HP-UX AAA Server A.08.01 administrator's guide
HP-UX 11i v2 and HP-UX 11i v3
HP Part Number: T1428-90072
Published: May 2010
Edition: Edition 10
Copyright © 2002–2010 Hewlett-Packard Development Company, L.P.
Confidential computer software. Valid license required from HP for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.
The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.
UNIX is a registered trademark of The Open Group.
Java™ is a US trademark of Sun Microsystems.
Microsoft®, Windows®, and Windows NT® are U.S. registered trademarks of Microsoft Corporation.
Oracle® is a registered US trademark of Oracle Corporation, Redwood City, California.
OpenLDAP® is a registered trademark of the OpenLDAP Foundation.
Netscape Navigator™ is a registered trademark of Time Warner, Inc.
Table of Contents

About This Document .... 27
    Intended Audience .... 27
    New and Changed Information in This Edition .... 27
    Document Organization .... 27
    Publishing History .... 28
    Typographic Conventions .... 29
    HP-UX Release Name and Release Identifier .... 30
    Related Information .... 30
    HP Encourages Your Comments .... 30

I Introduction .... 31

1 Overview: The HP-UX AAA Server .... 34
    RADIUS Topology .... 35
    Establishing a RADIUS Session .... 36
    Product Structure .... 38
        HP-UX AAA Server Daemon, Libraries, and Utilities .... 38
        HP-UX AAA Server Manager Program .... 38
        Documentation .... 38
    HP-UX AAA Server Architecture .... 39
        Configuration Files .... 40
        AATV Plug-Ins .... 40
        The Software Engine: Finite State Machine .... 40
    HP-UX AAA Server Commands, Utilities and Daemons .... 41
    Handling an Access Request .... 41
        Authentication to Verify the Client and User .... 42
        Authorization to Control Sessions and Access to Services .... 44
            Authorization Steps .... 45
    Session Logs For Accounting .... 48
    IPv6 Support for External Services .... 48
    HP-UX AAA Server as a Client .... 48

2 Upgrading to Version A.08.01 .... 49
    The HP-UX AAA Server Upgrade Process .... 49
    Upgrading from Versions A.07.00, A.06.02, A.06.01, or A.07.01 to Version A.08.01 .... 49
    Upgrading from Version A.06.00.x to Version A.08.01 .... 51
    Upgrading from Version A.05.x to Version A.08.01 .... 53
        Merging the Dictionary File .... 53
        Merging the radius.fsm File .... 53
        Merging the vendors File .... 53

3 Installing and Securing the HP-UX AAA Server .... 54
    Acquiring the HP-UX AAA Server Software .... 54
    Installing and Uninstalling the HP-UX AAA Server .... 54
Table of Contents 3
        To Install the HP-UX AAA Server .... 54
        To Uninstall the HP-UX AAA Server Software .... 55
    HP-UX AAA Server File Locations .... 56
    Securing the HP-UX AAA Server .... 63
        Changing the Default HP-UX AAA Server Settings .... 63
            Changing the Default Tomcat User Name and Password .... 63
            Changing the Default RMI Objects Secret .... 64
            Changing the Default test_user Settings .... 64
            Changing the Default localhost Proxy Settings .... 64
        Environment Specific Security Procedures .... 64
            Using Secure Socket Layer (SSL) for Secured Remote Server Manager Administration .... 64
            Creating a Tomcat Identity Specifically for the HP-UX AAA Server .... 66
            Running the HP-UX AAA Server on Hosts with System Hardening Software .... 67
            Running the HP-UX AAA Server as a Non-Root User .... 68
            Setting Up the HP-UX AAA Server to Start as Non-Root User After Reboot .... 68

4 Enabling the HP-UX AAA Server for GUI-based Administration .... 71
    Accessing the Server Manager .... 71
        Starting and Stopping the RMI Objects .... 72
        Starting and Stopping Tomcat .... 72
    Testing the Installation .... 72
        To Test the Installation .... 72
    Starting HP-UX AAA Servers Using Server Manager .... 74
        AAA Server Start Options .... 75
        Server Manager's Reload Feature .... 76
    Starting HP-UX AAA Servers From the Command Line .... 77
    Configuring the HP-UX AAA Server to Start Automatically Upon System Reboot .... 80
    Stopping or Restarting HP-UX AAA Servers .... 81
        Using Server Manager .... 81
        From the Command Line .... 81
    Adding an HP-UX AAA Server to Your Network .... 82

II Configuring the HP-UX AAA Server Manager Using the Server Manager GUI .... 84

5 The HP-UX AAA Server Manager Interface .... 88
    Commonly Used Icons in the GUI .... 89

6 Managing HP-UX AAA Servers .... 90
    Using the Server Connections Screen .... 90
    Adding a New Server Connection .... 91
    Modifying Connection Attributes .... 92
    Deleting a Server Connection .... 93
    Managing Multiple Servers .... 93
    Loading and Saving Your Configuration .... 94
        Loading and Saving Your Configuration Using RMI Server .... 95
        Enhancing Loading and Saving Performance Using Secure Copy Protocol .... 96
        Setting up Key-Based Authentication .... 97
            Creating a Public-Private key set with ssh-keygen .... 97
            Sharing the Public key with Remote Hosts .... 98
        Verifying Key-Based Authentication .... 99

7 Configuring RADIUS Clients Using the Access Devices Screen .... 100
    Navigating the Access Devices Screen .... 100
    Adding a RADIUS Client .... 100
    Modifying a RADIUS Client's Properties .... 103
    Deleting a RADIUS Client .... 104

8 Configuring Realms .... 105
    Using the Local Realms Screen .... 105
    Adding a Realm .... 105
    Modifying Realms .... 108
    Special Entries .... 109
    Deleting a Realm .... 110
    Configuring Realms for Authentication using an External Server .... 111
        Configuring Realms for Database Access via SQL .... 111
        Configuring Realms for LDAP .... 112
            Modifying a Directory Configuration .... 115
            Deleting a Directory Configuration .... 115
            Tuning the AAA Server to LDAP Server Connection .... 116

9 Configuring Proxies .... 117
    Navigating the Proxy Screen .... 117
    Changing the Default localhost Proxy Settings .... 118
    Creating or Modifying a Proxy .... 118
        Forwarding Authentication and Dynamic Authorization Requests From a Proxy Server .... 121
        Forwarding Authentication Requests to a Remote Server .... 122
    Changing RADIUS Port Numbers .... 123
        Forwarding Requests to Alternate RADIUS Ports .... 123
    Forwarding Accounting Requests .... 124
    Proxying Authentication and Accounting Messages to the Same Server .... 124
    Proxying Accounting Requests to a Central Server .... 125
    Deleting a Proxy .... 125

10 Configuring Users .... 127
    Navigating the Users Screen .... 127
    Changing the Default test_user Settings .... 127
    Adding a User Profile .... 128
        Tabs on the Add Users Screen .... 130
            Specifying Attributes Using the Free Attributes Pane .... 130
    Modifying User Profiles .... 131
    Deleting a User Profile .... 131
        To Delete a User Profile From the Default users File .... 132
        To Delete a User Profile in a Local Realms File .... 132

11 Modifying Server Properties .... 133
    Navigating the Server Properties Screen .... 133
    DHCP Relay Properties .... 133
    DNS Updates Properties .... 134
    Message Handling Properties .... 135
    SNMP Properties .... 136
        Enable SNMP Support .... 136
    Tunneling Properties .... 136
        Tunneling Reply Items (Optional) .... 137
    Certificate Properties .... 137
    File Size Properties .... 138
        Maximum Logfile Size .... 138
    Miscellaneous Properties .... 138
        Permit Microsoft Client Authenticate As Computer .... 138
    Local Users File Properties .... 139
    ProLDAP Properties .... 139
    AAA Server As A Client Properties .... 140
    Client Action Properties .... 140

12 Logging and Monitoring .... 142
    Overview .... 142
    Server Log Files .... 142
        Using Server Manager to Retrieve Logfile Information .... 142
            Search Parameters .... 143
            Message Types .... 144
        Using Server Manager to Retrieve Statistics .... 144
    Accounting Log Files .... 145
        Using Server Manager to Retrieve Accounting Logfiles .... 146
        Format of Accounting Records in the Default Merit Style .... 147
            Time-Based Values .... 147
            Client A-V Pairs .... 148
            User Entry A-V Pairs .... 148
            Session Tracking .... 148
        Writing Livingston CDR Accounting Records .... 149
            Livingston CDR Session Record Format .... 150
        Changing the Accounting Log Filename .... 150
        Changing the Accounting Log Rollover Interval .... 151
        Rolling Over the Log File and Accounting Stream and Setting the Log Level .... 151

III Advanced Configuration Information .... 153

13 Securing LAN Access With EAP .... 159
    Overview .... 159
        The Secure LAN Advisor .... 159
    Preparing Your LAN .... 160
    Determining the EAP Authentication Method to Use .... 161
    Securing WLANs with the HP-UX AAA Server .... 164
    Digital Certificate Administration .... 164
        Using the "Self-Signed" Digital Certificates .... 165
        Installing Your Own Digital Certificates and Keys .... 166
            Installing Server Certificates and Keys .... 166
            Installing Client Certificates and Keys .... 167
            Defining Certificate Locations on the HP-UX AAA Server .... 167

14 Managing Sessions .... 169
    Session Logs .... 169
        Displaying Session Attributes .... 169
        Stopping a Session .... 170
    Session Limits .... 170
        Setting Limits on a User-by-User Basis .... 171
            Setting Timeout Values .... 171
            Establishing a Filter .... 171
            Limiting Access Points (NAS-Port, NAS-ID, Calling-Station ID, and others) .... 171
            Denying Access (Called-Station-ID and others) .... 172
            Limiting Simultaneous Sessions .... 172
        Setting Limits for Users on a Global Basis .... 173
            Setting Limits for All User Profiles Grouped by Realms .... 173

15 Assigning IP Addresses .... 174
    Assigning Static IP Addresses .... 174
        To Assign a Static IP (IPv4) Address to a Profile in Flat Files .... 174
        To Assign a Static IPv6 Address to a Profile in Flat Files .... 175
        To Assign Static Traditional IP (IPv4) Addresses to a User Profile in an LDAP LDIF File .... 177
        To Assign Static IPv6 Addresses to a User Profile in an LDAP LDIF File .... 178
    Assigning Dynamic IP Addresses Using DHCP .... 178

16 OATH Standards-Based OTP Authentication .... 179
    OTP and OATH Overview .... 179
    HP-UX AAA Server and OATH Support .... 180
    Supported OTP Functions for RADIUS Standard Password (PAP) and MS-CHAPv2 .... 182
    Components Required to Configure OTP Authentication .... 182
    Configuring OTP Authentication on the HP-UX AAA Server .... 183
        OTP Authentication Configuration Flowchart .... 183
        Basic or Typical Configuration .... 186
        Advanced Configuration .... 187
            Advanced OTP Authentication Configuration Concepts .... 187
                Attributes for Configuring OTP Authentication .... 192
            Advanced Deployment Scenarios .... 199
                Validating OTP Alone .... 200
                Configuring Two-Factor Authentication .... 202
                OTP or Password Validation at External RADIUS Server .... 210
        Predefined Mapping and Conversion Functions .... 217
        Sample Configuration Files .... 217
            The sqlaccess.config Sample File .... 217
            Sample Policy Files .... 220
                The oath-request-ingress.grp Sample File .... 221
                The oath-reply-egress.grp Sample File .... 221
                The oath-proxy-egress.grp Sample File .... 222

17 Configuring EAP-SIM and EAP-AKA Authentication Methods .... 224
    EAP-SIM .... 224
        Overview .... 224
        EAP-SIM Authentication Using HP-UX AAA Server .... 225
        Features .... 227
        Benefits .... 228
        Configuring EAP SIM .... 228
            EAP-SIM Client Configuration .... 228
            EAP-SIM User Credential Lookup Configuration .... 228
            EAP-SIM Realm-Based Configurations .... 229
                Realm-Based EAP-SIM Configuration Information in authfile .... 229
                Realm-Based EAP-SIM Configuration Information in EAP.authfile .... 232
            Global EAP-SIM Configuration in aaa.config .... 235
    EAP-AKA .... 236
        Overview .... 236
        EAP-AKA Authentication Using HP-UX AAA Server .... 236
        Features .... 237
        Benefits .... 238
        Configuring EAP-AKA .... 239
            EAP-AKA Client Configuration .... 239
            EAP-AKA User Credential Lookup Configuration .... 239
            EAP-AKA Realm-Based Configurations .... 240
                Realm-Based EAP-AKA Configuration Information in authfile .... 240
                Realm-Based EAP-AKA Configuration Information in EAP.authfile .... 242
            Global EAP-AKA Configuration in aaa.config .... 247
    Fast Re-Authentication .... 248
        Configuring for Fast Re-Authentication .... 248
            Configuring for Fast Re-Authentication in EAP.authfile .... 248
                Sample EAP.authfile Configuration for Fast Re-authentication .... 250
            Configuring for Fast Re-Authentication in aaa.config File .... 251
                Sample aaa.config Configuration for Fast Re-authentication .... 251
        Guidelines to Write EAP-SIM and EAP-AKA Fast Re-Authentication Database AATVs .... 252
            Fast Re-Authentication Database Update AATV .... 253
                Update AATV Inputs .... 253
                Update AATV Outputs .... 254
                AATV Functionality and Return Events .... 254
            Fast Re-Authentication Database Lookup AATV .... 254
                Lookup AATV Inputs .... 254
                Lookup AATV Outputs .... 255
                Lookup AATV Functionality and Return Events .... 256
    Pseudonym Identities .... 256
        Random Pseudonyms .... 256
        Algorithm-Based Pseudonyms .... 257
        Configuring for Pseudonym Identity Support .... 258
            Sample EAP.authfile Configuration for Random Pseudonym Identity Support .... 260
            Sample EAP.authfile Configuration for Algorithm-based Pseudonym Identity Support .... 261
            Sample aaa.config Configuration for Algorithm-based Pseudonym Identity Support .... 262
        Guidelines to Write EAP-SIM and EAP-AKA Pseudonym Database AATVs .... 262
            Pseudonym Database Update AATV .... 264
                Update AATV Inputs .... 264
                Update AATV Outputs .... 265
                AATV Functionality and Return Events .... 265
            Pseudonym Database Lookup AATV .... 265
                Lookup AATV Inputs .... 265
                Lookup AATV Outputs .... 266
                Lookup AATV Functionality and Return Events .... 268
    Generating Authentication Vectors Using A3, A8, and AKA Algorithms .... 268
        3GPP Milenage A3, A8, and AKA Algorithm .... 269

18 Configuring HP-UX AAA Server for Scalability and High-Availability .... 273
    Overview .... 273
    Scalability and High-Availability Concepts .... 274
        Grouping HP-UX AAA Servers .... 274
        HP-UX AAA Server Attributes .... 274
    HP-UX AAA Server Deployment for Scalability and High-Availability .... 274
    Managing Multiple HP-UX AAA Servers For Scalability and High-Availability .... 276
        Administering HP-UX AAA Servers Using HP-UX AAA Server Manager .... 276
            Logging In .... 277
            Adding a Group .... 278
            Modifying a Group .... 279
            Deleting a Group .... 279
Table of Contents 9
Adding a Server........280
Modifying a Server........284
Deleting a Server........284
Cloning a Server........284
Administering HP-UX AAA Servers Using HP-UX AAA Server Admin Tool (Command Line)........287
rad_admin Syntax........287
Examples of Administering Multiple HP-UX AAA Servers........288
Administering HP-UX AAA Servers Using Interactive User Interface........288
Disaster Recovery of the HP-UX AAA Server Manager........289
19 Configuring the HP-UX AAA Server for Client Functionality........291
Overview........291
CLIENT AATV........292
Configuring CLIENT AATV........292
Working of the CLIENT AATV........292
Supported APIs........294
Internal Attributes and Mapping Functions........295
20 Configuring the HP-UX AAA Server for Dynamic Authorization........297
Dynamic Authorization Overview........297
HP-UX AAA Server and Dynamic Authorization........297
Processing of Dynamic Authorization Requests........298
Configuring for Dynamic Authorization........300
Basic Configuration........301
Advanced Configuration........302
Migrating Existing SQL Access Deployments for Dynamic Authorization........302
Configuring Multiple HP-UX AAA Servers as a Group........304
Configuring for Disconnect and CoA Request Processing........306
Dedicated HP-UX AAA Servers for Dynamic Authorization........311
Dynamic Authorization in Authorize Only Mode........316
Configuring for Dynamic Authorization in Authorize Only Mode........317
Configuring for Proxy Functionality........319
Configuring for Dynamic Authorization Proxy Functionality........320
Configuring for Failover........321
Security Consideration in Dynamic Authorization........321
Replay Protection........321
Message-Authenticator........324
Reverse Path Forwarding Check for Proxies........324
Sample Configuration Files........326
The client-request-init.grp.dynauth Sample File........327
The client-reply-ingress.grp.dynauth Sample File........327
The sqlaccess.config.dynauth Sample File........327
The sqlaccess.config.dynauth_server_group Sample File........329
The dbsetup.sql.dynauth_server_group Sample File........331
IV Integrating the HP-UX AAA Server With External Services........332
21 LDAP Authentication........335
LDAP Server Compatibility........335
Related LDAP Documentation........335
Authentication with LDAP........335
Configuring the LDAP Server........335
The HP-UX AAA Server LDAP Schema........336
To Configure Netscape Directory Server v6........337
To Configure iPlanet Directory Server v5........337
To Configure OpenLDAP 2.0.x........337
22 SQL Access........338
SQL Access Overview........338
SQL Access Concepts........339
RADIUS Attribute to SQL Statement Mapping........340
Mapping Functions........341
Conversion Functions........341
SQL Action Processing and Result Handling........342
Implementing SQL Access........342
Sample Implementation Files........342
sqlaccess.config Sample File........343
dbsetup.sql Sample File........345
Finite State Machine Sample........346
Pre-requisites for SQL Access........346
Database Server and Schema........346
Database Security........347
High Availability........347
Database Client........347
Shared Library Path Configuration........348
Database Client Connector Libraries........348
SQL Access Implementation Details........348
sqlaccess.config File Configuration........349
Database Connection Definition........350
SQL Actions........352
Mapping Syntax........353
RAD Mapping........355
DBC Mapping........356
DBP Mapping........357
RET Mapping........359
Mapping Functions........359
Conversion Functions........361
SQL Statement........362
SQL Result Mapping........364
Result Handling for Retrieval Requests......................................................366
Global Definitions........369
Advanced SQL Mapping Configuration........369
Developing Custom Functions........369
Null SQL Statements........370
Null Source and Target Mapping........370
Time Synchronization........371
Finite State Table Configuration in the FSM........372
Stored Procedures........373
Administering Users and Tokens Stored in an SQL Database........374
Managing Users........375
Adding Users to an SQL Database........375
Modifying User Credentials........377
Managing Users Using OTP to Authenticate........378
Importing Tokens into the Database........378
Assigning Tokens to Users........379
Assigning a Specific Token to a User........379
Allocating Any Available Tokens to a User........380
Enrolling Tokens (Procedure for Users)........380
Synchronizing Tokens (Procedure for Users)........382
Terminating Tokens........383
Viewing User and Token Statistics........383
Valid Token Status Values........383
Invoking the User Database Administration Manager Interface from Server Manager........384
Multi-Row Support For SQL Access........385
23 Simple Network Management Protocol (SNMP) Support........386
Setting Up SNMP to Monitor the HP-UX AAA Server........386
24 VPN Tunneling........388
Establishing a Tunnel for a User........388
25 Using DHCP........390
Required DHCP Server Features........390
Recommended DHCP Server Features........390
Defining DHCP Address Pools for Specific Users........390
To Associate an Address Pool with a User Profile in AAA Server Flat Files........390
To Associate an Address Pool with a User Profile in an LDAP LDIF File........391
Associating Address Pools with Realms and Other Conditions........391
V Customizing the HP-UX AAA Server........392
26 Customizing the HP-UX AAA Server Using the Finite State Machine........396
States........396
Using Xstring to call Policy........399
Using Xstring to Call an Alternate authfile........399
Event Names........399
Predefined Event Names........400
Creating New Names........403
Actions........403
FSM Tables........405
Custom State Tables........406
Tracking Versions........406
Examples........406
Preprocessing Module........406
Interim Logging........408
Custom Logging Format........408
Proxy Accounting Messages........409
27 Customizing the HP-UX AAA Server Using Policies........411
Policy Overview........411
Defining a Policy in a Decision File........412
Action Commands........413
The delete Command........414
The insert Command........415
The modify Command........417
The exit Command........418
The log Command........419
The if Command........420
Attribute Specifications........422
Attribute Names........422
Vendor Names........422
Attribute Instance Specifications........422
No Instance Specification........423
Numeric Instance Specification........423
Keyword Instance Specification........423
Attribute Functions........424
The count Attribute Function........424
The length Attribute Function........424
The strcat Attribute Function........425
The substr Attribute Function........426
The tolower Attribute Function........429
The toupper Attribute Function........430
Value Types........430
Arithmetic Expressions........431
Arithmetic Operator Precedence and Association........431
Supported Boolean Operators........432
Boolean Operator Precedence and Association........433
Type Compatibility........434
Invoking a Policy........435
Invoking Policies Through Predefined Policy Hooks........435
Request Ingress Policy......................................................................................435
User Policy........436
Invoking Policy from User Profiles........437
Reply Egress Policy........437
Proxy Egress Policy........438
Proxy Ingress Policy........439
Useful Attributes for Policy Conditions........440
Modifying the FSM for Specific Customizations........441
Sample Policy Implementations........442
Dynamic Access Control........442
Step 1 – Modifying the Default FSM for DAC........442
Step 2 – Defining the DAC Policies........443
DNIS Routing........444
Step 1 – Modifying the Default FSM for DNIS Routing........444
Step 2 – Defining the DNIS Routing Policies........444
28 Customizing the HP-UX AAA Server Using the SDK........446
SDK Overview........446
Migrating Plug-ins Created Using Previous Versions of the SDK........448
Prerequisites for Using the SDK........448
SDK Directory Structure........448
SDK Concepts........448
Overview of AATVs........448
AATV Components........449
The init Function........449
The action Function........449
The timer or callback Function........450
The cleanup Function........450
Creating Plug-ins........450
Using AATVs to Create a Plug-in........451
Compiling and Loading a Plug-in........452
Testing and Debugging a Plug-in........453
Using the GNU Project Debugger........453
Using gdb to Debug Your Software Module........453
Creating Plug-ins for AATVs........454
A3 and A8 Algorithm Plug-in for EAP-SIM........454
Creating A3, A8 Plug-ins........455
AKA Algorithm Plug-in for EAP-AKA........456
Creating AKA Plug-ins........457
VI Troubleshooting........461
29 Troubleshooting Overview........464
AAA Environment Components........464
HP-UX AAA Server Operation........465
Probable Causes for Failure........467
Configuration Problems.........................................................................................467
External Service Problems........467
Protocol Limitations........468
RADIUS Client and Supplicant Considerations........468
30 Troubleshooting Procedures........469
Troubleshooting Flowchart........469
Troubleshooting Flowchart Process........471
Troubleshooting the Server Manager Administration Utility........472
Common Problems With the Server Manager........473
Troubleshooting Server Manager Launch Problems........475
Troubleshooting Remote Management Problems........476
Troubleshooting the HP-UX AAA Server........477
Troubleshooting HP-UX AAA Server Startup Problems........478
Common Problems with HP-UX AAA Server Startup........478
Troubleshooting Bind Errors at HP-UX AAA Server Startup........482
Troubleshooting an Unresponsive HP-UX AAA Server........483
Troubleshooting Common Configuration Problems........484
Troubleshooting External Services........488
Identifying External Service Failures using Logfile Error Messages........488
Identifying Unrecorded External Datastore Failures........493
Identifying Proxy Server Failures........493
Identifying Unrecorded DHCP Failures........493
Troubleshooting Access-Rejects from the HP-UX AAA Server........494
Common Authentication Failure Problems........494
EAP Problems........502
Troubleshooting Provisioning Errors........506
Troubleshooting the HP-UX AAA Server Admin Utility........506
31 Troubleshooting Resources........509
HP-UX AAA Server Troubleshooting Utilities........509
The radcheck Utility: For Checking the Server Status........509
The radpwtst Utility: For Testing Authentication........510
The raddbginc Utility: For Setting Debug Output Levels........510
The radsignal Utility: For Rolling Over the Debug Output to New Files........511
The HP-UX AAA Server Logfile and Debug File........511
The HP-UX AAA Server Logfile........511
The HP-UX AAA Server Debug File........511
32 Reporting Problems........513
Server Set Up Information........513
Server Manager Related Information........514
External Components........514
External Databases........514
SNMP Servers........514
DHCP Servers........514
OpenSSL........514
EAP Related Information............................................................................................514Clients.....................................................................................................................515Access Points..........................................................................................................515
VII Reference.............................................................................................................................51633 Configuration Files .........................................................................................................519
HUP Processing...........................................................................................................519The aaa.config File.................................................................................................520
Variables in the aaa.config File ..... 520
The strict_duplicate_check Variable ..... 520
The aatv.ProLDAP Property ..... 521
The iaaa.SNMP Property ..... 521
The log_threshold_limit and suppression_interval Variables ..... 522
The list_copy_limit Variable ..... 522
The localUsersFile.FilterType Property ..... 522
The default_users_file_cis_search Property ..... 523
The log_forwarding Variable ..... 523
The log_generated_request Variable ..... 523
The ourhostname Variable ..... 523
The packet_log Variable ..... 524
The radius_log_fmt Variable ..... 524
The reply_check Variable ..... 524
OTP Authentication-Related Configuration Items ..... 525
Dynamic Authorization-Related Configuration Items ..... 525
The clients File ..... 526
Prefixed Users and authfile ..... 527
Wildcard Support for IPv4 and IPv6 ..... 527
The users File ..... 528
Syntax of a User Entry ..... 528
Syntax of IPv6 Attributes ..... 528
NAS-IPv6-Address ..... 528
Framed-Interface-Id ..... 529
Framed-IPv6-Prefix ..... 529
Login-IPv6-Host ..... 529
Framed-IPv6-Route ..... 530
Framed-IPv6-Pool ..... 530
With Tunneling ..... 530
The dictionary File ..... 531
Attribute Entries ..... 532
Pruning Expressions ..... 533
Value Entries ..... 534
The las.conf File ..... 535
LAS Session Timing Parameters ..... 535
Token Pool Configuration ..... 536
16 Table of Contents
Realm Configuration ..... 537
The vendors File ..... 538
Syntax of a vendors File ..... 538
The log.config File ..... 539
Syntax of a Stream Entry ..... 539
Default Entry ..... 541
End Entry ..... 541
Logging Multiple Streams ..... 541
Values Logged by Default ..... 541
Examples ..... 542
Livingston Call Detail Record (CDR) Format ..... 542
Multiple Logging Streams ..... 542
Logging Based on Attributes ..... 543
Accounting Log Based on Attribute Value ..... 544
Changing the Accounting Log Rollover Interval ..... 545
34 Attribute-Value Pairs ..... 546
Specifying Attribute-Value Pairs ..... 546
Attribute-Value Formats ..... 546
Examples ..... 547
Tagged Attributes ..... 547
Attributes in User Profiles ..... 547
Configuration Attributes ..... 548
Local Authorization Service (LAS) Configuration ..... 549
Simultaneous-Use Attribute ..... 550
Attributes Concerning OTP Authentication ..... 550
Check (and Deny) Items ..... 550
Attributes Concerning the NAS ..... 551
Policy Attributes ..... 552
Other Attributes ..... 552
Reply Items ..... 553
General Attributes ..... 554
Attributes Concerning Login Users ..... 556
Attributes for Framed Users ..... 556
Tunneling Attributes ..... 558
Other Attributes ..... 560
Attributes in Accounting Records ..... 561
Additional Session Information ..... 561
35 MIB Objects ..... 566
MIB Objects ..... 566
A Supported IETF RFCs ..... 573
B Supported Authentication Methods ..... 575
C RADIUS Data Packets ..... 577
Data Packet Format ..... 577
Attribute-Value Pair Format ..... 578
D Header Files, Data Structures, and APIs in the HP-UX AAA Server SDK ..... 579
Header Files and Data Structures in the SDK ..... 579
APIs in the HP-UX AAA Server SDK ..... 579
A-V Pair APIs ..... 580
sdk_avp_t *sdk_avp_allocate() ..... 580
void sdk_avp_free() ..... 580
int sdk_get_avp_info() ..... 580
int sdk_set_avp() ..... 581
int sdk_set_vend_avp() ..... 581
Authreq APIs ..... 582
sdk_avp_t *sdk_find_avp() ..... 582
sdk_avp_t *sdk_find_vend_avp() ..... 583
int sdk_del_avp() ..... 584
int sdk_insert_avp() ..... 584
int sdk_get_authreq_info() ..... 585
Logging APIs ..... 587
int sdk_logit() ..... 587
int sdk_log_debug() ..... 588
Asynchronous Event and I/O APIs ..... 589
int sdk_pollfd_register() ..... 590
int sdk_pollfd_unregister() ..... 590
int sdk_schedule_event() ..... 590
Secondary APIs ..... 591
sdk_authreq_t *sdk_get_authreq_by_id() ..... 591
char *sdk_get_config_dir() ..... 591
int sdk_set_authreq_info ..... 591
int sdk_get_client_info() ..... 592
int sdk_decrypt_passwd() ..... 593
int sdk_encrypt_passwd() ..... 594
sdk_authreq_t *sdk_authreq_allocate ..... 594
void sdk_authreq_free ..... 594
int sdk_enqueue_authreq ..... 594
E Syntax of the Decision Files in Earlier Versions of the HP-UX AAA Server ..... 596
Expressions ..... 596
Specifying Attributes in Group Entries ..... 597
Dynamic Access Control ..... 597
Internal Values ..... 598
Using Indirection ..... 598
Example Group Entries ..... 599
DNIS.grp for DNIS Routing ..... 599
DAC.grp for Dynamic Access Control ..... 600
Glossary of Terms ..... 603
Index ..... 609
List of Figures
1-1 Typical AAA Network Topology ..... 36
1-2 Client-Server RADIUS Transaction ..... 37
1-3 Authentication Process ..... 40
1-4 Default Action Sequence ..... 42
1-5 Authentication Steps ..... 43
1-6 Authorization Steps ..... 45
4-1 Return Value After Successfully Starting a AAA Server ..... 75
4-2 Server Manager’s Start Options Screen ..... 75
4-3 Algorithm for Determining Which FSM to Load ..... 80
5-1 The HP-UX AAA Server Manager User Interface ..... 89
6-1 Server Manager’s Connected Server Screen ..... 91
6-2 The Add Connection Screen ..... 91
6-3 The Modify Connection Screen ..... 92
6-4 The Delete Server Connections Screen ..... 93
6-5 Server Manager’s Server Status Frame ..... 94
6-6 Server Manager’s Load Configuration Screen ..... 95
6-7 Server Manager’s Save Configuration Screen ..... 96
7-1 Server Manager’s Access Device Screen ..... 100
7-2 Server Manager’s Access Device Attributes Screen ..... 101
7-3 The Delete Access Device Screen ..... 104
8-1 Server Manager’s Local Realms Screen ..... 105
8-2 Server Manager’s Local Realm Attributes Screen ..... 106
8-3 The Delete Local Realm Screen ..... 111
8-4 User Storage Parameters for Database Access via SQL ..... 112
9-1 Proxy Configuration ..... 117
9-2 Server Manager’s Proxy Screen ..... 118
9-3 Server Manager’s Proxy Attributes Screen ..... 119
9-4 The Delete Proxy Screen ..... 126
10-1 Server Manager’s Users Screen ..... 127
10-2 The Add Users Screen ..... 128
10-3 The Modify Users Screen ..... 131
10-4 The Delete Users Screen ..... 132
11-1 Server Manager’s Server Properties Screen ..... 133
12-1 Server Manager’s Logfile Screen ..... 143
12-2 Server Manager’s Statistics Screen ..... 145
12-3 AAA Server Statistics Example ..... 145
12-4 Accounting Logfile Search Screen in Server Manager ..... 146
12-5 Detailed Accounting Record for a Selected User ..... 147
13-1 The Secure LAN Advisor For Securing WLANs ..... 160
13-2 Server Manager’s Certificate Properties Screen ..... 167
14-1 Sessions Search Filter Screen ..... 169
20 List of Figures
14-2 Example Return for a Sessions Search ..... 170
14-3 Example of a Session’s Attributes ..... 170
15-1 The Users Screen ..... 174
15-2 The Framed User Attributes Form ..... 175
15-3 The Users Screen ..... 176
15-4 The Framed User Attributes Form ..... 177
16-1 OATH Standards-Based OTP Authentication Flow and the HP-UX AAA Server ..... 181
16-2 OTP Authentication Configuration Flowchart for RADIUS Standard Password ..... 185
16-3 OTP Authentication Configuration Flowchart for MS-CHAP v2 ..... 186
16-4 Usage of Bit Masks to Set OTP Authentication Actions ..... 190
17-1 EAP-SIM Authentication Using HP-UX AAA Server ..... 225
18-1 HP-UX AAA Server Deployment for Scalability and High-Availability ..... 275
18-2 Server Connections ..... 278
18-3 Adding a Group ..... 278
18-4 Sample Group Created ..... 279
18-5 Modify Group ..... 279
18-6 Adding a Server ..... 280
18-7 Selecting the Server for Loading ..... 285
18-8 Loading Configuration Completed ..... 285
18-9 Cloning Server ..... 286
18-10 Saving Configuration ..... 286
19-1 CLIENT AATV Flowchart ..... 294
20-1 HP-UX AAA Server Performing Dynamic Authorization Operation ..... 298
20-2 Dynamic Authorization Request Processing ..... 300
20-3 Flowchart for Basic and Advanced Configuration ..... 301
20-4 Multiple HP-UX AAA Servers in a Group for Dynamic Authorization ..... 305
20-5 Server Properties ..... 309
20-6 Server Properties (CLIENT) ..... 309
20-7 Server Properties: Modify Property ..... 310
20-8 Client Action Properties ..... 310
20-9 Server Properties ..... 314
20-10 Server Properties (CLIENT) ..... 315
20-11 Server Properties: Modify Property ..... 315
20-12 Client Action Properties ..... 315
20-13 Dynamic Authorization in Authorize Only Mode ..... 316
20-14 Proxy Functionality ..... 320
20-15 Server Properties ..... 323
20-16 Server Properties (CLIENT) ..... 323
20-17 Server Properties: Modify Property (Event Timestamp) ..... 324
20-18 Server Properties ..... 325
20-19 Server Properties (CLIENT) ..... 326
20-20 Reverse Path Forwarding Check ..... 326
22-1 SQL Access Components ..... 339
22-2 RADIUS Attribute to SQL Statement Mapping ..... 341
22-3 The User Database Administration Manager ..... 375
22-4 The Add User Screen ..... 376
22-5 The Token Validate Screen ..... 379
22-6 The Enroll Token Screen ..... 381
22-7 The Synchronize Token Screen ..... 382
22-8 The User Statistics Screen ..... 383
26-1 Default FSM State Transitions ..... 397
27-1 Flow of the Request Ingress Policy ..... 436
27-2 Flow of the User Policy ..... 437
27-3 Flow of the Reply Egress Policy ..... 438
27-4 Flow of the Proxy Egress Policy ..... 439
27-5 Flow of the Proxy Ingress Policy ..... 440
28-1 SDK Plug-in Example ..... 447
29-1 AAA Environment Components ..... 465
29-2 HP-UX AAA Server Operation ..... 466
30-1 Troubleshooting Flowchart ..... 470
C-1 RADIUS Request/Reply Message Format ..... 577
C-2 Attribute-Value Pair Format ..... 578
List of Tables
1 HP-UX AAA Server Administrator’s Guide Printing History ..... 28
2 HP-UX 11i Releases ..... 30
1-1 Commands, Utilities, and Daemons ..... 41
1-2 How Requests are Altered Using the proxy-egress and proxy-ingress Policies ..... 46
3-1 File Locations Upon Installation ..... 56
3-2 Files Generated During Operation ..... 63
3-3 Ports Associated with RMI Objects that must be Configured ..... 67
4-1 Server Start Options ..... 75
4-2 radiusd Options ..... 77
4-3 New Server Connection Screen Fields ..... 82
6-1 Fields in the Connection Attributes Form ..... 91
6-2 Icons in Server Manager’s Server Status Frame ..... 94
7-1 Add Access Device Configuration Form Options ..... 102
8-1 Fields in the Local Realm Attributes Form ..... 106
8-2 Special Entries ..... 110
8-3 Values for Configuring Realms for LDAP ..... 113
9-1 Proxy Configuration Options ..... 120
9-2 Options for Forwarding Requests ..... 122
9-3 Accounting Logging Options ..... 124
10-1 General Attributes in the Add User Screen ..... 129
11-1 DHCP Relay Properties ..... 133
11-2 DNS Update Properties ..... 134
11-3 Message Handling Properties ..... 135
11-4 Certificate Path Properties ..... 137
11-5 ProLDAP Properties ..... 139
11-6 AAA Server As A Client Properties ..... 140
11-7 Client Action Properties ..... 141
12-1 Filter Parameters for Searching Logfiles ..... 143
12-2 Statistic Search Parameters ..... 145
12-3 Accounting Logfile Search Parameters ..... 146
12-4 Reasons Why The Record Was Generated ..... 148
13-1 LAN Configuration Items ..... 161
13-2 Supported EAP Methods and Their Features ..... 163
16-1 Supported OTP Functions for PAP and MS-CHAP v2 ..... 182
16-2 Bit Masks to Configure OTP Authentication Tasks ..... 188
16-3 Common OTP Authentication Actions ..... 190
16-4 Attributes for Configuring OTP Authentication ..... 192
16-5 System-Wide OTP Configuration Items ..... 196
16-6 SQL Actions and Stored Procedures that Support OTP Authentication ..... 218
17-1 The iaaaFile authfile Configuration Parameters ..... 230
17-2 EAP.authfile Configuration Parameters ..... 233
17-3 The aaa.config Configuration Block Parameters ..... 235
17-4 AKA Vector Parameters ..... 240
17-5 EAP.authfile Configuration Parameters ..... 242
17-6 The aaa.config Configuration Block Parameters ..... 247
17-7 EAP.authfile Configuration Parameters ..... 249
17-8 The aaa.config Configuration Block Parameters for Fast Re-authentication ..... 251
17-9 Vendor-Specific Attributes for Fast Re-Authentication Database Update AATV ..... 253
17-10 Vendor-Specific Attributes for Fast Re-Authentication Database Lookup AATV ..... 254
17-11 Lookup AATV Output Attributes ..... 255
17-12 EAP.authfile Configuration Parameters ..... 258
17-13 The aaa.config Parameters for Algorithm-based Pseudonym Identity ..... 260
17-14 Vendor-Specific Attributes for Pseudonym Database Update AATV ..... 264
17-15 Vendor-Specific Attributes for Pseudonym Database Lookup AATV ..... 265
17-16 Lookup AATV Output Attributes ..... 266
17-17 Lookup AATV Attributes for EAP-SIM ..... 267
17-18 Lookup AATV Attributes for EAP-AKA ..... 267
17-19 3GPP Milenage Parameters ..... 269
17-20 Configuration Parameters of aatv.3GPP-Milenage{} Block ..... 270
18-1 Server Attributes ..... 281
18-2 rad_admin Options ..... 287
19-1 APIs Supporting Client Functionality ..... 294
19-2 Pre-defined Mapping Functions for Client Functionality ..... 296
19-3 Internal Attributes for Client Functionality ..... 296
20-1 SQL Actions that Support Dynamic Authorization ..... 327
20-2 SQL Actions that Support Dynamic Authorization in Groups ..... 329
20-3 Tables and Stored Procedures in the dbsetup.sql.dynauth_server_group File ..... 331
21-1 The HP-UX AAA Server LDAP Schema ..... 336
22-1 The sqlaccess.config Sample File ..... 343
22-2 Database Access Parameters ..... 351
22-3 Input Mapping Data Types and Syntax ..... 354
22-4 Output Mapping Data Types and Syntax ..... 354
22-5 RAD Mapping Parameters ..... 355
22-6 DBC Mapping Parameters ..... 357
22-7 DBP Mapping Parameters ..... 358
22-8 Pre-defined Mapping Functions ..... 360
22-9 Pre-defined Conversion Functions ..... 361
22-10 Return Values and Description for OCI and ODBC APIs ..... 365
22-11 Fields in the Add Users Form ..... 376
22-12 Fields in the Enroll Token Device Form ..... 381
22-13 Fields in the Synchronize Token Form ..... 383
22-14 Valid Token Status Values ..... 384
22-15 Internal Attributes for Implementing Multi-Row Functionality ..... 385
26-1 Predefined Event Names ..... 400
24 List of Tables
26-2 Available Actions.......................................................................................................40326-3 Predefined FSM Tables..............................................................................................40527-1 Examples Illustrating the Use of the delete Command.........................................41427-2 Behavior of the insert Command in Various Scenarios........................................41627-3 Examples Illustrating the Use of the insert Command.........................................41627-4 Examples Illustrating the Use of the modify Command.........................................41827-5 Examples of the strcat Attribute Function............................................................42527-6 Supported Arithmetic Operators..............................................................................43127-7 Supported Boolean Operators...................................................................................43227-8 Compatible Attribute Types......................................................................................43527-9 Attributes Typically Used in Policy Group Conditions and Replies........................44027-10 Interlink-specific Attributes Used by DAC...............................................................44230-1 Common Problems with the Server Manager...........................................................47330-2 Common Problems with HP-UX AAA Server Startup.............................................47830-3 Common Configuration Problems............................................................................48430-4 External Service Failure Problems............................................................................48830-5 Common Authentication Failure Problems..............................................................49430-6 EAP Problems............................................................................................................50330-7 
...................................................................................................................................50631-1 Debugging Levels in the HP-UX AAA Server..........................................................51233-1 Dynamic Authorization-Related Configuration Items.............................................52533-2 Default LAS Session Timing Parameters..................................................................53633-3 Information Recorded by LOG_V2_o.......................................................................54134-1 Reply Item Attributes................................................................................................55334-2 Session Termination Causes......................................................................................56335-1 MIB Objects and Definitions.....................................................................................566A-1 Supported IETF RFCs................................................................................................573A-2 Additional IETF RFCs Supported by HP-UX AAA Server.......................................573A-3 AAA RFCs Supported by HP-UX AAA Server.........................................................574C-1 RADIUS Request/Reply Message Format Description ............................................577C-2 Attribute Value Pair Format Description .................................................................578D-1 Actions Performed as a Result of the loc_avp A-V Pair.............................................585D-2 Information Types.....................................................................................................586D-3 HP-UX AAA Server Debug Levels............................................................................589D-4 Possible Values of the infotype Parameter..................................................................592E-1 A-V Pair Expression 
Operators.................................................................................596E-2 A-V Pair Expression Examples..................................................................................597
25
List of Examples22-1 Define the Oracle Database Connection Parameters................................................35222-2 Define the MySQL Database Connection Parameters...............................................35222-3 User and Password Input and Output Mappings.....................................................35922-4 SQL Statement to Delete a Row................................................................................36322-5 SQL Statement with Result Mapping - OCI..............................................................36722-6 SQL Statement with Result Mapping - OCI Using the New Syntax.........................36822-7 SQL Action with Null Source and Target Mappings................................................37122-8 Timestamp Synchronization.....................................................................................37222-9 FSM with Accounting Log via SQL Access...............................................................37322-10 Remove Session Stored Procedure Definition...........................................................37427-1 An example of a policy file that restricts Session-Timeout to one hour for guests,
removes unwanted attributes, and provides administrative privileges toadministrators...........................................................................................................413
27-2 Examples Illustrating the Use of the if Command..................................................42127-3 Examples Illustrating the Use of the offset Keyword...........................................42727-4 Examples Illustrating the Use of the before Keyword...........................................42827-5 Examples Illustrating the Use of the after Keyword.............................................42927-6 Using arithmetic expressions....................................................................................43227-7 Examples Illustrating Precedence Rules...................................................................43428-1 Example of a Pre-Paid Billing Application Using a Plug-in Created Using the HP-UX
AAA Server SDK.......................................................................................................44733-1 Examples of NAS-IPv6-Address Attribute Syntax...................................................52933-2 Examples of Framed-Interface-Id Attribute Syntax..................................................52933-3 Examples of Framed-IPv6-Prefix Attribute Syntax...................................................52933-4 Examples of Login-IPv6-Host Attribute Syntax.......................................................53033-5 Example of a Framed-IPv6-Route Attribute Syntax.................................................53033-6 Example of a Framed-IPv6-Pool Attribute Syntax....................................................530
26 List of Examples
About This Document

This document provides an overview of the HP-UX AAA Server and describes how to configure, administer, and troubleshoot the product. This document does not cover installing the product.

The document printing date and part number on the cover indicate the document's current edition. The printing date and part number change when a new edition is printed. Minor changes can be made at reprint without changing the printing date. The document part number will change when extensive changes are made.

Document updates may be issued between editions to correct errors or document product changes. To ensure that you receive the updated or new editions, subscribe to the appropriate product support service. Contact your HP sales representative for details.

The latest version of this document is available at: http://www.docs.hp.com/en/internet.html#AAA%20Server%20%28RADIUS%29.

Intended Audience

This document is intended for HP-UX AAA Server administrators who understand the HP-UX operating system.
New and Changed Information in This Edition

The following additions and changes are made for edition 10:
• Includes support for log level filters. For details, see "Starting HP-UX AAA Servers From the Command Line" (page 77).
• Includes support for string concatenation in policy files. For details, see "The strcat Attribute Function" (page 425).
• Includes support for arithmetic operations in policy files. For details, see "Arithmetic Expressions" (page 431).

Other minor changes have been made throughout the document, as required.
Document Organization

The HP-UX AAA Server A.08.01 Administrator's Guide is organized as follows:
• Part I — Introduction provides general information about the HP-UX AAA Server product and the RADIUS protocol. It also describes how to secure your HP-UX AAA Server installation.
• Part II — Configuring the HP-UX AAA Server Manager Using the Server Manager GUI describes how to use the Server Manager to administer your AAA environment.
• Part III — Advanced Configuration Information provides information on advanced topics, such as securing LAN access using EAP, session management, assigning IP addresses, configuring OTP and two-factor authentication, configuring for EAP-SIM and EAP-AKA authentication methods, configuring for scalability and high-availability, configuring for the client functionality, and configuring for the dynamic authorization capability of the HP-UX AAA Server.
• Part IV — Integrating the HP-UX AAA Server With External Services describes how to integrate the HP-UX AAA Server with external services such as Lightweight Directory Access Protocol (LDAP), SQL Access, Dynamic Host Configuration Protocol (DHCP), Simple Network Management Protocol (SNMP), and Virtual Private Network (VPN).
• Part V — Customizing the HP-UX AAA Server describes how to customize the HP-UX AAA Server to meet various deployment scenarios.
• Part VI — Troubleshooting provides guidelines and error messages to help troubleshoot issues with the HP-UX AAA Server.
• Part V — Reference provides information to supplement the task-based information in the previous parts of the document. Use the information in this section to learn more about non-task-based topics such as configuration files, and attribute-value pairs.
• Appendix A (page 573) lists all the RFCs that are supported by the HP-UX AAA Server.
• Appendix B (page 575) lists and describes all the authentication methods that are supported by the HP-UX AAA Server.
• Appendix C (page 577) provides information about the RADIUS data packet format.
• Appendix D (page 579) lists and describes all the header files, data structures, and APIs included in the HP-UX AAA Server SDK.
• Appendix E (page 596) discusses the syntax of decision files that are supported by previous versions of the HP-UX AAA Server.
Publishing History

The following table shows the printing history of this document. The first entry in the table corresponds to the current edition, and previous editions are listed in reverse chronological order.

Table 1 HP-UX AAA Server Administrator's Guide Printing History

Supported OS                       Supports Software Version   Document Release Date (month/year)   Document Part Number
HP-UX 11i v2 and HP-UX 11i v3      A.08.01                     05/10                                T1428-90072
HP-UX 11i v2 and HP-UX 11i v3      A.08.00                     02/09                                T1428-90071
HP-UX 11i v1, 11i v2, 11i v3       A.07.01                     03/08                                T1428-90066
HP-UX 11i v1, 11i v2, 11i v3       A.07.00                     09/07                                T1428-90064
HP-UX 11i v1, 11i v2               A.07.00                     09/06                                5991-6434
HP-UX 11i v1, 11i v2               A.06.02                     11/05                                T1428-90061
HP-UX 11.00, 11i v1, 11i v2        A.06.01.x                   01/04                                T1428-90050
HP-UX 11.00, 11i v1                A.06.01.x                   10/03                                T1428-90042
HP-UX 11.00, 11i v1                A.06.00.08                  04/03                                T1428-90025
HP-UX 11.00, 11i v1                A.06.00.07                  02/03                                T1428-90014
HP-UX 11.00, 11i v1                A.05.01.01                  06/02                                T1428-90001
Typographic Conventions

This document uses the following typographical conventions:

audit(5)      An HP-UX manpage. In this example, audit is the name and 5 is the section in the HP-UX Reference. On the web and on the Instant Information CD, it may be a link to the manpage itself. From the HP-UX command line, you can enter "man audit" or "man 5 audit" to view the manpage. See man(1).
Book Title    The title of a book. On the web and on the Instant Information CD, it may be a link to the book itself.
KeyCap        The name of a keyboard key. Note that Return and Enter both refer to the same key.
Emphasis      Text that is emphasized.
Emphasis      Text that is strongly emphasized.
Term          The defined use of an important word or phrase.
ComputerOut   Text displayed by the computer.
UserInput     Commands and other text that you type.
Command       A command name or qualified command phrase.
Variable      The name of a variable that you may replace in a command or function or information in a display that represents several possible values.
[ ]           The contents are optional in formats and command descriptions. If the contents are a list separated by |, you can choose one of the items.
{ }           The contents are required in formats and command descriptions. If the contents are a list separated by |, you can choose one of the items.
...           The preceding element can be repeated an arbitrary number of times.
|             Separates items in a list of choices.
HP-UX Release Name and Release Identifier

Each HP-UX 11i release has an associated release name and release identifier. The uname(1) command with the -r option returns the release identifier. The following table lists the releases available for HP-UX 11i.

Table 2 HP-UX 11i Releases

Release Name    Release Identifier
HP-UX 11i v1    B.11.11
HP-UX 11i v2    B.11.23
HP-UX 11i v3    B.11.31
Related Information

In addition to this document, additional information about the HP-UX AAA server can be found in the Internet and Security Solutions collection under AAA Server (RADIUS) at: http://www.docs.hp.com/en/internet.html#AAA%20Server%20%28RADIUS%29

HP Encourages Your Comments

HP encourages your comments concerning this document. We are committed to providing documentation that meets your needs.

Send your comments to: [email protected]. Include the document title, manufacturing part number, and any comment, error found, or suggestion for improvement you have concerning this document.

Part I Introduction

This part of the HP-UX AAA Server Administrator's Guide contains the following chapters:
• Chapter 1: "Overview: The HP-UX AAA Server" (page 34)
• Chapter 2: "Upgrading to Version A.08.01" (page 49)
• Chapter 3: "Installing and Securing the HP-UX AAA Server" (page 54)
• Chapter 4: "Enabling the HP-UX AAA Server for GUI-based Administration" (page 71)
Table of Contents

1 Overview: The HP-UX AAA Server ..... 34
    RADIUS Topology ..... 35
    Establishing a RADIUS Session ..... 36
    Product Structure ..... 38
        HP-UX AAA Server Daemon, Libraries, and Utilities ..... 38
        HP-UX AAA Server Manager Program ..... 38
        Documentation ..... 38
    HP-UX AAA Server Architecture ..... 39
        Configuration Files ..... 40
        AATV Plug-Ins ..... 40
        The Software Engine: Finite State Machine ..... 40
    HP-UX AAA Server Commands, Utilities and Daemons ..... 41
    Handling an Access Request ..... 41
        Authentication to Verify the Client and User ..... 42
        Authorization to Control Sessions and Access to Services ..... 44
            Authorization Steps ..... 45
    Session Logs For Accounting ..... 48
    IPv6 Support for External Services ..... 48
        HP-UX AAA Server as a Client ..... 48
2 Upgrading to Version A.08.01 ..... 49
    The HP-UX AAA Server Upgrade Process ..... 49
    Upgrading from Versions A.07.00, A.06.02, A.06.01, or A.07.01 to Version A.08.01 ..... 49
    Upgrading from Version A.06.00.x to Version A.08.01 ..... 51
    Upgrading from Version A.05.x to Version A.08.01 ..... 53
    Merging the Dictionary File ..... 53
    Merging the radius.fsm File ..... 53
    Merging the vendors File ..... 53
3 Installing and Securing the HP-UX AAA Server ..... 54
    Acquiring the HP-UX AAA Server Software ..... 54
    Installing and Uninstalling the HP-UX AAA Server ..... 54
        To Install the HP-UX AAA Server ..... 54
        To Uninstall the HP-UX AAA Server Software ..... 55
    HP-UX AAA Server File Locations ..... 56
    Securing the HP-UX AAA Server ..... 63
        Changing the Default HP-UX AAA Server Settings ..... 63
            Changing the Default Tomcat User Name and Password ..... 63
            Changing the Default RMI Objects Secret ..... 64
            Changing the Default test_user Settings ..... 64
            Changing the Default localhost Proxy Settings ..... 64
        Environment Specific Security Procedures ..... 64
            Using Secure Socket Layer (SSL) for Secured Remote Server Manager Administration ..... 64
            Creating a Tomcat Identity Specifically for the HP-UX AAA Server ..... 66
            Running the HP-UX AAA Server on Hosts with System Hardening Software ..... 67
            Running the HP-UX AAA Server as a Non-Root User ..... 68
            Setting Up the HP-UX AAA Server to Start as Non-Root User After Reboot ..... 68
4 Enabling the HP-UX AAA Server for GUI-based Administration ..... 71
    Accessing the Server Manager ..... 71
        Starting and Stopping the RMI Objects ..... 72
        Starting and Stopping Tomcat ..... 72
    Testing the Installation ..... 72
        To Test the Installation ..... 72
    Starting HP-UX AAA Servers Using Server Manager ..... 74
        AAA Server Start Options ..... 75
        Server Manager's Reload Feature ..... 76
    Starting HP-UX AAA Servers From the Command Line ..... 77
    Configuring the HP-UX AAA Server to Start Automatically Upon System Reboot ..... 80
    Stopping or Restarting HP-UX AAA Servers ..... 81
        Using Server Manager ..... 81
        From the Command Line ..... 81
    Adding an HP-UX AAA Server to Your Network ..... 82
1 Overview: The HP-UX AAA Server

The Remote Authentication Dial In User Service (RADIUS) protocol defines a standard for information exchange between a network device or software application and an authentication, authorization, and accounting (AAA) server to manage and track user access to network services.

A RADIUS AAA server provides authentication (verifying user credentials), authorization (supplying provisioning information for the user), and accounting (storage of usage information into accounting logs) services to devices and software applications (AAA clients) that support the IETF RADIUS standards.

The AAA or RADIUS client is the access device or application that acts as an enforcement point to control access to a resource. The user device or application requesting access to the resource is referred to as the supplicant.
RADIUS Topology

The RADIUS protocol follows the client-server architecture. The client sends user information to the AAA server using Access-Request or Accounting-Request messages. The AAA server processes the request locally or, if acting as a proxy server, forwards (proxies) the request to a secondary RADIUS server.

When processing a RADIUS request locally, the AAA server can utilize additional external services (LDAP, external database access, DHCP, and so on) to service the request.

The processing of RADIUS requests is usually configured on a per-realm basis. A realm is a group of users sharing a common component in the Network Access Identifier (NAI) attribute in the RADIUS request (for example, "example.org" is the realm component for "[email protected]").

In Figure 1-1 (page 36), a sample Internet Service Provider (ISP) uses four AAA servers to handle user requests. User organizations are grouped into realms. Each user connects to one of the ISP's servers through a local Network Access Server (NAS). The NAS sends a RADIUS Access-Request containing the user's credentials to one of the AAA servers. In turn, the AAA server accesses user and policy information from the repository specified for the user's realm. The repository can be in flat text files associated with the AAA Server, an external database or LDAP server, or an HP-UX Unix user repository. When authenticating users stored in replicated LDAP directory servers or databases, the server can be configured to perform load balancing and failover to achieve greater scalability and availability.
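The following is an added illustration, not code from the HP-UX AAA Server product, of how per-realm processing decides where a user's profile is looked up. It follows the order the chapter gives under "Handling an Access Request": the whole User-Name is tried against the local users file first, then the realm is parsed from the NAI and looked up in authfile, with a default entry for unconfigured realms, a NULL realm for names without an "@", and failover across replicated backends. The dictionaries stand in for the users and authfile files and hold constructed sample data; the key names "NULL" and "DEFAULT", the RealmEntry layout and the health table are assumptions made for this example.

```python
# Added example (not product code): per-realm routing of a User-Name.
# USERS_FILE, AUTHFILE, the "NULL"/"DEFAULT" keys and the health table
# are constructed assumptions standing in for the real configuration files.
from dataclasses import dataclass, field


@dataclass
class RealmEntry:
    store: str                                   # "users", "ldap", "unix" or "proxy"
    backends: list = field(default_factory=list)  # replicated servers, preferred first


# Constructed sample configuration.
USERS_FILE = {"bob": {"Service-Type": "Login-User"}}
AUTHFILE = {
    "example.org": RealmEntry("ldap", ["ldap1.example.org", "ldap2.example.org"]),
    "NULL": RealmEntry("unix"),                       # User-Name carries no '@'
    "DEFAULT": RealmEntry("proxy", ["radius.upstream.example"]),
}


def split_nai(user_name):
    """Split a Network Access Identifier into (user, realm).
    realm is None when there is no '@'; the last '@' is the separator,
    so a user part that itself contains '@' stays intact."""
    if "@" not in user_name:
        return user_name, None
    user, _, realm = user_name.rpartition("@")
    return user, realm


def select_realm_entry(realm, authfile):
    """Choose the authfile entry: the explicit realm (or NULL when the
    name has no realm), else the DEFAULT entry, else nothing."""
    key = "NULL" if realm is None else realm
    if key in authfile:
        return key, authfile[key]
    if "DEFAULT" in authfile:
        return "DEFAULT", authfile["DEFAULT"]
    return None, None


def pick_backend(entry, healthy):
    """Failover across replicas: first backend in preference order that is up."""
    for server in entry.backends:
        if healthy.get(server, False):
            return server
    return None


def route_request(user_name, healthy, users_file=USERS_FILE, authfile=AUTHFILE):
    """Return (store, user, realm_key, backend) for a User-Name.
    Mirrors iaaaUsers (whole User-Name in the users file) then iaaaRealm."""
    if user_name in users_file:
        return "users", user_name, None, None
    user, realm = split_nai(user_name)
    realm_key, entry = select_realm_entry(realm, authfile)
    if entry is None:
        return None, user, realm, None       # no entry and no default: cannot route
    return entry.store, user, realm_key, pick_backend(entry, healthy)
```

The health table is what a load-balancing or failover layer would maintain; when every replica for a realm is down the router returns no backend, which is the case an operator should alarm on rather than letting the request wait.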
Figure 1-1 Typical AAA Network Topology
Establishing a RADIUS Session

A RADIUS session tracks the life of a user session through a series of message exchanges. RADIUS sessions are used to limit simultaneous access to a resource for users who share the same credential, and to manage the allocation and release of IP addresses acquired on behalf of the user by the AAA server. Figure 1-2 (page 37) illustrates the transaction between a RADIUS AAA server and a client:
Figure 1-2 Client-Server RADIUS Transaction
When the user's device connects to the client, the client sends a RADIUS Access-Request to the AAA server. When the server receives the request, it validates the sending client. If the client is permitted to send requests to the server, the server then takes information from the Access-Request and attempts to match the request to a user profile. If all conditions are met, the server sends an Access-Accept packet to the client; otherwise, the server sends an Access-Reject packet. An Access-Accept data packet often includes authorization information that specifies the services the user can access and other session information, such as a timeout value that indicates when the user must be disconnected from the system.

When the client receives an Access-Accept packet, it generates an Accounting-Request to start the session and sends the request to the server. The Accounting-Request data packet describes the type of service being delivered and the user of the service. The server then responds with an Accounting-Response to acknowledge that the request was successfully received and recorded. The user's session ends when the client generates an Accounting-Request (triggered by the user, the client, or an interruption in service) to stop the session. The server acknowledges the Accounting-Request with an Accounting-Response.
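To make the first half of that exchange concrete, here is an added example, not code from the HP-UX AAA Server or from HP, of an Access-Request answered by an Access-Accept or Access-Reject in the RFC 2865 wire format. It shows the two checks the text describes: the server validates the sending client before it looks at the user (an unknown client gets no reply at all), and the client accepts a reply only when its identifier matches and its Response Authenticator verifies under the shared secret, so a forged or altered reply is discarded. The shared secret, client address and user table are constructed sample values; the in-memory dictionaries stand in for the clients and users files.

```python
# Added example (not product code): one RFC 2865 Access-Request round trip.
# SECRET, CLIENTS and USERS are constructed sample data.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # packet codes
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2                # attribute types

SECRET = b"constructed-shared-secret"
CLIENTS = {"192.0.2.10": SECRET}                          # NAS address -> shared secret
USERS = {b"alice@example.org": b"correct horse battery staple"}


def pack_attrs(attrs):
    """Encode (type, value) pairs as RADIUS Type-Length-Value attributes."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def parse_attrs(data):
    """Decode TLV attributes; reject a length that runs off the packet."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def hide_password(password, secret, req_auth):
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with
    MD5(secret + previous output block), seeded by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], mask))
        out += prev
    return out


def reveal_password(hidden, secret, req_auth):
    """Inverse of hide_password; the chain uses the previous hidden block.
    Trailing NULs are padding, so passwords ending in NUL are not representable."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(x ^ y for x, y in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(ident, secret, user_name, password):
    """Client side: fresh random Request Authenticator plus hidden password."""
    req_auth = os.urandom(16)
    attrs = pack_attrs([(ATTR_USER_NAME, user_name),
                        (ATTR_USER_PASSWORD, hide_password(password, secret, req_auth))])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def build_response(code, ident, req_auth, secret, attrs=b""):
    """Server side: Response Authenticator = MD5(Code+ID+Length+ReqAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + req_auth + attrs + secret).digest() + attrs


def server_handle(packet, src_ip, clients=CLIENTS, users=USERS):
    """Validate the sending client first, then the user. Returns the reply,
    or None when the request is silently discarded (unknown client, bad packet)."""
    secret = clients.get(src_ip)
    if secret is None or len(packet) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        return None
    req_auth = packet[4:20]
    try:
        attrs = dict(parse_attrs(packet[20:length]))
    except ValueError:
        return None
    password = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, req_auth)
    expected = users.get(attrs.get(ATTR_USER_NAME, b""))
    ok = expected is not None and hmac.compare_digest(password, expected)
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, req_auth, secret)


def client_verify(response, request, secret):
    """Client side: accept a reply only if the identifier matches the outstanding
    request and the Response Authenticator verifies. Returns the code or None."""
    if len(response) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != request[1] or length != len(response):
        return None
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return code if hmac.compare_digest(response[4:20], expected) else None


def run_exchange(user_name, password, src_ip="192.0.2.10", ident=7):
    """One full round trip: returns 2 (Accept), 3 (Reject) or None (no usable reply)."""
    request = build_access_request(ident, SECRET, user_name, password)
    response = server_handle(request, src_ip)
    return None if response is None else client_verify(response, request, SECRET)
```

The Response Authenticator is the only integrity protection on a plain RADIUS reply, and it is only as strong as the shared secret; that is why the product's securing chapter treats client secrets and a trusted network between NAS and server as prerequisites rather than options.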
Product Structure

The HP-UX AAA Server is based on the client-server architecture. The HP-UX AAA Server consists of the following components:
• HP-UX AAA Server daemon, libraries, and utilities
• The AAA Server Manager program that performs administration and configuration tasks from a web browser for one or more AAA servers
• Documentation (Administrator's Guide, READMEs, and the Secure LAN Advisor help system)

NOTE: To secure the communication between the Server Manager and HP-UX AAA Server, install the Server Manager and the HP-UX AAA Server in a secure network.
HP-UX AAA Server Daemon, Libraries, and Utilities

The server daemon, libraries, and utilities perform the authentication, authorization, and accounting functions while processing requests. The HP-UX AAA Server also includes the AAA RMI objects. The RMI objects provide communication between the HP-UX AAA Server and the HP-UX Tomcat-based Servlet Engine, which hosts the HP-UX AAA Server Manager.

HP-UX AAA Server Manager Program

The HP-UX AAA Server Manager utilizes the HP-UX Tomcat-based Servlet Engine to provide a configuration interface between a web browser and one or more HP-UX AAA Servers. The Server Manager is used for configuring and managing the servers. In addition, the Server Manager can retrieve logged server sessions and accounting information for an administrator. By specifying a set of HP-UX AAA Servers, the Server Manager can be used to manage a group of HP-UX AAA Servers with a common configuration.
Documentation

The following documentation is accessible through the Server Manager:
• Context-sensitive help on the Server Manager's buttons and options
• A Secure LAN Advisor help system to guide you through securing your Wireless Local Area Networks (WLANs) with the HP-UX AAA Server. The Secure LAN Advisor provides information only; it does not edit configuration files
• The HP-UX AAA Server Administrator's Guide in .pdf format. Use this document for step-by-step instructions on configuring the HP-UX AAA Server.

IMPORTANT: For the most recent product documentation, see http://www.docs.hp.com.
HP-UX AAA Server Architecture

The HP-UX AAA Server architecture consists of the following components:
• Configuration files. Files to provide the information necessary for the server to perform authentication, authorization, and accounting requests for your system. In most cases, these files can be modified by using the Server Manager.
• AATV plug-ins. Dynamically loaded libraries that perform discrete actions, such as initiating an authentication request, replying to an authentication request, or logging an accounting record.
• The radiusd software engine, which includes the Finite State Machine (FSM) and associated routines. At server startup, the FSM reads instructions from the state table in the /etc/opt/aaa/radius.fsm configuration file. The state table outlines what AATV actions to call and what order to call them in.

When the server is initialized, it loads and initializes the AATV plug-ins. It also reads the configuration files to initialize the data required for the actions to execute according to the application's requirements.

Figure 1-3 illustrates the general process of server initialization and response to an authentication request.
Figure 1-3 Authentication Process
Configuration Files

For detailed information on the server configuration files, see Chapter 33: "Configuration Files" (page 519).

AATV Plug-Ins

An AATV plug-in defines the actions that perform a variety of functions, including authenticating requests, authorization, and logging. Built-in actions support authentication of users using information from several different repositories, and accounting requests using several different policies and storage formats. For more information on these built-in actions, see "Actions" (page 403).

The Software Engine: Finite State Machine

The Finite State Machine (FSM) controls the step-by-step process that the server follows to process and respond to an authentication request. You can configure the FSM to customize your server configuration without programming software modules. For more information on the Finite State Machine, see Chapter 26: "Customizing the HP-UX AAA Server Using the Finite State Machine" (page 396).
HP-UX AAA Server Commands, Utilities and Daemons

Table 1-1 provides an overview of the HP-UX AAA Server commands, utilities, and daemons.

Table 1-1 Commands, Utilities, and Daemons

radcheck
    Sends RADIUS status and protocol requests to a AAA server and displays the replies. Receiving the reply confirms that the HP-UX AAA Server is operational. The radcheck utility can be invoked on any host by any user. However, the HP-UX AAA Server returns more information to registered clients.

raddbginc
    Sets the debug logging level for a running HP-UX AAA Server. Turns debugging on and off, or sets the level of output, while the AAA Server is running.

radsignal
    Rolls over the server log file and accounting stream while the AAA Server is running. Also sets the log level based on the RADIUS message type.

radiusd
    RADIUS server daemon. Services user authentication and accounting requests from RADIUS clients. Authentication and accounting requests are transmitted to the radiusd daemon in the form of UDP packets that conform to the RADIUS protocol. The radiusd daemon can be started from the Server Manager, the command line, or at boot time using the /etc/rc.config.d/radiusd.conf file.

rad_admin.sh
    Tool to administer one or more HP-UX AAA Servers configured on the host.

radpwtst
    RADIUS client utility that can process commands to send requests to and check responses from a RADIUS server. This can be used as a Dynamic Authorization Server to receive and respond to Disconnect and CoA requests.
Handling an Access RequestWhen the HP-UX AAA server receives a RADIUS message, it calls the FSM and definesa starting event according to the type of message. This event is stored in theInterlink-Proxy-Action attribute. In the default FSM, the first action for allrequests is request-ingress POLICY. If this POLICY is executed successfully, the nextaction is determined by the event stored in Interlink-Proxy-Action. By default,for an Access-Request this action is iaaaUsers. Figure 1-4 (page 42) shows how theFSM actions interact to process the Access-Request for authentication and authorization.
Figure 1-4 Default Action Sequence
Authentication to Verify the Client and User

The authentication of an access request has a number of distinctive steps, as shown in Figure 1-5 (page 43). The rounded rectangles represent configuration files that the HP-UX AAA Server uses and the ovals represent one or more authentication types.
Figure 1-5 Authentication Steps
Authentication Steps

The HP-UX AAA Server follows these authentication steps:

1. After the HP-UX AAA Server receives an Access-Request, it attempts to match the client making the request to an entry in the clients file. The server attempts to authenticate a request only if a match can be made.
2. The iaaaUsers action checks the local users file. In this step, the User-Name attribute value from the Access-Request is used to find an entry for the user in the /etc/opt/aaa/users file.
   • If User-Name matches an entry, the server retrieves that profile and authentication moves to step 5.
   • If User-Name does not match an entry, authentication moves to step 3.

3. If the iaaaUsers action does not find a matching user profile in the users file, the FSM calls the iaaaRealm action. The iaaaRealm action parses the User-Name attribute value for a realm name, and searches authfile to determine the data store where the user profiles for the parsed realm are located. A default entry can be used to handle any realms that are not explicitly configured in authfile.

NOTE: If no realm is specified in the NAI, the server assigns the value NULL for the realm. You can configure NULL realm behavior in the same manner as named realms.

4. The iaaaRealm action calls another action that attempts to retrieve a matching user profile from the data store for the realm, as indicated by authfile:
   • A realm-specific AAA users file;
   • An external data store, such as LDAP or a database;
   • A Unix user profile service via the getpwent() system call.
   If the realm is defined as a proxy, the RADIUS request is forwarded to the target RADIUS server defined for this realm.

5. The user is authenticated according to the protocol established by the Access-Request. If a password-based protocol (PAP, CHAP, MSCHAP) is specified, the user's password is verified. If an EAP method is used, mutual authentication is carried out according to the EAP type (for example PEAP, TLS, or TTLS).

If User-Name matches no entry, either in a local text file or an external data source, the authentication fails.
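The packet exchange behind steps 1, 2, 3 and 5, as an added example in Python; this is not code from this guide or from the HP-UX AAA Server. It builds a PAP Access-Request the way a NAS does (User-Password hidden with the shared secret and the Request Authenticator, RFC 2865 section 5.2), then plays the server side: look the source address up in a clients-file stand-in, recover the password with that client's secret, check it against a users-file stand-in, and answer with an Access-Accept or Access-Reject carrying a Response Authenticator that the client verifies (RFC 2865 section 3). It shows why step 1 must come first: without the client's secret the server can neither recover the password nor sign the reply, and an unknown client gets no reply at all. The addresses, secret, user names and passwords are constructed test data; the CLIENTS and USERS dictionaries stand in for the clients and users files and are not the server's parsers.

```python
# Added example, not HP-UX AAA Server code. Constructed test data throughout.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4

# Stand-ins for the clients file (client address -> shared secret, step 1)
# and the users file (User-Name -> password, step 2). Constructed values.
CLIENTS = {"192.0.2.10": b"constructed-nas1-secret"}
USERS = {"alice@example.com": "public"}


def split_nai(user_name):
    """Step 3: split a Network Access Identifier into (user, realm). A name
    without '@' falls into the NULL realm, configured like any named realm."""
    user, sep, realm = user_name.rpartition("@")
    return (user, realm) if sep else (user_name, "NULL")


def _xor_chain(data, secret, authenticator, chain_on_cipher):
    """RFC 2865 5.2: each 16-byte block is XORed with MD5(secret + previous
    block); the first block uses the Request Authenticator. Hiding chains on
    the cipher blocks it produces, revealing on the cipher blocks it reads."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        mixed = bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        out += mixed
        prev = mixed if chain_on_cipher else block
    return out


def hide_password(password, secret, authenticator):
    padded = password + b"\x00" * (-len(password) % 16)  # NUL-pad to 16n bytes
    return _xor_chain(padded, secret, authenticator, chain_on_cipher=True)


def reveal_password(hidden, secret, authenticator):
    # Padding is stripped, so a password with trailing NUL bytes cannot round-trip.
    return _xor_chain(hidden, secret, authenticator, chain_on_cipher=False).rstrip(b"\x00")


def avp(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_avps(data):
    avps = {}
    while data:
        attr_type, length = struct.unpack("!BB", data[:2])
        if length < 2 or length > len(data):
            raise ValueError("malformed attribute")
        avps[attr_type] = data[2:length]
        data = data[length:]
    return avps


def packet(code, ident, authenticator, attrs):
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def access_request(ident, user_name, password, secret, nas_ip="192.0.2.10"):
    """What the NAS sends: fresh random Request Authenticator, hidden password."""
    request_auth = os.urandom(16)
    attrs = avp(USER_NAME, user_name.encode())
    attrs += avp(USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
    attrs += avp(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
    return packet(ACCESS_REQUEST, ident, request_auth, attrs)


def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def serve(request, src_ip):
    """Server side of steps 1, 2 and 5 for PAP. Returns the reply bytes, or
    None when the client is unknown (the request is silently discarded)."""
    secret = CLIENTS.get(src_ip)                    # step 1: clients file
    if secret is None:
        return None
    _code, ident, length = struct.unpack("!BBH", request[:4])
    request_auth = request[4:20]
    attrs = parse_avps(request[20:length])
    user_name = attrs[USER_NAME].decode()
    _user, _realm = split_nai(user_name)            # step 3 would consult authfile
    expected = USERS.get(user_name)                 # step 2: local users file
    supplied = reveal_password(attrs[USER_PASSWORD], secret, request_auth)
    ok = expected is not None and hmac.compare_digest(expected.encode(), supplied)
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT   # step 5 (PAP)
    reply_attrs = b""                               # ReplyPrep would add reply items
    auth = response_authenticator(code, ident, reply_attrs, request_auth, secret)
    return packet(code, ident, auth, reply_attrs)


def check_reply(reply, request, secret):
    """Client side: only a server holding the shared secret can produce a
    valid Response Authenticator; a mismatch means a forged reply or wrong secret."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if ident != request[1]:
        raise ValueError("reply identifier does not match the request")
    expected = response_authenticator(code, ident, reply[20:length], request[4:20], secret)
    if not hmac.compare_digest(expected, reply[4:20]):
        raise ValueError("bad Response Authenticator: forged reply or wrong secret")
    return code


if __name__ == "__main__":
    secret = CLIENTS["192.0.2.10"]
    req = access_request(1, "alice@example.com", "public", secret)
    print("reply code:", check_reply(serve(req, "192.0.2.10"), req, secret))
```

The same Response Authenticator check is what lets radcheck trust a reply, and it is why a client registered with a wrong secret sees either silence or authenticator failures rather than a clean Access-Reject. The User-Password hiding is an MD5 stream construction keyed by the shared secret, which is why the secret must be long and random and why the transport needs IPsec or a trusted network for anything beyond PAP password confidentiality.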
Authorization to Control Sessions and Access to Services

The HP-UX AAA Server can authorize users using one of the following methods:
• Provisioning on a user-by-user basis with check items and by adding reply items to an Access-Accept message (simple policy)
• Through Local Authorization Server (LAS) functions based on realms
• Through stored policy decisions based on other logical groups that can add check and reply items to the request

Like authentication, the authorization of an access request has a number of distinctive steps, as shown in Figure 1-6 (page 45). The rounded rectangles represent configuration files and the ovals represent one or more actions called by the FSM.
Figure 1-6 Authorization Steps
Authorization Steps

1. The server receives the Access-Request.

2. The server evaluates the request-ingress policy. This is the first step in the FSM, before the request is dispatched for processing. The request-ingress policy can be used to alter the request in one of the following ways:
   • A-V pairs may be added, changed, or removed.
   • The request classification may be altered.
   • The request may be rejected immediately.
   • The request may be dropped entirely, and no reply is sent.
   If the request-ingress policy is evaluated successfully, the HP-UX AAA Server continues with the authorization process.

3. If a request is being proxied, the HP-UX AAA Server evaluates the proxy-egress and proxy-ingress policies. The proxy-egress policy is applied before the RADIUS proxy request message is created and sent; the proxy-ingress policy is applied after the proxy response is received. Table 1-2 lists how these policies can alter requests.
Table 1-2 How Requests are Altered Using the proxy-egress and proxy-ingress Policies

Use of the proxy-egress Policy (applied before the proxy request is sent):
• A-V pairs can be added, modified, or removed.
• The request may be rejected immediately.
• The request may be dropped entirely and no reply is sent.
• The proxy target host may be changed.

Use of the proxy-ingress Policy (applied after the proxy response is received):
• A-V pairs can be added, modified, or removed.
• The reply type may be altered.
• The request may be dropped entirely and no reply is sent.
• The request may be rejected immediately.
4. Check Items. After authentication, each check item in the user profile is processed or matched against the request's corresponding Attribute-Value (A-V) pairs.
   • If all the check and deny items associated with User-Name are satisfied, the CHK_DNY action returns an ACK value to the FSM.
   • If any check or deny item, including the user's password, is not matched correctly, the authentication module returns a NAK value to the FSM. The request fails, and an Access-Reject message is returned to the client.

5. User Policy. User policy is applied to every request, but only after successful authentication. A user policy can be specified in a Policy-Pointer attribute on the request as either a check item or a reply item. If the Policy-Pointer attribute is found in the check items, the HP-UX AAA Server does not look for one in the reply items. The value of the Policy-Pointer attribute specifies the URL of the decision file to be evaluated. If a request contains a Policy-Pointer attribute, as either a check item or a reply item, the specified policy is applied. If the request does not contain a Policy-Pointer, no user policy is applied and the POLICY action returns an ACK event to the FSM. Policies that can be implemented include:
   • Dialed Number Identification Service (DNIS): routing requests according to the number called from or called;
   • Grouping users by NAS addresses or ports;
   • Controlling session duration, concurrent usage, or delivered services by logical groupings defined by the contents of specified A-V pairs;
   • Controlling access according to any time-based criteria.
6. Local Authorization Server (LAS). The LAS refers to the routines and code in the server that handle authorization. The LAS and POSTLAS actions are part of the LAS. Session control with LAS is based on realms. Local session tracking must be explicitly enabled for a realm via the Server Manager or the /etc/opt/aaa/las.conf file. If the realm is not listed, LAS does not enforce any session control for users from that realm. When the LAS handles an Access-Request for a user in a local realm configured in the las.conf file, the LAS module performs the following actions:
   • Checks the user profile for a Simultaneous-Session attribute-value pair, which determines the maximum number of active sessions the user can have. The default value is 1.
   • Authorizes or denies service based on Service-Class.
   The POSTLAS action performs Simultaneous Access Token (SAT) control, which is used to implement realm-based simultaneous session control.

NOTE: HP recommends that you do not enable local session tracking for any realm that uses session management via SQL Access.
7. Reply Items. Reply items refer to the generation of an Access-Accept or Access-Reject message by the ReplyPrep action. By adding reply items to a user's profile or through policy decisions, ReplyPrep can provide a NAS with provisioning information in an Access-Accept packet. Depending on the capabilities of the NAS, the reply items can be used to control a user's session. For example, the following user entry limits the length of the session and the hosts that can be accessed:

[email protected] Password = "public"
        Filter = "library",
        Session-Timeout = 3600

   Users can authenticate as [email protected] using password public to connect for one hour (3600 seconds) to the library hosts that the filter library allows.
   The ReplyPrep action also checks for a Service-Type value, equates the value with user entries, and then appends reply items to the request accordingly. The attribute values for these items specify the default values to use when configuring the connection specified by Service-Type. These special user entries are not used for authentication; the reply items for one of these entries are appended to a request from any user requesting the corresponding service type. If duplicate A-V pairs exist, pruning is applied to determine the A-V pair that is included in the Access-Accept or Access-Reject message.

8. The HP-UX AAA Server evaluates the reply-egress policy just before the RADIUS reply message is created and sent. The reply-egress policy can be used to alter the request in one of the following ways:
   • A-V pairs may be added, modified, or removed.
   • The reply type may be modified.
   • The request may be dropped entirely and no reply is sent.
Session Logs For Accounting

During operation, the HP-UX AAA Server processes information received in an Accounting-Request from the client. By default, session logging information is written to a file following a predefined format, such as Merit or Livingston. You can modify how and where the server generates the logs by editing the log.config file. You can also schedule logging by editing the FSM. In addition, modifying the FSM and configuring SQL Access enables you to use a database to store session log information. For more information, see Chapter 22: “SQL Access” (page 338).

IPv6 Support for External Services

The HP-UX AAA Server can be configured to use IPv6 addresses and support IPv6 attributes for most of the protocols and services it supports. The HP-UX AAA Server currently supports only IPv4 for dynamic user IP address assignment using DHCP.

IMPORTANT: The HP-UX AAA Server supports the use of RADIUS IPv6 attributes with HP-UX 11i v2 (and subsequent releases). RADIUS communication over IPv6 transports is supported with HP-UX 11i v2 (and subsequent releases).

HP-UX AAA Server as a Client

Typically, the HP-UX AAA Server works in server mode: it receives requests from clients, processes them, and sends out appropriate responses based on the request type. However, under some circumstances it is desirable for the HP-UX AAA Server to perform client functions, that is, to send HP-UX AAA Server-initiated messages and process the responses. For example, it is advantageous to have the HP-UX AAA Server disconnect sessions or change session characteristics in real time by sending Disconnect and Change-of-Authorization (CoA) requests. Therefore, starting with the HP-UX AAA Server A.08.01 release, the HP-UX AAA Server also performs certain client functions. For more information, see Chapter 19 (page 291).
2 Upgrading to Version A.08.01

This chapter explains how to upgrade to the HP-UX AAA Server A.08.01 from previous versions.

The HP-UX AAA Server Upgrade Process

The following process describes the HP-UX AAA Server A.08.01 product installation on a system where a previous version of the HP-UX AAA Server is currently installed:

1. The contents of the existing configuration in /etc/opt/aaa/ are copied to /etc/opt/aaa.old/. If any files with the same names exist in /etc/opt/aaa.old/, they are overwritten, so only the most recent previous configuration is kept there; take your own backup of /etc/opt/aaa/ before you start.
2. The old product binaries are removed and the new product binaries are installed.
3. Old, unmodified configuration files are replaced with the new default configuration files in /etc/opt/aaa/.
4. A backup of the default A.08.01 files is installed in /opt/aaa/newconfig/etc/opt/aaa/ for your reference.
5. Generally, no additional migration is necessary, except as specified in the following sections:
   • “Upgrading from Versions A.07.00, A.06.02, A.06.01, or A.07.01 to Version A.08.01”
   • “Upgrading from Version A.06.00.x to Version A.08.01” (page 51)
   • “Upgrading from Version A.05.x to Version A.08.01” (page 53)

NOTE: Contact your HP Support representative if you are upgrading from version A.05.x and require assistance.
Upgrading from Versions A.07.00, A.06.02, A.06.01, or A.07.01 to Version A.08.01

Starting with the HP-UX AAA Server A.08.00 release, the EAP-LEAP AATV is obsolete. The EAP-LEAP authentication method is replaced by the EAP-PEAP authentication method. HP recommends that you use EAP-PEAP in place of EAP-LEAP for improved security. Unlike EAP-LEAP, EAP-PEAP supports mutual authentication and uses an encrypted tunnel to transmit the user's credentials. If you have configured a realm for EAP-LEAP authentication, remove the realm entry from /etc/opt/aaa/authfile and /etc/opt/aaa/EAP.authfile and re-configure the realm. For information on EAP-PEAP, see Chapter 13 “Securing LAN Access With EAP”.

Starting with the HP-UX AAA Server A.08.00 release, the Oracle authentication module is obsolete. Oracle authentication is now supported through SQL Access. HP recommends that you set up your HP-UX AAA Server to interact with the Oracle database using the SQL Access feature. If you have configured a realm for ORACLE authentication, remove the realm entry from /etc/opt/aaa/authfile and /etc/opt/aaa/EAP.authfile and re-configure the realm. For configuring a Database via SQL realm using the HP-UX AAA Server Manager, see Chapter 8 “Configuring Realms”. For information on how to implement SQL Access, see Chapter 22 “SQL Access”.

Starting with the HP-UX AAA Server A.08.00 release, SecurID authentication is obsolete. SecurID authentication is replaced by Open AuTHentication (OATH) standards-based One-Time Password (OTP) authentication. OATH is an industry-wide collaboration to develop an open reference architecture for strong authentication. The OATH standards-based OTP authentication solution supports hardware and software tokens from multiple vendors. If you have configured a realm for SecurID authentication, remove the realm entry from /etc/opt/aaa/authfile and /etc/opt/aaa/EAP.authfile and re-configure the realm. For information on OATH standards-based authentication, see Chapter 16 “OATH Standards-Based OTP Authentication”.

Otherwise, no migration is required, with the following exceptions:
• If you have modified /etc/opt/aaa/dictionary, and you want to use SQL Access, OTP authentication, or the pre-defined policy hooks in the FSM, merge the dictionary file. For information on merging the dictionary file, see “Merging the Dictionary File” (page 53).
• If you have modified the radius.fsm file, and you want to use OTP authentication, Dynamic Authorization, EAP-SIM, EAP-AKA, or the pre-defined policy hooks in the FSM, merge the radius.fsm file. For information on merging the radius.fsm file, see “Merging the radius.fsm File” (page 53).
• If you have configured realms with LDAP as the back end, and you want to enable CIS search, you must specify the Filter-Type in the realm configuration in the authfile as follows:
<realm name> -DEFAULT ProLDAP ""
{
    Filter-Type CIS
    Directory "directory_name"
    {
        Host <ldap-server-hostname>
        Port <ldap-server-port>
        Administrator <ldap-server-administrator>
        Password <Password>
        Searchbase <search-base>
        Authenticate <auto | search | bind>
    }
}

The LDAP administrator password is stored in authfile in clear text, so restrict read access on the file to the user the server runs as.
Additions have been made to the vendors file in this version of the HP-UX AAA Server. If you have modified the vendors file, you must merge it. For information on merging the vendors file, see “Merging the vendors File” (page 53).
Upgrading from Version A.06.00.x to Version A.08.01

To upgrade the configuration files, complete the following steps:

1. Back up your existing HP-UX AAA Server configuration.
2. Install the HP-UX AAA Server A.08.01 without removing your existing HP-UX AAA Server software.
3. Copy the following files from /etc/opt/aaa.old/ to /etc/opt/aaa/. You do not need to modify these files when migrating to A.08.01:
   • The clients file
   • The las.conf file
   • The iaaaAgent.conf file
   • The engine.config file
   • The DAC.grp file and additional policy files
   • New or modified certificate files (copied from /etc/opt/aaa.old/security/ to /etc/opt/aaa/security/)
4. Update the following A.08.01 files in /etc/opt/aaa/ to include any modifications you made for your legacy configuration. Perform this step to carry your legacy configuration into the new A.08.01 file format. Refer to the copy of your legacy files in /etc/opt/aaa.old/ and update the corresponding A.08.01 files listed below:
   • The vendors file
   • The log.config file
   • The radius.fsm file
   • The dictionary file
   • The aaa.config file
5. Copy your legacy users files from /etc/opt/aaa.old/ to /etc/opt/aaa/ (including the default users file and all files with the .users extension). Update the users files as follows:
   • Remove all DEFAULT, dumbuser, pppuser, and slipuser entries. The following shows example entries for each:

DEFAULT DEFAULT Authentication-Type = Realm
        Filter-Id = "unlim"

dumbuser dumbuser Authentication-Type = None
        Service-Type = Login,
        Login-Service = Telnet,
        Login-IP-Host = 255.255.255.255

pppuser pppuser Authentication-Type = None
        Service-Type = Framed,
        Framed-Protocol = PPP,
        Framed-IP-Netmask = 255.255.255.0,
        Framed-Routing = None,
        Framed-MTU = 1500,
        Framed-Compression = Van-Jacobson-TCP-IP

slipuser slipuser Authentication-Type = None
        Service-Type = Framed,
        Framed-Protocol = SLIP,
        Framed-IP-Netmask = 255.255.255.0,
        Framed-Routing = None,
        Framed-MTU = 1500,
        Framed-Compression = Van-Jacobson-TCP-IP

   • Remove all Authentication-Type = Realm and Authentication-Type = File strings from the remaining user entries. The following is a sample sed command you can modify to remove these entries. It writes the result to standard output; redirect it to a new file and review it before replacing the original:

$ sed -e 's/Authentication-Type[ ]*=[ ]*Realm[ ,]*//g' \
      -e 's/Authentication-Type[ ]*=[ ]*File[ ,]*//g' <users or *.users file name>
6. Use Server Manager to re-configure all of your legacy realm and outbound proxy entries on A.08.01. Refer to your legacy authfile at /etc/opt/aaa.old/authfile:
   • Use Server Manager's Proxies link to re-configure entries in /etc/opt/aaa.old/authfile that have the following syntax:

realm.com RADIUS <Realm_host_name>

   • Use Server Manager's Local Realms link to re-configure the realm entries as they appear in /etc/opt/aaa.old/authfile.
   • If you have configured a realm for EAP-LEAP, ORACLE, or SecurID authentication, complete the migration procedure listed in “Upgrading from Versions A.07.00, A.06.02, A.06.01, or A.07.01 to Version A.08.01”.
7. If you are using a Netscape Directory server, update the RADIUS schema file forthe directory server. Copy /opt/aaa/examples/proldap/55iaaa-radius.ldif to the Netscape Directory server. Stop and restart slapdafter copying the schema file to the Netscape server.
8. If you are using an OpenLDAP server, update the RADIUS schema file for thedirectory server. Copy /opt/aaa/examples/proldap/iaaa-radius.ldifto the OpenLDAP server. Stop and restart slapd after copying the schema file tothe OpenLDAP server.
Upgrading from Version A.05.x to Version A.08.01

Contact your HP Support representative if you are upgrading from Version A.05.x to Version A.08.01 or if you need assistance with your migration.

Merging the Dictionary File

To merge the legacy dictionary file changes into the new A.08.01 dictionary file, complete the following steps:

1. Copy the new dictionary file from /opt/aaa/newconfig/etc/opt/aaa/ to /etc/opt/aaa/.
2. Update the /etc/opt/aaa/dictionary file to include any modification you made for your legacy dictionary file. Refer to the copy of your legacy dictionary file in /etc/opt/aaa.old/.

Merging the radius.fsm File

To merge the legacy radius.fsm file changes into the new A.08.01 radius.fsm file, complete the following steps:

1. Copy the new radius.fsm file from /opt/aaa/newconfig/etc/opt/aaa/ to /etc/opt/aaa/.
2. Update the /etc/opt/aaa/radius.fsm file to include any modification you made for your legacy radius.fsm file. Refer to the copy of your legacy radius.fsm file in /etc/opt/aaa.old/.

Merging the vendors File

To merge the legacy vendors file changes into the new A.08.01 vendors file, complete the following steps:

1. Copy the new vendors file from /opt/aaa/newconfig/etc/opt/aaa/ to /etc/opt/aaa/.
2. Update the /etc/opt/aaa/vendors file to include any modification you made for your legacy vendors file. Refer to the copy of your legacy vendors file in /etc/opt/aaa.old/.
3 Installing and Securing the HP-UX AAA Server

This chapter explains how to acquire, install, and secure the HP-UX AAA Server product. Always refer to the HP-UX AAA Server Release Notes for important information specific to each version of the product, including requirements and dependencies.

Acquiring the HP-UX AAA Server Software

You can get the most recent version of the HP-UX AAA Server product at the HP Software Depot: http://www.hp.com/go/softwaredepot.

IMPORTANT: Be sure to review the HP-UX AAA Server Release Notes before installation. The Release Notes list the requirements for each release, including installation, patch, and browser requirements. You can access the Release Notes online at:
http://docs.hp.com/en/internet.html#HP-UX%20AAA%20Server%20%28RADIUS%29

Installing and Uninstalling the HP-UX AAA Server

The following components are installed when you install the HP-UX AAA Server:
• AAA Server binaries, libraries, and utilities
• RMI objects that facilitate communication from the AAA Server to Server Manager
• AAA Server AATV modules

To Install the HP-UX AAA Server

Complete the following steps to install the HP-UX AAA Server:

1. Log in to your system as root.
2. Verify that the product dependencies are installed:

# export PATH=$PATH:/usr/sbin
# swlist | egrep "hpuxws22Tomcat|hpuxwsApache|T1456AA"

IMPORTANT: Be sure you have the correct versions of the product dependencies installed; refer to the HP-UX AAA Server Release Notes.

3. Verify that the patch dependencies are installed. Skip this step if you are installing the HP-UX AAA Server on an HP-UX 11i v2 or HP-UX 11i v3 operating system.

# swlist -l product | grep aC

Review the patch requirements in the product Release Notes if the following value is not returned:

HP aC++ -AA runtime libraries (aCC A.03.37)
NOTE: Check the Release Notes for the HP-UX AAA Server version you areinstalling to verify patch requirements.
4. Download the AAA Server depot file from http://www.software.hp.com and move it to /tmp.
5. Verify that you have downloaded the file correctly:

# swlist -d -s /tmp/<AAA Server>.depot

6. Stop any active Tomcat processes:

# /opt/hpws22/tomcat/bin/shutdown.sh

7. Install the AAA Server:

# swinstall -s /tmp/<AAA Server>.depot HPUX-AAAServer

NOTE: If the installation is not successful, an error message is displayed. The cause of the failure appears at the end of the /var/adm/sw/swagent.log file.

8. After installing the product, add the following entries to the /etc/services file:

# RADIUS protocol
radius          1812/udp
radacct         1813/udp
radius-dynauth  3799/udp

NOTE: These port values are the server's defaults. The RADIUS authentication port is specified in RFC 2865 and the accounting port in RFC 2866; the Dynamic Authorization port and defaults are specified in RFC 5176.
To Uninstall the HP-UX AAA Server Software

Complete the following steps to uninstall the HP-UX AAA Server:

1. From the Server Manager navigation tree, click Administration.
2. Verify that the AAA server you want to stop is selected in the Server Status frame.
3. Click Stop to stop the server.
4. From the command line, stop the RMI objects and Tomcat. See “Starting and Stopping the RMI Objects” (page 72) and “Starting and Stopping Tomcat” (page 72) for more information.

NOTE: Enter the following command if you have not done so already:
# export JAVA_HOME=/opt/java1.5

5. Remove all files residing in the /var/opt/aaa/ and /opt/hpws22/tomcat/webapps/aaa/aaalog/ subdirectories.
6. Log out anyone using the HP-UX AAA Server administrator login “aaa”.
7. As root, enter swremove HPUX-AAAServer, or enter swremove alone at the command prompt to invoke the standard HP-UX GUI and select the HPUX-AAAServer bundle for removal. Refer to the swremove manpage for more information on this command.
HP-UX AAA Server File Locations

Although the HP-UX AAA Server can be run as the root user, HP recommends running it as a non-root user. A user and a group, both named aaa, are created during installation. The HP-UX AAA Server can be run as a non-root user, using the default aaa user created during installation or any other user who is a member of the aaa group.

IMPORTANT: Do not remove the default login aaa and group aaa created during installation, even if you prefer not to use them.
Table 3-1 File Locations Upon Installation

/opt/aaa/aatv
    Server modules and plug-ins

/opt/aaa/bin
    Server daemons and utilities:
    • las.test.sh: script to create simulated sessions for testing
    • radcheck: AAA Server test utility (like the ping command)
    • raddbginc: controls server debug output
    • radsignal: controls server debug output and rolls over the server log file and accounting stream
    • radiusd: AAA Server executable
    • rad_admin.sh: tool to administer one or more HP-UX AAA Servers configured on the host
    • radpwtst: AAA test client utility

/opt/aaa/examples/config
    Finite state machine and sample policy files:
    • *.fsm: sample FSM tables
    • sqlaccess-acct.fsm: sample FSM required to implement accounting without session management using SQL Access
    • sqlaccess-acct-sess.fsm: sample FSM required to implement accounting with session management using SQL Access
    • *.grp: sample decision files
    • OTP sample reference implementation files:
      — oath-request-ingress.grp
      — oath-reply-ingress.grp
      — oath-proxy-egress.grp
    • Dynamic Authorization reference implementation files:
      — client-request-init.grp.dynauth
      — client-reply-ingress.grp.dynauth

/opt/aaa/examples/sqlaccess/userdb
    userdb: contains the files required for management of user profiles and tokens in an SQL-compliant database

/opt/aaa/examples/sdk
    Sample AATVs and plug-ins:
    • /opt/aaa/examples/sdk/ace/samplesc.c: sample challenge-response authentication AATV
    • /opt/aaa/examples/sdk/cis/checkCSI.c: sample pre-authentication AATV
    • /opt/aaa/examples/sdk/sim_a3a8/sample_sim_a3a8.c: sample EAP-SIM A3 or EAP-SIM A8 algorithm plug-in module
    • /opt/aaa/examples/sdk/aka_algo/sample_aka_algo.c: sample EAP-AKA algorithm plug-in module

/opt/aaa/examples/sqlaccess/mysql-1
    Configuration files and scripts that enable the HP-UX AAA Server to use an ODBC client to interact with a MySQL database:
    • sqlaccess.config: sample configuration file that defines database connections, SQL statements, and RADIUS-to-database mappings
    • sqlaccess.config.dynauth: sample configuration file that defines the SQL actions required for implementing the dynamic authorization functionality
    • sqlaccess.config.dynauth_server_group: sample configuration file that defines the SQL actions required for implementing the dynamic authorization functionality when multiple HP-UX AAA Servers are configured as a group
    • dbsetup.sql: script that creates the database tables for the sample configuration and inserts a test user in a database table
    • dbsetup.sql.dynauth_server_group: script that creates the database tables and stored procedures for the dynamic authorization sample configuration
    NOTE: Refer to Chapter 22: “SQL Access” (page 338) for details on using the SQL Access feature. For information on dynamic authorization, see Chapter 20 (page 297).

/opt/aaa/examples/sqlaccess/oracle-1
    Configuration files and scripts that enable the HP-UX AAA Server to use an OCI client to interact with an Oracle database server:
    • sqlaccess.config: sample configuration file that defines database connections, SQL statements, and RADIUS-to-database mappings
    • sqlaccess.config.dynauth: sample configuration file that defines the SQL actions required for implementing the dynamic authorization functionality
    • sqlaccess.config.dynauth_server_group: sample configuration file that defines the SQL actions required for implementing the dynamic authorization functionality when multiple HP-UX AAA Servers are configured as a group
    • dbsetup.sql: script that creates the database tables for the sample configuration and inserts a test user in a database table
    • dbsetup.sql.dynauth_server_group: script that creates the database tables and stored procedures for the dynamic authorization sample configuration
    NOTE: Refer to Chapter 22: “SQL Access” (page 338) for details on using the SQL Access feature. For information on dynamic authorization, see Chapter 20 (page 297).

/opt/aaa/include
    Header files for the SDK:
    • sdk.h: contains the definitions for all the SDK data structures, constants, and APIs
    • plugin.h: contains the plug-in interfaces

/opt/aaa/lib/dbcon/alternate
    Connector libraries that enable the HP-UX AAA Server to communicate with supported database clients:
    • libdbcon_oci.so: OCI client connector library
    • libdbcon_odbc.so: MySQL Unix ODBC client connector library
    NOTE: Refer to Chapter 22: “SQL Access” (page 338) for details on using the client connector libraries.

/opt/aaa/examples/proldap
    LDAP schema and sample LDIF files

/opt/aaa/lib
    Shared libraries:
    • libradlib.sl: contains functions that interface with the main server
    • librpilib.sl: contains functions for programs and utilities
    • libjniAgent.sl: contains functions for Server Manager
    NOTE: Shared library files have .so file extensions on HP-UX 11i v2 (B.11.23) and HP-UX 11i v3 (B.11.31).

/opt/aaa/newconfig
    Default configuration files. Files residing here are copied to the /etc/opt/aaa directory during installation.

/etc/opt/aaa/security/
    Directory containing a unique set of self-signed digital certificates created during installation.

/opt/aaa/share/man/man5 and /opt/aaa/share/man/man1m
    Directories where manpages are installed

/opt/aaa/share/doc/
    Directory containing the Administrator's Guide and product documentation

/etc/opt/aaa
    Configuration files:
    • aaa.config: runtime and tunneling configuration file
    • authfile: realm to authentication-type mapping file
    • clients: client to shared secret mapping file
    • dictionary: definition file required by the radiusd daemon
    • las.conf: authorization and accounting configuration file
    • log.config: session logging configuration file
    • radius.fsm: external FSM table for the server
    • users: holds user security profiles and reply items
    • vendors: holds Internet Assigned Numbers Authority (IANA) numbers and other vendor-specific details
    • engine.config: stores most of the AAA server properties
    • EAP.authfile: configures EAP authentication for user profiles
    • iaaaAgent.conf: specifies how often the AAA server's SNMP subagent checks whether a master agent is active
    • aaa.config.license: do not alter this file
    • RADIUS-ACC-SERVER-MIB.txt: describes RADIUS Accounting MIB definitions
    • RADIUS-AUTH-SERVER-MIB.txt: describes RADIUS Authentication MIB definitions
    • RADIUS-DYNAUTH-CLIENT-MIB.txt: RADIUS Client Dynamic Authorization MIB definition
    • Default policy files:
      — request-ingress.grp
      — reply-egress.grp
      — proxy-egress.grp
      — proxy-ingress.grp
      — client-request-init.grp
      — client-request-egress.grp
      — client-reply-ingress.grp
Table 3-2 lists the files generated during operation and located in /var/opt/aaa/ bydefault:
Table 3-2 Files Generated During Operation (paths relative to /var/opt/aaa/)

/acct/session.yyyy-mm-dd.log
    Default session accounting logs, Merit style

/data/session.las
    Currently active sessions log file

/ipc/*.sm
    Shared memory files related to the interface used for some authentication types.
    IMPORTANT: You must not alter or delete the shared memory (*.sm) files. The server does not operate correctly if the files are changed or removed from the ipc directory.

/logs/logfile
    The server log file

/logs/logfile.yyyymmdd
    Compressed daily or weekly log files

/radacct/*
    Session accounting logs in Livingston call detail records directory-style format (not generated by the default configuration)

/run/radius.pid
    Contains the process id (pid) of the server
Securing the HP-UX AAA Server
Performing the steps in this section increases the security of your HP-UX AAA Server installation. HP recommends all customers perform the steps in “Changing the Default HP-UX AAA Server Settings” (page 63). Perform the steps in “Environment Specific Security Procedures” (page 64) depending on your environment.
Changing the Default HP-UX AAA Server Settings
The following information explains how to increase the security of your HP-UX AAA Server by changing some of the default settings. HP recommends that all customers change the default values.
Changing the Default Tomcat User Name and Password
All Tomcat servers come with the same default user name and password. You must change the user name and password to unique values.
Complete the following steps to change the Tomcat user name and password:
1. Open /opt/hpws22/tomcat/conf/tomcat-users.xml.
2. Look for entries with the roles="tomcat" string. These entries are valid Tomcat user names and passwords.
3. Modify the file to include only the user name and password you want to use. Use the following format:
<user username="new user name" password="new password" roles="tomcat"/>
The password is stored in cleartext in this file, so keep tomcat-users.xml readable only by the account that runs Tomcat, and restart Tomcat for the change to take effect.
Changing the Default RMI Objects Secret
HP recommends changing the default RMI Objects secret.
Complete the following steps to change the default RMI objects secret:
1. Open /opt/hpws22/tomcat/webapps/aaa/WEB-INF/gui.properties.
2. Look for the following entry:
rmi.config.secret = "secret"
3. Change the "secret" portion to a new value.
4. Open the /opt/aaa/remotecontrol/rmiserver.properties file.
5. Look for the following entry:
rmi.config.secret = "secret"
6. Change the "secret" portion to the same value configured in Step 3.
IMPORTANT: The rmi.config.secret in /opt/aaa/remotecontrol/rmiserver.properties and in /opt/hpws22/tomcat/webapps/aaa/WEB-INF/gui.properties must be identical.
Changing the Default test_user Settings
HP recommends changing the default test_user password. This password can be changed only after starting the Server Manager. More information on how to change the default test_user password is provided in “Changing the Default test_user Settings” (page 127).
Changing the Default localhost Proxy Settings
HP recommends changing the default localhost proxy settings. This setting can be changed only after starting the Server Manager. More information on how to change the default localhost proxy settings is provided in “Changing the Default localhost Proxy Settings” (page 118).
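As an added check, not part of the HP product or of this guide, the following Python script reads the three files named in the Tomcat and RMI procedures above and reports which shipped defaults are still in place: the tomcat/tomcat account with the tomcat role, an rmi.config.secret still set to "secret", and a mismatch between the two rmi.config.secret values. It writes constructed sample copies of tomcat-users.xml, gui.properties and rmiserver.properties to a temporary directory so it runs offline; calling audit() with no arguments uses the real paths quoted in the procedures. The regular expression and the quote stripping are assumptions about how the secret is written, based only on the entries shown above.

```python
# Added example (not HP tooling): audit the defaults the procedures above tell you to change.
import os
import re
import tempfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

# Paths on a real installation (from the guide); the sample tree below stands in for them offline.
TOMCAT_USERS = "/opt/hpws22/tomcat/conf/tomcat-users.xml"
GUI_PROPERTIES = "/opt/hpws22/tomcat/webapps/aaa/WEB-INF/gui.properties"
RMI_PROPERTIES = "/opt/aaa/remotecontrol/rmiserver.properties"
DEFAULT_RMI_SECRET = "secret"


def read_property(path, key):
    """Value of `key` in a Java-style properties file, or None. The guide writes the secret
    inside double quotes, so surrounding quotes are stripped before comparison (assumption)."""
    pattern = re.compile(r"^\s*" + re.escape(key) + r"\s*[=:]\s*(.*?)\s*$")
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            match = pattern.match(line)
            if match:
                return match.group(1).strip('"')
    return None


def tomcat_users(path):
    """(username, password, [roles]) for every <user> element in tomcat-users.xml."""
    for user in ET.parse(path).getroot().iter("user"):
        roles = [r.strip() for r in user.get("roles", "").split(",")]
        yield user.get("username"), user.get("password"), roles


def audit(tomcat_users_xml=TOMCAT_USERS, gui_properties=GUI_PROPERTIES, rmiserver_properties=RMI_PROPERTIES):
    """Findings as a list of strings; an empty list means all three defaults were changed."""
    findings = []
    for name, password, roles in tomcat_users(tomcat_users_xml):
        if "tomcat" in roles and "tomcat" in (name, password):
            findings.append("tomcat-users.xml: user %r still uses the shipped 'tomcat' name or password" % name)
    gui = read_property(gui_properties, "rmi.config.secret")
    rmi = read_property(rmiserver_properties, "rmi.config.secret")
    if gui in (None, DEFAULT_RMI_SECRET):
        findings.append("gui.properties: rmi.config.secret is missing or still the default")
    if rmi in (None, DEFAULT_RMI_SECRET):
        findings.append("rmiserver.properties: rmi.config.secret is missing or still the default")
    if gui is not None and rmi is not None and gui != rmi:
        findings.append("rmi.config.secret differs between gui.properties and rmiserver.properties")
    return findings


def write_sample_tree(tomcat_user="tomcat", tomcat_pw="tomcat", gui_secret="secret", rmi_secret="secret"):
    """Constructed sample files in a temp dir, mirroring the entries the guide quotes.
    Defaults reproduce the as-shipped state; pass other values to model a corrected install."""
    d = tempfile.mkdtemp(prefix="aaa-audit-")
    users = os.path.join(d, "tomcat-users.xml")
    gui = os.path.join(d, "gui.properties")
    rmi = os.path.join(d, "rmiserver.properties")
    with open(users, "w", encoding="utf-8") as fh:
        fh.write('<tomcat-users>\n  <role rolename="tomcat"/>\n'
                 '  <user username=%s password=%s roles="tomcat"/>\n</tomcat-users>\n'
                 % (quoteattr(tomcat_user), quoteattr(tomcat_pw)))
    with open(gui, "w", encoding="utf-8") as fh:
        fh.write('rmi.config.secret = "%s"\n' % gui_secret)
    with open(rmi, "w", encoding="utf-8") as fh:
        fh.write('rmi.config.secret = "%s"\n' % rmi_secret)
    return users, gui, rmi


if __name__ == "__main__":
    for finding in audit(*write_sample_tree()) or ["no findings"]:
        print(finding)
```

Run as shown to see the three findings for an as-shipped tree; on the server itself, call audit() with no arguments and treat any non-empty result as a blocker before exposing port 8081 or 2099 beyond the local host.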
Environment Specific Security Procedures
Depending on your environment needs, you can perform any of the following steps for additional security:
Using Secure Socket Layer (SSL) for Secured Remote Server Manager Administration
Use the following steps to configure SSL (HTTPS):
1. Generate a certificate for Tomcat to establish the SSL connection. Use the following steps to create a self-signed certificate with the Java command line keytool utility:
1. Remove $HOME/.keystore if it already exists.
2. Enter the following command:
$ export JAVA_HOME=/opt/java1.5
3. Enter the following command:
$JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA
keytool on Java 1.5 generates a 1024-bit RSA key unless told otherwise; append -keysize 2048 to the command above.
4. Enter a password for the key store when prompted.
5. Enter the certificate information (company, contact name, etc.), when prompted. This information must be accurate because it is displayed to users who attempt to administer Server Manager.
6. Enter a password for the key when prompted. Use the same password you used for the key store.
Because the certificate is self-signed, browsers warn about it until it is imported into their trust store; verify its fingerprint out of band before accepting it.
2. Uncomment the following block in /opt/hpws22/tomcat/conf/server.xml by removing the <!-- and --> markers that surround the Connector element (the one-line descriptive comment above it can stay):
<!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
<!--
<Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
           port="8443" minProcessors="5" maxProcessors="75"
           enableLookups="true"
           acceptCount="10" debug="0" scheme="https" secure="true"
           useURIValidationHack="false">
  <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
           clientAuth="false" protocol="TLS" />
</Connector>
-->
3. Add the keystorePass attribute to the Factory element you uncommented in /opt/hpws22/tomcat/conf/server.xml so that Tomcat can open the key store and key. Add the keystorePass attribute as shown in the following:
<Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
         clientAuth="false" protocol="TLS" keystorePass="<password>" />
IMPORTANT: Replace <password> with the password used to generate the key store in Step 1. The password is stored in cleartext in server.xml, so make that file readable only by the account that runs Tomcat.
4. Stop and start Tomcat:
• Stop: /opt/hpws22/tomcat/bin/shutdown.sh
• Start: /opt/hpws22/tomcat/bin/startup.sh
5. Point your web browser to:
https://<hostname>:8443/aaa
The plain HTTP connector on port 8081 is still active after this change; if remote administration must use HTTPS, restrict port 8081 to the local host.
Creating a Tomcat Identity Specifically for the HP-UX AAA Server
If several applications use Tomcat, you can configure Tomcat to have a user name and password specifically for the AAA Server. All other applications using Tomcat will have a different user name and password.
Complete the following steps to create a Tomcat identity specifically for your HP-UX AAA Server:
1. Search for the following line in /opt/hpws22/tomcat/conf/server.xml:
<!-- Tomcat Examples Context -->
Add the following code above this line:
<Context path="/aaa" docBase="aaa" debug="0" reloadable="false" crossContext="false">
  <Realm className="org.apache.catalina.realm.MemoryRealm" debug="0" pathname="conf/aaa-users.xml"/>
</Context>
2. Open the /opt/hpws22/tomcat/conf/aaa-users.xml file.
3. Replace adminaaa with the new user name and password.
4. Enter the following command:
$ export JAVA_HOME=/opt/java1.5
5. Stop Tomcat if it is running:
$ /opt/hpws22/tomcat/bin/shutdown.sh
6. Restart Tomcat:
$ /opt/hpws22/tomcat/bin/startup.sh
NOTE: Before starting and stopping the Remote Method Invocation (RMI) server,the JAVA_HOME environment variable must be set to appropriate path. Forexample, to use Java6, export JAVA_HOME to the /opt/java6 path. If theJAVA_HOME environment variable is not set or set incorrectly, the default value/opt/java1.5 is used to start and stop the RMI Server.
7. Stop the RMI objects if they are running:
$ /opt/aaa/remotecontrol/rmistop.sh
8. Set the shared library path to the OCI client or ODBC driver in the /opt/aaa/remotecontrol/rmistart.sh script if you are implementing the SQL Access feature. See the following README files for more information:
• /opt/aaa/examples/sqlaccess/oracle-1/README: for Oracle - OCI
• /opt/aaa/examples/sqlaccess/mysql-1/README: for MySQL - ODBC
See Chapter 22: “SQL Access” (page 338) for more information on the SQL Access feature.
9. Start the RMI objects:
$ /opt/aaa/remotecontrol/rmistart.sh
10. Point your web browser to:
http://<hostname>:8081/aaa
11. Login with the new AAA Server-specific user name and password.
Running the HP-UX AAA Server on Hosts with System Hardening Software
If you are setting up the HP-UX AAA Server on a system that is being hardened using lock-down software such as Bastille, you must ensure that the ports used by the HP-UX AAA Server are kept open. The following ports must be kept open if you are running the HP-UX AAA Server:
• Port 1812 (RADIUS authentication port, UDP)
• Port 1813 (RADIUS accounting port, UDP)
• Port 8081 (port used by the Server Manager. Needed only if this host is going to run the Server Manager)
• Port 2099 (port used by the RMI server. Needed only if the HP-UX AAA Server on this host needs to be remotely managed from another host.)
• RMI Server ports listed in Table 3-3. By default, these ports change each time the RMI objects are started.
Open ports 8081 and 2099 and the RMI object ports only to the hosts that administer the server, not to every source that can reach 1812 and 1813.
NOTE: These ports are default ports. However, you can configure these services to use other ports.
If the HP-UX AAA Server on the host needs to be remotely managed from another host, then some additional ports need to be opened. By default, these ports are chosen randomly and change every time the RMI server is restarted. To make them easier to open, these ports can be configured in /opt/aaa/remotecontrol/rmiserver.properties. Table 3-3 lists the ports that need to be configured and opened for the corresponding remote management functionality required.
Table 3-3 Ports Associated with RMI Objects that must be Configured
Functionality: Port property
If you are using the administrative functions:
• adm.server.port
If you are modifying, loading, or saving the configuration:
• conf.server.port
• file.server.port
If you are using maintenance features such as accounting, logging, reporting, getting statistics, or session management:
• stat.server.port
• acct.server.port
• log.server.port
• sess.server.port
Running the HP-UX AAA Server as a Non-Root User
Some organizations require network server processes to run as a non-root user.
Complete the following steps to run the AAA server as a non-root user:
1. Login to the system as the root user.
2. Add the user name www to the aaa group.
NOTE: Before starting and stopping the Remote Method Invocation (RMI) server, the JAVA_HOME environment variable must be set to the appropriate path. For example, to use Java6, export JAVA_HOME to the /opt/java6 path. If the JAVA_HOME environment variable is not set or set incorrectly, the default value /opt/java1.5 is used to start and stop the RMI Server.
3. Use the following command to start the RMI objects as the aaa user:
$ su - aaa -c /opt/aaa/remotecontrol/rmistart.sh
4. Use the following command to start Tomcat as the www user:
$ su - www -c "export JAVA_HOME=/opt/java1.5; /opt/hpws22/tomcat/bin/startup.sh"
5. Point your web browser to:
http://<hostname>:8081/aaa
NOTE: Any log files created when the HP-UX AAA server was running as the root user will not be accessible after performing this procedure. To view these log files, change their ownership to the user the server now runs as. For more information, see the chown manpage.
Setting Up the HP-UX AAA Server to Start as Non-Root User After Reboot
Complete the following steps to set up the HP-UX AAA Server to start as a non-root user after reboot:
1. Set the RADIUSD variable to 1 in the /etc/rc.config.d/radiusd.conf file.
2. Open the /sbin/init.d/radiusd.rc file and look for the following entry:
DAEMONNM=radiusd
CONFFILE=$AAAPATH/clients
DAEMONEXE=/opt/aaa/bin/${DAEMONNM}
3. Change the DAEMONEXE line to set radiusd to start as the aaa user after reboot:
Change:
DAEMONEXE=/opt/aaa/bin/${DAEMONNM}
To:
DAEMONEXE="/usr/bin/su - aaa -c /opt/aaa/bin/${DAEMONNM}"
4. Look for the following entry:
echo "$DAEMONNM started with <$retval>"
if [[ -x /opt/aaa/remotecontrol/rmistart.sh ]]; then
    /usr/bin/nohup /opt/aaa/remotecontrol/rmistart.sh >/dev/null 2>&1
fi
5. Change the then statement to start the RMI objects as the aaa user after reboot:
Change:
if [[ -x /opt/aaa/remotecontrol/rmistart.sh ]]; then
    /usr/bin/nohup /opt/aaa/remotecontrol/rmistart.sh >/dev/null 2>&1
fi
To:
if [[ -x /opt/aaa/remotecontrol/rmistart.sh ]]; then
    /usr/bin/nohup /usr/bin/su - aaa -c /opt/aaa/remotecontrol/rmistart.sh >/dev/null 2>&1
fi
6. Look for the following entry:
# stop the daemon!!!
if [[ -x /opt/aaa/remotecontrol/rmistop.sh ]]; then
    /opt/aaa/remotecontrol/rmistop.sh >/dev/null 2>&1
fi
7. Change the then statement to stop the RMI objects as the aaa user during shutdown:
Change:
if [[ -x /opt/aaa/remotecontrol/rmistop.sh ]]; then
    /opt/aaa/remotecontrol/rmistop.sh >/dev/null 2>&1
fi
To:
if [[ -x /opt/aaa/remotecontrol/rmistop.sh ]]; then
    /usr/bin/su - aaa -c /opt/aaa/remotecontrol/rmistop.sh >/dev/null 2>&1
fi
8. Look for the following entry:
/opt/aaa/bin/rad_admin.sh start all > /dev/null 2>&1
9. To start all the HP-UX AAA Servers as the aaa user during reboot, modify the statement as follows (the command is quoted so that su passes the start all arguments to rad_admin.sh rather than to the login shell):
/usr/bin/su - aaa -c "/opt/aaa/bin/rad_admin.sh start all" > /dev/null 2>&1
10. Look for the following entry:
/opt/aaa/bin/rad_admin.sh stop all > /dev/null 2>&1
11. To stop all the HP-UX AAA Servers as the aaa user during shutdown, modify the statement as follows:
/usr/bin/su - aaa -c "/opt/aaa/bin/rad_admin.sh stop all" > /dev/null 2>&1
12. If you are implementing the SQL Access feature, add the following environment variable settings to the .profile file in the aaa user’s home directory:
(For ODBC only)
export ODBCINI=path/odbc.ini
(For OCI and ODBC)
export SHLIB_PATH=${SHLIB_PATH}:<path to the ODBC/OCI client libraries>
4 Enabling the HP-UX AAA Server for GUI-based Administration
This chapter explains how to enable your HP-UX AAA server software to begin administration. This chapter addresses the following topics:
• “Accessing the Server Manager” (page 71)
• “Testing the Installation” (page 72)
• “Starting HP-UX AAA Servers Using Server Manager” (page 74)
• “Starting HP-UX AAA Servers From the Command Line” (page 77)
• “Stopping or Restarting HP-UX AAA Servers” (page 81)
• “Adding an HP-UX AAA Server to Your Network” (page 82)
Accessing the Server Manager
To start the HP-UX AAA Server and the Server Manager graphic user interface, complete the following steps:
1. Enter the following command:
# export JAVA_HOME=/opt/java1.5
NOTE: Before starting and stopping the Remote Method Invocation (RMI) server, the JAVA_HOME environment variable must be set to the appropriate path. For example, to use Java6, export JAVA_HOME to the /opt/java6 path. If the JAVA_HOME environment variable is not set or set incorrectly, the default value /opt/java1.5 is used to start and stop the RMI Server.
2. Start the Remote Method Invocation (RMI) objects to allow the AAA server software to communicate with Server Manager. Use the following command:
# /opt/aaa/remotecontrol/rmistart.sh
3. Start the HP-UX Tomcat-based Servlet Engine. Use the following command:
# /opt/hpws22/tomcat/bin/startup.sh
NOTE: To use IPv6 addresses, enter the following command before starting the HP-UX Tomcat-based Servlet Engine:
# export JAVA_OPTS="$JAVA_OPTS -Djava.net.preferIPv4Stack=false"
4. Enable the Java Runtime Environment (JRE) and Javascript for the browser, so that the browser can run the Server Manager applets and execute Javascripts.
5. Point your web browser to the following URL to manage the HP-UX AAA Server with the Server Manager interface:
http://<IP-Address or FQDN>:8081/aaa
Over plain HTTP the login is sent in cleartext; for administration from another host, configure the HTTPS connector described in “Using Secure Socket Layer (SSL) for Secured Remote Server Manager Administration” (page 64).
6. To access the Server Manager, enter your user name and password.
NOTE: The default Server Manager username is tomcat. The default Server Manager password is tomcat. Change both before the interface is reachable from other hosts; see “Changing the Default Tomcat User Name and Password” (page 63).
Starting and Stopping the RMI Objects
Before starting and stopping the Remote Method Invocation (RMI) server, the JAVA_HOME environment variable must be set to the appropriate path. For example, to use Java6, export JAVA_HOME to the /opt/java6 path. If the JAVA_HOME environment variable is not set or set incorrectly, the default value /opt/java1.5 is used to start and stop the RMI Server.
To start and stop the RMI objects, use the following commands:
• To start: /opt/aaa/remotecontrol/rmistart.sh
• To stop: /opt/aaa/remotecontrol/rmistop.sh
• Status: netstat -a | grep 7790
Starting and Stopping Tomcat
To start and stop Tomcat, use the following commands:
• To start: /opt/hpws22/tomcat/bin/startup.sh
• To stop: /opt/hpws22/tomcat/bin/shutdown.sh
• Status: netstat -a | grep 8081
Testing the Installation
To test the server installation quickly, perform the following procedure using Server Manager:
• Add a loopback connection to a AAA server
• Start the AAA server
• Check the status for a response
To Test the Installation
Complete the following steps to test the server installation:
1. Connect to Server Manager and start the AAA server. See “Accessing the Server Manager” (page 71).
2. From the navigation tree, click the Server Connections link and then click the Connect to Server link.
3. In the Add Connection screen that opens, enter the values for your server as shown in the following format:
Name: The identifying string of a remote server.
Domain Name or IP Address: The IP address (traditional IPv4 address in dotted-quad notation, or IPv6 address in IPv6 literal format notation), or valid Domain Name System (DNS) host name of the AAA server that the connection maps to. Examples: IPv4 address 192.0.2.0; IPv6 address fedc:ba98:7654:3210; Domain Name example.org
4. Click Create.
5. Verify the server is listed and selected in the Server Status frame.
6. From the navigation tree, click Administration.
7. Click Start.
8. Verify the server has started. A green “GO” icon in the Server Status frame indicates the server is running.
9. Verify the server is selected in the Server Status frame and then select the Status option.
10. Check Server Manager’s Message Frame for the status reply. The following reply at the bottom of the Message Frame indicates the server is running correctly:
“<server name> (port#)” is responding
11. Verify that your HP-UX AAA Server is installed and operating correctly by using the testing user (named test_user) created during installation. After test_user is authenticated and the AAA server sends an Access-Accept, the client sends an Accounting-Request to start the session. After the session is terminated, the client sends an Accounting-Request stop message to stop the session logging and the AAA server writes the session information to a file.
a. Enter the following command:
# /opt/aaa/bin/radpwtst -s localhost -i 192.0.2.0 -l 1 test_user
This command simulates an Access-Request from port 1 of a NAS with an IP address of 192.0.2.0. When prompted for a password, enter: password. The command must return the following output:
'test_user' authentication OK
b. Enter the following command:
# /opt/aaa/bin/radpwtst -c 4 -s localhost -i 192.0.2.0 -l 1 -u ppp -:Acct-Status-Type=Start test_user
This command simulates an Accounting-Request start message, activating the user’s PPP session. The command must return the following output:
Accounting Response received
c. Enter the following command:
# /opt/aaa/bin/radpwtst -c 4 -s localhost -i 192.0.2.0 -l 1 -u ppp -:Acct-Status-Type=Stop test_user
This command simulates an Accounting-Request stop message, terminating the user’s session. The command must return the following output:
Accounting Response received
d. View the session logs for test_user’s start and stop accounting messages by selecting Accounting in Server Manager’s navigation tree and clicking Display.
IMPORTANT: HP recommends removing test_user or changing its default password before deploying the HP-UX AAA Server in a production environment. See “Securing the HP-UX AAA Server” (page 63) for more information.
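The radpwtst exchange above, as an added example that is not part of the product or this guide: a minimal Python encoder for the RFC 2865 Access-Request and RFC 2866 Accounting-Request packets that the three commands send, together with the authenticator checks each side performs on them (User-Password hiding with the shared secret, the Accounting-Request authenticator the server verifies, and the Response Authenticator the client verifies before it can report "authentication OK"). It mirrors the guide's values (test_user, password, NAS 192.0.2.0, NAS-Port 1, PPP, Acct-Status-Type Start and Stop); the shared secret s3cr3t and the exact attribute set radpwtst emits are assumptions, and the real secret for 192.0.2.0 is whatever /etc/opt/aaa/clients holds. demo() runs the whole exchange offline against a simulated server reply; send() is for a live run against port 1812 or 1813.

```python
# Added example (not HP code): RFC 2865/2866 packets behind the radpwtst test.
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE = 1, 2, 4, 5
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT, FRAMED_PROTOCOL, ACCT_STATUS_TYPE = 1, 2, 4, 5, 7, 40
PPP, ACCT_START, ACCT_STOP = 1, 1, 2

def attr(atype, value):
    """Type-Length-Value; Length includes the 2-byte header, so values are capped at 253."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 octets")
    return bytes((atype, len(value) + 2)) + value

def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16n, XOR block i with MD5(secret + previous cipher block);
    block 0 uses the Request Authenticator. Obfuscation keyed by the shared secret only."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password.ljust(max(1, (len(password) + 15) // 16) * 16, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def reveal_password(hidden, secret, authenticator):
    """Server side of hide_password; trailing NUL padding is stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def packet(code, ident, authenticator, attrs):
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

def attributes(pkt):
    """Yield (type, value) pairs; stop on a bad length rather than looping forever."""
    pos = 20
    while pos + 2 <= len(pkt):
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > len(pkt):
            break
        yield atype, pkt[pos + 2:pos + alen]
        pos += alen

def build_access_request(ident, secret, user, password, nas_ip, nas_port, authenticator=None):
    """Access-Request; the Request Authenticator must be fresh random data per request."""
    auth = authenticator or os.urandom(16)
    attrs = (attr(USER_NAME, user.encode()) +
             attr(USER_PASSWORD, hide_password(password.encode(), secret, auth)) +
             attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)) +
             attr(NAS_PORT, struct.pack("!I", nas_port)))
    return packet(ACCESS_REQUEST, ident, auth, attrs)

def build_accounting_request(ident, secret, user, nas_ip, nas_port, status):
    """RFC 2866 3: authenticator = MD5(Code + ID + Length + 16 zero octets + attrs + secret)."""
    attrs = (attr(USER_NAME, user.encode()) +
             attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)) +
             attr(NAS_PORT, struct.pack("!I", nas_port)) +
             attr(FRAMED_PROTOCOL, struct.pack("!I", PPP)) +
             attr(ACCT_STATUS_TYPE, struct.pack("!I", status)))
    auth = hashlib.md5(packet(ACCOUNTING_REQUEST, ident, b"\x00" * 16, attrs) + secret).digest()
    return packet(ACCOUNTING_REQUEST, ident, auth, attrs)

def accounting_request_ok(pkt, secret):
    """What the server checks before answering; a wrong shared secret fails here."""
    expected = hashlib.md5(pkt[:4] + b"\x00" * 16 + pkt[20:] + secret).digest()
    return len(pkt) >= 20 and hmac.compare_digest(expected, pkt[4:20])

def build_response(code, ident, request_auth, secret, attrs=b""):
    """Reply: Response Authenticator = MD5(Code + ID + Length + RequestAuth + attrs + secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs

def response_ok(reply, request_auth, secret):
    """Client check that radpwtst performs before reporting 'authentication OK'."""
    if len(reply) < 20 or len(reply) != struct.unpack("!H", reply[2:4])[0]:
        return False
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])

def send(pkt, host="localhost", port=1812, timeout=3.0):
    """Send one packet over UDP; returns the raw reply or None on timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, (host, port))
        try:
            return s.recv(4096)
        except socket.timeout:
            return None

def demo(secret=b"s3cr3t"):
    """Offline round trip of the three radpwtst packets against a simulated server."""
    req = build_access_request(1, secret, "test_user", "password", "192.0.2.0", 1)
    recovered = reveal_password(dict(attributes(req))[USER_PASSWORD], secret, req[4:20])
    accept = build_response(ACCESS_ACCEPT, 1, req[4:20], secret)
    start = build_accounting_request(2, secret, "test_user", "192.0.2.0", 1, ACCT_START)
    stop = build_accounting_request(3, secret, "test_user", "192.0.2.0", 1, ACCT_STOP)
    return (recovered == b"password" and response_ok(accept, req[4:20], secret)
            and accounting_request_ok(start, secret) and accounting_request_ok(stop, secret))

if __name__ == "__main__":
    print("simulated exchange OK" if demo() else "FAILED")
```

For a live check against the server started above, build the request with the secret from /etc/opt/aaa/clients, pass it to send() (port 1812 for the Access-Request, 1813 for the two Accounting-Requests) and run response_ok() on the reply with the same Request Authenticator; a reply that fails that check means a wrong shared secret or a forged answer, and should never be reported as a pass.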
Starting HP-UX AAA Servers Using Server Manager
To start AAA servers using Server Manager, complete the following steps:
1. From the navigation tree, click Administration.
2. Select the servers you want to start in the Server Status frame.
NOTE: Server commands will only be executed on servers selected in the Server Status frame.
3. Click Start.
Figure 4-1 shows the return value in Server Manager’s message frame when a server is successfully started.
Figure 4-1 Return Value After Successfully Starting a AAA Server
AAA Server Start Options
Select the Start button’s corresponding icon to display the Start Options screenshown in Figure 4-2. Table 4-1 describes the start options you can use.
Figure 4-2 Server Manager’s Start Options Screen
Table 4-1 Server Start Options
Option: Description
Authentication: Specifies the UDP port number to listen to authentication requests. The default Authentication port number is 1812.
Accounting: Specifies the UDP port number to listen to accounting requests. The default Accounting port number is 1813.
Dynamic Authorization: Specifies the UDP port number to listen for dynamic authorization requests. The default value is 3799.
Authentication Relay: Specifies the UDP port number to relay authentication requests. This option is useful when proxying requests to a AAA server that is not listening on the default port.
Accounting Relay: Specifies the UDP port number to relay accounting requests. This option is useful when proxying requests to a AAA server that is not listening on the default port.
Client: Specifies the local UDP port number to which the Client AATV binds to listen for incoming client requests. This field is optional. If no value is entered, the HP-UX AAA Server uses any available port.
Debug Level: Specifies the debug level. Higher levels write more information to the radius.debug file. Increasing this value can cause performance to decline. The default value is 0.
Log Control: Specifies the level of information logged in the log file based on the RADIUS message type. The default value logs detailed information in the log file.
Reset Logfile: Empties the logfile and debug file when the server is started.
Reset Session Table: Empties the stored session table at server startup.
IMPORTANT: This option is only intended for experimental use or testing and not for a live production server. If you reset a production server, the server loses track of the sessions that are still active.
NOTE: All options specified when the server is started are written to the server’slogfile.
IMPORTANT: Modified start options will not take effect until the server is stopped(by selecting the stop button) and then restarted.
Server Manager’s Reload Feature
The Reload button signals the HP-UX AAA Server to reload specific configuration information while the server is running. The result of the command will be displayed in the Message frame. The HP-UX AAA server will reload the following files and the client policy files after you select Reload:
• users
• clients
• authfile
• aaa.config
• engine.config (all values except the certificate properties, which require youto stop and restart the server to be refreshed)
• las.conf
• EAP.authfile
• aaa.config.license
• sqlaccess.config
• request-ingress.grp
• reply-egress.grp
• proxy-egress.grp
• proxy-ingress.grp
• client-request-init.grp
• client-request-egress.grp
• client-reply-ingress.grp
In order for other configuration changes to take effect, you must stop and restart theserver.
IMPORTANT: Save the configuration before reloading the configuration information.
Starting HP-UX AAA Servers From the Command Line
The radiusd daemon is a process that services user authentication and accounting requests from RADIUS clients. Authentication and accounting requests come to the radiusd daemon in the form of UDP packets conforming to the RADIUS protocol. You can start the radiusd daemon from the Server Manager GUI, the command line, or through an inetd service.
radiusd Syntax
radiusd [-c workdir] [-C] [-d configdir] [-da aatvdir] [-dl logdir] [-di ipcdir] [-dr rundir] [-dd datadir] [-dm meritdir] [-ip ipaddress] [-ll msg_type:msg_sub_type:log_level] [-p authport] [-q acctport] [-cp clientport] [-dp dynauthport] [-f fsm] [-l] [-n] [-pp authproxy] [-qq acctproxy] [-g logtype] [-h] [-s] [-sn SNMP Contextname] [-t timeout] [-v] [-z] [-x] [-x] [-x] [-x]
Table 4-2 describes all the radiusd options.
Table 4-2 radiusd Options
Option: Description
-c Working-directory: Sets the current working directory. This option can be useful for determining the location of system generated files, such as core files.
-C tokcachedir: Enables token caching.
-d Config-directory: Specifies the directory where the configuration files are located. If omitted, the default directory is /etc/opt/aaa.
-da AATV-directory: Specifies the directory where the AATV libraries are located. If omitted, the default directory is /opt/aaa/aatv.
-dl Logfile-directory: Specifies the directory where the log and debug files are located. If omitted, the default directory is /var/opt/aaa/logs.
-di IPC-directory: Specifies the directory where the files generated for shared memory operation are located. If omitted, the default directory is /var/opt/aaa/ipc.
-dr Run-directory: Specifies the directory where the server’s process id file (radiusd.pid) is located. If omitted, the default directory is /var/opt/aaa/run.
-dd Data-directory: Specifies the directory where the active session file (session.las) is located. If omitted, the default directory is /var/opt/aaa/data.
-dm Accounting-directory: Specifies the directory where Merit style accounting log files (session logs) are located. If omitted, the default directory is /var/opt/aaa/acct.
-ip ip-address: Specifies the IP address to listen for requests.
-ll msg_type:msg_sub_type:log_level: Sets the log level based on the RADIUS message type. If the option is used multiple times, then the log level for each of the specified RADIUS message types will be set. The msg_type parameter specifies the RADIUS message type for which the log level should be set and should be one of the following:
• auth: Authentication messages.
• acct: Accounting messages.
• disconn: Disconnect messages.
• coa: Change-Of-Authorization messages.
• all: All the above messages.
The msg_sub_type parameter specifies the sub type of the msg_type parameter for which the log level should be set and should be one of the following:
• req: Request messages.
• resp: Response messages.
• ack: Ack response messages.
• nak: Nak response messages.
• all: All the above messages.
The log_level parameter specifies the log level to be set for the msg_type and msg_sub_type parameters and should be one of the following:
• suppress: Suppresses all the log messages for the msg_type and msg_sub_type parameters.
• low: Provides minimal information in the log messages for the msg_type and msg_sub_type parameters.
• default: Provides detailed information in the log messages for the msg_type and msg_sub_type parameters. This is the default behavior.
-p Authentication-port: Specifies the UDP port number to listen to auth requests. If omitted, the local host services will be queried for the RADIUS port (see services(4)). If unable to obtain the port from host services, the RADIUS standard default of 1812 will be used.
-q Accounting-port: Specifies the UDP port number to listen for acct requests. If omitted, the local host services will be queried to obtain the radacct port (see services(4)). If unable to obtain the port from host services, the RADIUS standard default of 1813 will be used.
-f FSM: Allows the user to specify an alternate Finite State Machine (FSM) table file instead of the default radius.fsm file. The default FSM file (/etc/opt/aaa/radius.fsm) follows Merit style accounting behavior.
-l Log-format: strftime(3) format for naming logfiles. The -l option specifies the logfile name format with timestamp precision and dictates when a logfile must start logging. For example, the following specifies the logging to start every hour:
$ ./radiusd -l logfile.%Y%m%d%H
-n: Resets the session table. If omitted, the default is to restore the session table from a previous run.
-pp Authentication-proxy: Specifies the UDP port number to forward (proxy) authentication requests.
-qq Accounting-proxy: Specifies the UDP port number to forward (proxy) accounting requests.
-g Logtype: Selects logfile, syslog, or stderr logging.
-h: Displays help message.
-s: Single process (non-spawning) mode.
-t Timeout: Inactivity timeout value (minutes) when the radiusd daemon is started through inetd.
-v: Displays AAA server version.
-z: Empties the logfile and the debug file if the -x option is used.
-x: Adds to debug flag value.
-cp clientport: Specifies the port on which the CLIENT AATV must listen.
-dp dynauthport: Specifies the port on which the HP-UX AAA Server must listen for proxied Dynamic Authorization messages.
-sn <context name>: Specifies the SNMP context name that the HP-UX AAA Server SNMP subagent uses to register with the master agent. If the context name is not specified, it is omitted. The context name is required for identification when multiple instances of the HP-UX AAA Server are running on a single host.
NOTE: The radiusd daemon determines what action must be taken when receivingrequests based upon an FSM that it loads into memory when the server is started. TheFSM can be configured, but it is static after server startup. The server uses the algorithmshown in Figure 4-3 to determine which FSM must be loaded into memory:
Figure 4-3 Algorithm for Determining Which FSM to Load
IMPORTANT: When started by the inetd service, radiusd times out if it does notreceive a message in 15 minutes. With the -t Timeout option, you can override thisvalue. If the value is set to 0, it waits indefinitely without timing out.
Configuring the HP-UX AAA Server to Start Automatically Upon System Reboot
You can configure the HP-UX AAA Server (radiusd) and RMI objects to start automatically after a system reboot.
• Set the RADIUSD variable in /etc/rc.config.d/radiusd.conf to 1. The default setting is 0.
CAUTION: Modifying the content of the /sbin/init.d/radiusd.rc file other than the radiusd options can prevent the system from booting.
NOTE: You can also start the Server Manager interface after reboot. In the /etc/rc.config.d/hpws22_tomcatconf file, set HPWS22_TOMCAT_START to 1, and set JAVA_HOME to /opt/java1.5.
Stopping or Restarting HP-UX AAA Servers
You must stop or restart AAA servers to update configuration changes. To avoid entering the configuration values every time an instance must be started or stopped, the HP-UX AAA Server Admin Tool is provided. The HP-UX AAA Server Admin Tool simplifies the start and stop tasks. Therefore, it is recommended that you use the HP-UX AAA Server Admin Tool to start or stop an instance using the CLI.
CAUTION: Do not stop a live server in production as it interrupts services to users.
Using Server Manager
1. From the navigation tree, click Administration.
2. Select the servers you want to stop in the Server Status frame.
NOTE: Server commands will only be executed on servers selected in the Server Status frame.
3. Click Stop.
A message prompt enables you to confirm whether you wish to stop the server. If the server cannot be stopped, the administrator is notified of the problem in the message frame.
From the Command Line
To stop radiusd, enter the following command at the HP-UX prompt:
# kill -9 `cat /var/opt/aaa/run/radiusd.pid|awk '{print$1}'`
To restart radiusd, enter the following command at the prompt:
# kill -9 `cat /var/opt/aaa/run/radiusd.pid|awk '{print$1}'`; /opt/aaa/bin/radiusd
SIGKILL cannot be caught, so radiusd gets no chance to clean up before it exits. Prefer the Admin Tool (/opt/aaa/bin/rad_admin.sh stop all, as used in the radiusd.rc script) or the Server Manager Stop button, and fall back to kill -9 only if the daemon does not exit.
Adding an HP-UX AAA Server to Your Network
Multiple servers can be configured and run using the AAA Server Manager graphic interface. You must establish at least one connection before you begin configuration. Only one connection can be local to the Server Manager program.
You can install a server on any machine that meets the system requirements and that can establish a UDP connection to the machine hosting the Server Manager.
To add an HP-UX AAA Server to your network, complete the following steps:
1. From the navigation tree, click the Server Connections link and then click the Connect to Server link.
2. On the Create New Server Connection screen that appears, enter values as shown in Table 4-3.
Table 4-3 New Server Connection Screen Fields
Value to EnterField
An identifying string for a server running the AAA softwareName
82 Enabling the HP-UX AAA Server for GUI-based Administration
Table 4-3 New Server Connection Screen Fields (continued)
Value to EnterField
Full DNS name or IP address (traditional IPv4 or IPv6 address) ofan HP-UX AAA server
Domain or IP Address
Examples: IPv4 address- 192.0.2.0IPv6 address- fedc:ba98:7654:3210Domain name- example.org
3. Click Create.If the client program successfully connects to the server, the name you specifiedmust appear in the Status Frame displayed in the lower left corner of the programsinterface.
Part II Configuring the HP-UX AAA Server Manager Using the Server Manager GUI
This part of the HP-UX AAA Server Administrator’s Guide contains the following chapters:
• Chapter 5: “The HP-UX AAA Server Manager Interface” (page 88)
• Chapter 6: “Managing HP-UX AAA Servers” (page 90)
• Chapter 7: “Configuring RADIUS Clients Using the Access Devices Screen” (page 100)
• Chapter 8: “Configuring Realms” (page 105)
• Chapter 9: “Configuring Proxies” (page 117)
• Chapter 10: “Configuring Users” (page 127)
• Chapter 11: “Modifying Server Properties” (page 133)
• Chapter 12: “Logging and Monitoring” (page 142)
Table of Contents
5 The HP-UX AAA Server Manager Interface ... 88
    Commonly Used Icons in the GUI ... 89
6 Managing HP-UX AAA Servers ... 90
    Using the Server Connections Screen ... 90
    Adding a New Server Connection ... 91
    Modifying Connection Attributes ... 92
    Deleting a Server Connection ... 93
    Managing Multiple Servers ... 93
    Loading and Saving Your Configuration ... 94
        Loading and Saving Your Configuration Using RMI Server ... 95
        Enhancing Loading and Saving Performance Using Secure Copy Protocol ... 96
        Setting up Key-Based Authentication ... 97
            Creating a Public-Private key set with ssh-keygen ... 97
            Sharing the Public key with Remote Hosts ... 98
        Verifying Key-Based Authentication ... 99
7 Configuring RADIUS Clients Using the Access Devices Screen ... 100
    Navigating the Access Devices Screen ... 100
    Adding a RADIUS Client ... 100
    Modifying a RADIUS Client’s Properties ... 103
    Deleting a RADIUS Client ... 104
8 Configuring Realms ... 105
    Using the Local Realms Screen ... 105
    Adding a Realm ... 105
    Modifying Realms ... 108
    Special Entries ... 109
    Deleting a Realm ... 110
    Configuring Realms for Authentication using an External Server ... 111
        Configuring Realms for Database Access via SQL ... 111
        Configuring Realms for LDAP ... 112
            Modifying a Directory Configuration ... 115
            Deleting a Directory Configuration ... 115
            Tuning the AAA Server to LDAP Server Connection ... 116
9 Configuring Proxies ... 117
    Navigating the Proxy Screen ... 117
    Changing the Default localhost Proxy Settings ... 118
    Creating or Modifying a Proxy ... 118
        Forwarding Authentication and Dynamic Authorization Requests From a Proxy Server ... 121
        Forwarding Authentication Requests to a Remote Server ... 122
    Changing RADIUS Port Numbers ... 123
        Forwarding Requests to Alternate RADIUS Ports ... 123
    Forwarding Accounting Requests ... 124
    Proxying Authentication and Accounting Messages to the Same Server ... 124
    Proxying Accounting Requests to a Central Server ... 125
    Deleting a Proxy ... 125
10 Configuring Users ... 127
    Navigating the Users Screen ... 127
    Changing the Default test_user Settings ... 127
    Adding a User Profile ... 128
        Tabs on the Add Users Screen ... 130
            Specifying Attributes Using the Free Attributes Pane ... 130
    Modifying User Profiles ... 131
    Deleting a User Profile ... 131
        To Delete a User Profile From the Default users File ... 132
        To Delete a User Profile in a Local Realms File ... 132
11 Modifying Server Properties ... 133
    Navigating the Server Properties Screen ... 133
    DHCP Relay Properties ... 133
    DNS Updates Properties ... 134
    Message Handling Properties ... 135
    SNMP Properties ... 136
        Enable SNMP Support ... 136
    Tunneling Properties ... 136
        Tunneling Reply Items (Optional) ... 137
    Certificate Properties ... 137
    File Size Properties ... 138
        Maximum Logfile Size ... 138
    Miscellaneous Properties ... 138
        Permit Microsoft Client Authenticate As Computer ... 138
    Local Users File Properties ... 139
    ProLDAP Properties ... 139
    AAA Server As A Client Properties ... 140
    Client Action Properties ... 140
12 Logging and Monitoring ... 142
    Overview ... 142
    Server Log Files ... 142
        Using Server Manager to Retrieve Logfile Information ... 142
            Search Parameters ... 143
            Message Types ... 144
        Using Server Manager to Retrieve Statistics ... 144
    Accounting Log Files ... 145
        Using Server Manager to Retrieve Accounting Logfiles ... 146
        Format of Accounting Records in the Default Merit Style ... 147
            Time-Based Values ... 147
            Client A-V Pairs ... 148
            User Entry A-V Pairs ... 148
            Session Tracking ... 148
        Writing Livingston CDR Accounting Records ... 149
            Livingston CDR Session Record Format ... 150
        Changing the Accounting Log Filename ... 150
        Changing the Accounting Log Rollover Interval ... 151
        Rolling Over the Log File and Accounting Stream and Setting the Log Level ... 151
5 The HP-UX AAA Server Manager Interface
HP-UX AAA Server Manager (Server Manager) is a browser-based application. It uses the HP-UX Tomcat-based Servlet Engine to provide a configuration interface between a web browser and one or more AAA servers. The Server Manager is used to start, stop, configure, and modify the servers. In addition, Server Manager can retrieve information about logged server sessions and accounting information for an administrator.
Figure 5-1 shows the various parts of the Server Manager interface. The Server Manager user interface consists of the following three sections:
• The navigation tree: Click links in the navigation tree to open the corresponding section in the Main Screen.
• The Main Screen: Configure the HP-UX AAA Server on this screen.
• HP-UX AAA Server Status Frame: View the status of your servers on this screen.
NOTE: The Default (Server Connections) group, including a server called localhost, is present by default. This group is compatible with the Server Connections present in releases earlier than HP-UX AAA Server A.08.01. All Server Connections managed by the HP-UX AAA Server Manager in the earlier versions of HP-UX AAA Server are moved to the Default (Server Connections) group during migration.
Figure 5-1 The HP-UX AAA Server Manager User Interface
Commonly Used Icons in the GUI
• Click to add new servers, realms, or users.
• Click to delete the corresponding entry.
• Click to display a context-sensitive Help screen.
• Click to edit the corresponding entry.
• Indicates that the configuration file cannot be modified using the Server Manager. Edit the configuration file manually using a command line editor.
6 Managing HP-UX AAA Servers
Your server configuration can be synchronized and controlled across one or more server installations. These server installations can be on the same machine as the Server Manager program, or on different machines. Server Manager identifies each AAA installation as a server connection and maps a hostname to the IP address (both traditional IPv4 and IPv6 address formats are supported) or DNS name of a remote machine where an AAA server is installed.
Starting with the HP-UX AAA Server A.08.00 release, HP-UX AAA Server Manager supports administering multiple HP-UX AAA Servers on the same host for scalability. HP-UX AAA Servers can also be distributed on different hosts for high availability. For more information, see Chapter 18 (page 273).

NOTE: Before defining a connection, ensure that the HP-UX Tomcat-based Servlet Engine is running on the machine.

You cannot configure servers until a server connection is established. All configuration modifications are saved locally and are not associated with any server. A connection named localhost is configured as a server connection by default during installation.
This section addresses the following topics:
• “Using the Server Connections Screen” (page 90)
• “Adding a New Server Connection” (page 91)
• “Modifying Connection Attributes” (page 92)
• “Deleting a Server Connection” (page 93)
• “Managing Multiple Servers” (page 93)
• “Loading and Saving Your Configuration” (page 94)

Using the Server Connections Screen
The Server Connections screen shown in Figure 6-1 allows you to add a new server or group, and modify or delete an existing server or group.
Figure 6-1 Server Manager’s Connected Server Screen
Adding a New Server Connection
To add a new server connection, complete the following steps:
1. Click the add icon to display the Add Connection screen. The Add Connection screen appears as shown in Figure 6-2.
Figure 6-2 The Add Connection Screen
2. In the Connection Attributes form, enter your connection attributes according to the format shown in Table 6-1.

Table 6-1 Fields in the Connection Attributes Form

Field Name: Name
Attributes: The identifying string of a remote server.

Field Name: Domain Name or IP Address
Attributes: The client IP address or DNS name. Both traditional IP (IPv4) and IPv6 address formats are supported. The HP-UX AAA server can resolve DNS name entries to both IPv4 and IPv6 addresses. Enter an IPv4 address in dotted-quad notation. Enter an IPv6 address in IPv6 literal format notation. For example: IPv4 address 192.0.2.0; IPv6 address fedc:ba98:7654:3210.
3. Click Create to create the server connection. Click Cancel to return to the Managed Servers screen without creating a new server connection.

IMPORTANT: When adding a connection to a new remote server, you must start the RMI objects on that host to allow Server Manager to administer the server. Before starting and stopping the RMI server, the JAVA_HOME environment variable must be set to the appropriate path. For example, to use Java 6, export JAVA_HOME as /opt/java6. If the JAVA_HOME environment variable is not set or is set incorrectly, the default value /opt/java1.5 is used to start and stop the RMI Server. You can start the RMI objects from the command line with the following command:
$ /opt/aaa/remotecontrol/rmistart.sh
Modifying Connection Attributes
In the Server Connections screen, select the edit icon corresponding to the server whose attributes you wish to modify. The Modify Connection screen appears as shown in Figure 6-3.
Figure 6-3 The Modify Connection Screen
The HP-UX AAA Server Properties section of the form includes a list of pathnames that cannot be modified. These pathnames must match the installation directories of the remote server.

IMPORTANT: When setting an option to a given directory, the directory must exist and be editable on the machine. You must specify the logfile directory to access session logs through the maintenance functions listed in the navigation tree menu.

Deleting a Server Connection
To delete a server connection, complete the following steps:
1. In the Server Connections screen, click the delete icon corresponding to the server connection that you want to delete. The Delete Server Connections screen appears as shown in Figure 6-4. This screen allows you to preview the properties of the server connection before you confirm deletion.
Figure 6-4 The Delete Server Connections Screen
2. Click Delete to remove the server connection. Click Cancel to return to the Server Connections screen without removing the server connection.

Managing Multiple Servers
The Server Status frame, located in the lower left corner of the Server Manager's interface, provides a list of server connections belonging to a group, as shown in Figure 6-5.
Figure 6-5 Server Manager’s Server Status Frame
When your network includes multiple HP-UX AAA Servers, click the check box that precedes each listed connection to specify whether a command applies to the corresponding server. When a server command, such as Start, is submitted, it is sent only to the checked servers. When you retrieve server logging, statistics, active sessions, or account information, only information from the checked servers is displayed. Table 6-2 lists the icons that can appear in Server Manager’s Server Status frame and describes them briefly.

Table 6-2 Icons in Server Manager’s Server Status Frame

Icon: Running
Definition: Indicates that the server is connected and running.

Icon: Stopped
Definition: Indicates that the server is connected but is not currently running.

Icon: Failure
Definition: Indicates a communication error between the Server Manager and the AAA server.
Loading and Saving Your Configuration
This section describes the following:
• “Loading and Saving Your Configuration Using RMI Server” (page 95)
• “Enhancing Loading and Saving Performance Using Secure Copy Protocol” (page 96)
• “Setting up Key-Based Authentication” (page 97)
• “Verifying Key-Based Authentication” (page 99)

Loading and Saving Your Configuration Using RMI Server
AAA configuration files consist of one or more entries. When you access these files through the Server Manager interface, the initial screen lists each existing entry and provides controls to open HTML forms. You can add or modify the AAA server’s configuration files by entering values in these forms and then submitting them to the program. The fields in the HTML forms include text boxes, drop-down lists, and other form controls. Fields with bold labels require values for a complete configuration.
Server Manager stores the changes you make to the server configuration, but does not immediately save them on a remote server. When you select the Load Configuration link from the navigation tree, the interface (shown in Figure 6-6) displays a prompt. Using this prompt, you can load the server configuration settings for editing. Information for the access device, proxies, local realms, users, and server properties in the loaded configuration replaces the existing information for all server configuration items.
Figure 6-6 Server Manager’s Load Configuration Screen
After you have made changes to the server configuration items, you can save the modified configuration on any server that has an active connection with the Server Manager program. When you click Save Configuration, the Server Manager interface displays a prompt (shown in Figure 6-7). Using this prompt, you can select the servers on which the settings must be saved.

CAUTION: Clicking Save saves the entire server configuration settings (access device, proxies, local realms, users, and server properties) on the specified servers.
Figure 6-7 Server Manager’s Save Configuration Screen
NOTE: If you do not wish to save changes that have been made, you can revert to the previous settings by loading the original configuration.

A running server does not recognize configuration modifications. After the changes have been saved on a server, you have to restart the server.

NOTE: More than one administrator cannot edit the same functional area (access device, proxies, local realms, users, server properties) of a server configuration at the same time. After you access the configuration screens for a functional area, the Server Manager does not allow others to access that functional area until you have moved to a different item.

NOTE: Selecting Save Server Attributes Only saves the group and server attributes on the host running Tomcat (HP-UX AAA Server Manager) to the host running HP-UX AAA Servers. However, the configuration files of the individual HP-UX AAA Servers are not saved.

Enhancing Loading and Saving Performance Using Secure Copy Protocol
You can load and save configuration files using the RMI Server or the Secure Copy Protocol (SCP). SCP reduces the time required to load and save configuration files. To use SCP when saving or loading the configuration, you must enable key-based authentication, which does not require a password, between the user account configured to start Tomcat (HP-UX AAA Server Manager) on the local host and the user account configured to start the RMI Server on the remote host. The user account configured to start the RMI Server on the remote host is aaa by default; the rmiserver.aaa.user property in the rmiserver.properties file can be modified to change the default aaa value.
NOTE: If you do not choose to use SCP, RMI Server is used by default.
Setting up Key-Based Authentication
This section describes how to set up key-based authentication between the user account configured to start Tomcat (HP-UX AAA Server Manager) on the local host and the user account configured to start the RMI Server on the remote host.
Setting up key-based authentication involves creating a public-private RSA key pair with ssh-keygen and sharing the public key with the user account configured to start the RMI Server on the remote host.
This section describes the following procedures:
• “Creating a Public-Private key set with ssh-keygen” (page 97)
• “Sharing the Public key with Remote Hosts” (page 98)

Creating a Public-Private key set with ssh-keygen
To create a public-private key set with ssh-keygen on the local host, complete the following steps:
1. Log in using the name used to start Tomcat.
2. To create the ssh directory, enter the following command at the HP-UX prompt:
# mkdir ~/.ssh
3. Change the permissions of the directory as follows:
# chmod 700 ~/.ssh
4. Change to the ssh directory as follows:
# cd ~/.ssh
5. To create the SSH key pair, complete the following steps:
   1. Enter the following command at the HP-UX prompt:
   # ssh-keygen -t rsa
   The SSH key pair is created.
   2. Enter the file in which you want to save the key. Press Enter to select the default path (<your_local_home>/.ssh/id_rsa).
   3. Enter the passphrase. If you do not want a passphrase, press Enter.
The identification is saved in <your_local_home>/.ssh/id_rsa if the default path is selected. The public key is saved in <your_local_home>/.ssh/id_rsa.pub if the default path is selected.
Sharing the Public key with Remote Hosts
To share the public key with the user account configured to start the RMI Server on the remote host from the local host where the HP-UX Server Manager GUI is running, complete the following steps:
1. To transfer the public key to the remote system, enter the following command at the HP-UX prompt:
# scp <public key path> <user>@<remoteserver>:/<desired path>

NOTE: Replace public key path with the file path where the public key is saved. Replace user with the name of the user who starts the RMI server on the corresponding host. Replace remoteserver with the name of the remote server where the RMI server is running. Replace desired path with the path on the remote server where you want to copy the public key.

2. To log in to the remote system, enter the following command at the HP-UX prompt:
# ssh <user>@<remoteserver>
3. Create a new directory as follows:
# mkdir .ssh
4. Change the permissions of the directory as follows:
# chmod 700 .ssh
5. To append the public key to the authorized_keys file, enter the following command at the HP-UX prompt:
# cat <desired path>/<public key file> >> .ssh/authorized_keys
6. Change the permissions of the file as follows:
# chmod 644 .ssh/authorized_keys
7. Log out of the system.

NOTE: You must repeat this procedure for all the user accounts on all the remote RMI servers with which you want to share the public key.

Verifying Key-Based Authentication
To verify key-based authentication, log in to the remote system from the local host where the HP-UX Server Manager GUI is running, as follows:
# ssh <user>@<remoteserver>
If a password is not required to log in, key-based authentication is configured successfully.
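Steps 3 to 6 of the sharing procedure and the verification above can be scripted so that they are safe to rerun on every RMI host. The following shell functions, added here as an example and not part of the HP-UX AAA Server guide or product, install a public key into the RMI Server user's authorized_keys with the permissions the procedure uses, skip a key that is already present, refuse anything that is not a single OpenSSH public-key line, and verify the login in batch mode so that a password prompt counts as failure; the home directory is an argument, so on the remote host the RMI user runs aaa_install_pubkey "$HOME" <desired path>/<public key file>, and the key line used to exercise the functions is constructed.

```shell
#!/bin/sh
# Added example (not from the HP-UX AAA Server guide): install a public key for
# the user account that starts the RMI Server, repeatably, and verify the
# resulting key-based login. Home directory and key file are arguments, so the
# same functions run on the remote host ("$HOME") or on a scratch directory.

# Return 0 if keyfile holds exactly one OpenSSH public-key line. A private key
# (id_rsa) or a stray file copied by mistake is rejected here rather than
# ending up appended to authorized_keys.
aaa_pubkey_ok() {
    keyfile=$1
    [ -r "$keyfile" ] || return 1
    [ "$(wc -l < "$keyfile")" -le 1 ] || return 1   # one line (newline optional)
    case "$(cat "$keyfile")" in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*) return 0 ;;
        *) return 1 ;;
    esac
}

# Append the key to $home/.ssh/authorized_keys unless that exact line is
# already there, with the permissions used in steps 4 and 6 of the procedure
# (700 on .ssh, 644 on authorized_keys). Prints "added" or "present".
aaa_install_pubkey() {
    home=$1
    keyfile=$2
    aaa_pubkey_ok "$keyfile" || {
        echo "not a single OpenSSH public key: $keyfile" >&2
        return 2
    }
    sshdir="$home/.ssh"
    auth="$sshdir/authorized_keys"
    mkdir -p "$sshdir" && chmod 700 "$sshdir" || return 1
    key=$(cat "$keyfile")
    if [ -f "$auth" ] && grep -qxF -- "$key" "$auth"; then
        echo present
    else
        printf '%s\n' "$key" >> "$auth" || return 1
        echo added
    fi
    chmod 644 "$auth"
}

# Number of non-blank lines in authorized_keys: each one is a key that can log
# in as this account, so the count is what to review after installing keys.
aaa_authorized_key_count() {
    auth="$1/.ssh/authorized_keys"
    if [ -f "$auth" ]; then
        grep -c -v '^[[:space:]]*$' "$auth" || true
    else
        echo 0
    fi
}

# The check from "Verifying Key-Based Authentication", made non-interactive:
# BatchMode never prompts, so if the key is not accepted the command fails
# instead of silently falling back to a password.
aaa_verify_keyauth() {
    user=$1
    host=$2
    ssh -o BatchMode=yes -o PasswordAuthentication=no "$user@$host" true
}
```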
7 Configuring RADIUS Clients Using the Access Devices Screen
The server configuration must include all the clients (NASs, access points, and other network devices) that can communicate with the HP-UX AAA Server. If an access device is not included in the configuration, the server does not handle requests from, or send requests to, the client. The Access Devices screen allows you to add a new client, and modify or delete an existing client in the server configuration.

Navigating the Access Devices Screen
The Access Devices screen shown in Figure 7-1 allows you to configure a new RADIUS client, or modify or delete an existing RADIUS client.

Figure 7-1 Server Manager’s Access Device Screen

Adding a RADIUS Client
To add a RADIUS client through the Access Devices screen, complete the following steps:
1. In the Access Devices screen, click the add icon corresponding to the New Access Device list. The Add Access Device Screen appears as shown in Figure 7-2.
Figure 7-2 Server Manager’s Access Device Attributes Screen
2. In the Access Device Attributes form, enter information according to Table 7-1.
Table 7-1 Add Access Device Configuration Form Options

Option: Name
Function: Enter the network location of the network device. This may be an IPv4 address (in dotted-quad notation), an IPv6 address (in colon-separated notation), or a valid DNS host name. When specifying Name as a DNS host name, you must use the name returned by the hostname command.
Notes:
• Ensure that your DNS is configured correctly (with both forward and reverse entries) for your AAA server. The AAA server determines the name of the machine that it is running on. If this name does not match your local DNS server's database, you cannot configure the access device correctly.
• You can use wildcards to provide access for all traditional IP (IPv4) clients in a particular subnet. Examples of valid IPv4 wildcard patterns are:
  *
  192.*
  192.0.*
  192.0.2.*
• You can use wildcards to provide access for all IPv6 clients in a particular subnet. The allowed IPv6 wildcard patterns are constructed by appending an ‘*’ to a partial IPv6 address or by specifying a single ‘*’. Examples of valid IPv6 wildcard patterns are:
  *
  fedc:ba98:7654:3210:fe*
  fedc:ba98:7654:3210*
  The special IPv6 syntax of compressing zeroes using "::" is not allowed in IPv6 wildcard patterns. For example, ‘fedc::ba98:fe*’ is not allowed.

Option: Shared Secret
Function: Enter the shared secret, or the encryption key, between the client and the server. The shared secret must be less than 255 characters. A request from a client for which the server does not have a shared secret is silently discarded.

Option: Confirm Shared Secret
Function: Confirm the secret by typing it again.

Option: Dynamic Authorization Relay Port
Function: Enter the UDP port number of the dynamic authorization server to which the HP-UX AAA Server must send the dynamic authorization requests. The default value is 3799.

Option: Retry Count
Function: Enter the number of client retry requests the HP-UX AAA Server must send to perform a client function, such as Disconnect or Change of Authorization. The default value is 2.

Option: Retry Interval
Function: Specifies the time interval between two successive client requests. The HP-UX AAA Server sends a client retry request at the end of the specified retry interval if the initial request does not receive a response from the respective server. The default value is 3.

Option: Vendor
Function: Enter the vendor-specific attributes that must be returned to the access device in a reply. In most applications, you can select the hardware vendor of the device, or Generic if the device is not listed. You can make multiple selections by holding down the control key as you select vendor names. The server prunes vendor-specific attributes for a given vendor if that vendor’s name is not properly defined in the vendors file and its attributes are not properly defined in the dictionary file.
NOTE: The Generic vendor prunes all vendor-specific attributes before a message is returned to a NAS. This attribute can be used to help prevent problems that occur if an unencapsulated vendor attribute is not correctly mapped in the vendors file.
IMPORTANT: To define a wireless access point using the MS-CHAP protocol, you must select Microsoft as one of the vendor selections.

Option: Options
Function: Select any of the check boxes to specify additional message-handling options. The options are:
RAD_RFC: Verifies that the Access-Request conforms with the RADIUS RFC. Nonconforming messages are dropped.
ACCT_RFC: Verifies that the Accounting-Request conforms with the Accounting RFC. Nonconforming messages are dropped.
Debug: Dumps packets into the server’s debug output file.
No Check: Helps enhance server performance. When this option is checked, the HP-UX AAA Server does not check all attributes to determine if the request is a duplicate. Check this option if you know that the client sends standard messages that can easily be detected as duplicates.
No Encaps: Does not encapsulate the vendor response (if the client requires unencapsulated A-V pairs).
Old Chap: For clients that perform pre-RFC CHAP.
NOTE: Dynamic Authorization Relay Port, Retry Count, and Retry Interval are used only if the HP-UX AAA Server is configured to perform client functions (for example, sending Disconnect or Change of Authorization requests).
3. Click Create to submit the new RADIUS client to the Server Manager. Click Cancel to return to the Access Devices screen without making any changes to your server configuration.
Modifying a RADIUS Client's Properties
To modify the properties of an existing RADIUS client, complete the following steps:
1. In the Access Devices screen, click the icon corresponding to the client whose properties you want to edit. The Modify Access Device screen appears, similar to the one shown in Figure 7-2.
2. Edit the fields in the Access Device Attributes form. See Table 7-1 for moreinformation on how to fill the form.
3. Click Modify to save changes. Click Cancel to return to the Access Devices screen without saving any changes.
Deleting a RADIUS Client
To delete a RADIUS client, complete the following steps:
1. In the Access Devices screen, click the icon corresponding to the RADIUS client you want to delete. The Delete Access Device screen appears as shown in Figure 7-3. This screen allows you to preview the access device entry before you confirm deletion.
Figure 7-3 The Delete Access Device Screen
2. Click Delete to delete the RADIUS client. Click Cancel to return to the Access Devices screen without deleting the RADIUS client.
8 Configuring Realms
A realm is a group of users who share a common characteristic, such as being customers of the same Internet Service Provider (ISP). All users of a given realm are handled in the same way: either proxied to a remote server or locally authenticated using a specified method, according to the authentication type assigned to the realm.
Using the Local Realms Screen
The Local Realms screen (shown in Figure 8-1) allows you to configure realms for the HP-UX AAA RADIUS server by adding a new realm, or by modifying or deleting an existing realm, in the server's authfile.
Figure 8-1 Server Manager’s Local Realms Screen
Adding a Realm
To add a realm entry, complete the following steps:
1. From the navigation tree, click Local Realms.
The Local Realms screen appears as shown in Figure 8-1.
2. To add a new realm, click the icon. The Add Local Realm screen appears as shown in Figure 8-2.
Figure 8-2 Server Manager’s Local Realm Attributes Screen
3. Complete the form on the Local Realm Attributes screen according to the information given in Table 8-1.
Table 8-1 Fields in the Local Realm Attributes Form
Option: Function
Name: Name of the realm that must be mapped. This name does not have to be a DNS host name. However, HP recommends that the realm name match a domain name. The user will then be able to recognize the user@realm syntax, which resembles their email address.
Table 8-1 Fields in the Local Realm Attributes Form (continued)
Option: Function
User Authentication: Identifies the authentication method used for the realm:
• Enable EAP: Select this option if user authentication by an EAP challenge is required. Select one or more EAP types. At least one authentication method must be selected. For PEAP (EAP-GTC), you must configure the NULL realm. The PEAP version '0' only check box is displayed if you select PEAP(EAP-GTC), PEAP(EAP-MSCHAP), or PEAP(EAP-MD5). Select this check box if your supplicant uses the PEAP version 0 protocol.
• Enable RADIUS Standard: Default. Select this option if user authentication via password checking is required.
If both Enable EAP and Enable RADIUS Standard are selected, authentication is carried out based on the Authentication-Type configuration attribute set in the RADIUS request.
User Profile Storage: Indicates the location from which the AAA server must retrieve user profiles:
• users: Choose this option to store user information locally in AAA Server flat files. Choosing this option allows you to administer user information with Server Manager. Server Manager can administer only user information stored locally in the AAA Server flat files.
• Database Access via SQL or LDAP Server: Choose this option if the user profile information is stored in an external database. See the individual chapters for more information.
• OS Security Database: HP-UX operating systems use a number of repositories or "databases" to store information about hosts, users, passwords, and so on. User password lookup is performed through the name-service switch configured in /etc/nsswitch.conf. See the nsswitch.conf man page for more information.
• No Store: EAP-TLS Certificates: Choose this option if you are using TLS and do not want to store user information. If you are using TLS, you are not required to store user information because the TLS certificates provide the user information needed for authentication.
• No Store: Allow All Users: Choose this option to allow all requests from a realm. Use it with care: requests that match the realm are accepted without any credential check.
• No Store: Deny All Users: Choose this option to deny all requests from a realm.
User Storage Parameters: Identifies the location, access, and policy parameters for the selected User Profile Storage.
Alias: Optional. A parenthesized list of one or more aliases, delimited by commas. Each realm alias is equivalent to the realm name. An alias is provided for user convenience or other purposes, such as to save typing when logging on to your network. Aliases are allowed on wildcard entries and are interpreted as meaning *.alias.
Table 8-1 Fields in the Local Realm Attributes Form (continued)
Option: Function
Filter ID: Optional. Allows the specification of a packet filter name to be associated with authentication through this realm name. It overrides any explicit filter name specified in a user profile.
Session Tracking: Optional. Determines whether session tracking is enabled for a realm. When you enable session tracking, accounting records are generated for the realm, and active sessions can be searched using the Session option on the navigation tree.
NOTE: The EAP-LEAP authentication method is obsolete in this release of the HP-UX AAA Server. It is replaced by the EAP-PEAP authentication method. HP recommends that you use EAP-PEAP in place of EAP-LEAP for improved security. Unlike EAP-LEAP, EAP-PEAP supports mutual authentication and uses an encrypted tunnel to transmit the user's credentials.
SecurID authentication is obsolete in this release of the HP-UX AAA Server. It can be replaced by Open AuTHentication (OATH) standards-based One-Time Password (OTP) authentication. OATH is an industry-wide collaboration to develop an open reference architecture for strong authentication. The OATH standards-based OTP authentication solution supports hardware and software tokens from multiple vendors. For more information on the OATH standards-based OTP authentication solution, see Chapter 16 (page 179).
The Oracle authentication module is obsolete in this release of the HP-UX AAA Server. Oracle authentication is supported using SQL Access. HP recommends that you set up your HP-UX AAA Server to interact with the Oracle database using the SQL Access feature. For more details on implementing SQL Access, see Chapter 22 (page 338).
4. To add the new realm, click Create to submit it to the Server Manager. To return to the Realms screen without making any changes to your server configuration, click Cancel.
Modifying Realms
To modify the properties of an existing realm, complete the following steps:
1. From the navigation tree, click Local Realms.
The Local Realms screen appears as shown in Figure 8-1.
2. Click the icon corresponding to the realm whose properties you want to modify. The Modify Local Realm screen appears, similar to the screen shown in Figure 8-2.
3. Modify the properties on the Local Realm Attributes screen according to theinformation given in Table 8-1.
4. To submit changes to the realm entry to the Server Manager, click Modify. To return to the Realms screen without making any changes to your server configuration, click Cancel.
NOTE: The icon shown next to an entry indicates that the configuration file cannot be modified using the Server Manager. Edit the file manually using a command line editor.
Special Entries
There are a few special entries that you can use while configuring realms. Table 8-2 shows the various special entries you can use.
Table 8-2 Special Entries
Special Entries: When to Use
Wildcard Entries: When specifying the primary realm for an entry, you can use a wildcard syntax such as *.realm. This syntax provides a shorthand for associating several related realms with a single authentication type. For example, a company may have several branches: eastern.company.com, western.company.com, and central.company.com. The wildcard entry for that company would define *.company.com as the realm. This notation would include all three realms. HP recommends that any such wildcard entry be listed after more specific entries. This order allows the preceding, specific entries to override the wildcard entry; a wildcard listed first would match before the specific entries and make them unreachable.
DEFAULT Realm: The DEFAULT realm acts as a matching realm entry for all realms. By default, the DEFAULT realm is configured to authenticate against the default set of users. Disable the DEFAULT realm by choosing the No Store: Deny All Users option in the User Profile Storage drop-down list.
NULL Realm: The NULL realm authenticates users that do not identify their realm when requesting access (for example, the AAA server receives an access request from user instead of user@realm). By default, the NULL realm is disabled with the No Store: Deny All Users setting.
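The realm selection rules of Table 8-2 (exact entries, *.suffix wildcards, NULL for identities without a realm, DEFAULT as the catch-all, and the first matching entry winning) can be checked with the following added example. It is not code from the HP-UX AAA Server: the realm table is modelled as an ordered list of (name, User Profile Storage) pairs, the storage names are those of Table 8-1, and the rule that a *.suffix wildcard matches any realm ending in .suffix but not the bare suffix is an assumption. The shadowed_entries check reports the ordering mistake the table warns about.

```python
"""Realm resolution for user@realm identities, following the Table 8-2 rules.

Added example, not code from the HP-UX AAA Server. The realm table is an
ordered list of (name, User Profile Storage) entries in the order they would
appear in the authfile; how the real server stores and scans entries is an
assumption, not something the page states.
"""
from typing import List, Optional, Tuple

# Storage option names as they appear in Table 8-1.
DENY_ALL = "No Store: Deny All Users"
USERS = "users"
LDAP = "LDAP"

RealmEntry = Tuple[str, str]  # (realm name or *.pattern, User Profile Storage)


def split_nai(identity: str) -> Tuple[str, Optional[str]]:
    """Split 'user@realm' into (user, realm); realm is None when absent."""
    user, sep, realm = identity.rpartition("@")
    if not sep:
        return identity, None
    return user, realm.lower()


def entry_matches(entry_name: str, realm: str) -> bool:
    """Exact names match case-insensitively. A '*.suffix' wildcard matches any
    realm ending in '.suffix' (assumption: the bare suffix is not matched)."""
    if entry_name.startswith("*."):
        return realm.endswith(entry_name[1:].lower())
    return entry_name.lower() == realm


def resolve_realm(identity: str, table: List[RealmEntry]) -> Tuple[str, str]:
    """Return (matched entry name, storage) for an identity.

    Precedence as the page describes it:
      1. no realm in the identity       -> the NULL entry
      2. first entry whose name or wildcard matches, in table order
      3. otherwise the DEFAULT entry, which matches every realm
    The first match wins, which is why a wildcard listed before a more
    specific entry silently shadows it.
    """
    _user, realm = split_nai(identity)
    lookup = dict(table)
    if realm is None:
        return "NULL", lookup.get("NULL", DENY_ALL)
    for name, storage in table:
        if name in ("NULL", "DEFAULT"):
            continue
        if entry_matches(name, realm):
            return name, storage
    return "DEFAULT", lookup.get("DEFAULT", DENY_ALL)


def shadowed_entries(table: List[RealmEntry]) -> List[Tuple[str, str]]:
    """Lint check: specific entries that can never match because an earlier
    wildcard already covers them (the ordering mistake Table 8-2 warns about)."""
    found = []
    for i, (name, _) in enumerate(table):
        if name in ("NULL", "DEFAULT") or name.startswith("*."):
            continue
        for earlier, _ in table[:i]:
            if earlier.startswith("*.") and entry_matches(earlier, name.lower()):
                found.append((name, earlier))
                break
    return found


# Constructed sample tables (not from the page). GOOD_TABLE follows HP's
# advice and lists the specific branch before the company-wide wildcard;
# BAD_TABLE lists them the other way round.
GOOD_TABLE: List[RealmEntry] = [
    ("western.company.com", USERS),
    ("*.company.com", LDAP),
    ("NULL", DENY_ALL),      # users who give no realm are refused
    ("DEFAULT", DENY_ALL),   # unknown realms are refused, not authenticated locally
]
BAD_TABLE: List[RealmEntry] = [GOOD_TABLE[1], GOOD_TABLE[0]] + GOOD_TABLE[2:]

if __name__ == "__main__":
    for identity in ("bob@western.company.com", "eve@eastern.company.com",
                     "alice", "carol@other.example"):
        print("%-26s -> %s" % (identity, resolve_realm(identity, GOOD_TABLE)))
    print("shadowed in BAD_TABLE:", shadowed_entries(BAD_TABLE))
```

Running the block shows the western branch resolved to its own entry only in GOOD_TABLE; in BAD_TABLE the wildcard catches it first and shadowed_entries names the entry that can never match. Setting DEFAULT to Deny All, as the table describes, means an unknown realm is refused rather than authenticated against the local users file.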
Deleting a Realm
Complete the following steps to delete a realm:
1. In the Local Realms screen, click the icon corresponding to the realm you want to delete. The Delete Local Realm screen appears as shown in Figure 8-3. This screen allows you to preview the realm attributes before you confirm deletion.
Figure 8-3 The Delete Local Realm Screen
2. Click Delete to delete the realm. Click Cancel to return to the Local Realms screen without deleting the realm.
Configuring Realms for Authentication using an External Server
This section discusses how to configure realms for authentication using the Database Access via SQL module and the Lightweight Directory Access Protocol (LDAP) module.
Configuring Realms for Database Access via SQL
A realm can be configured for Database Access via SQL only after setting up the HP-UX AAA Server to connect to the database and configuring the connection parameters and SQL actions in sqlaccess.config. See Chapter 22: "SQL Access" (page 338) for details on setting up the HP-UX AAA Server for SQL Access.
Perform the following steps to configure the realm for Database Access via SQL.
1. From the navigation tree, click Local Realms.
2. On the Local Realms screen, click New Local Realm to open the Local Realm Attributes screen.
3. In the Name field, enter the name of the realm for which the user profiles are stored in a database and accessed using the SQL Access feature. The name does not have to be a DNS host name. However, HP recommends that you set the realm name to correspond with the domain name. This enables the user@realm syntax to resemble the e-mail address for all the users in the domain.
4. In the User Profile Storage field, select Database Access via SQL. The user storage parameters for Database Access via SQL are displayed as shown in Figure 8-4.
Figure 8-4 User Storage Parameters for Database Access via SQL
5. In the User Storage Parameters field, select one of the following options:
• RADIUS Attribute: Specify the RADIUS attribute in the <vendorID>:<attribute> format. This RADIUS attribute must contain the SQL action used for authentication. If vendorID is not specified, 0, which corresponds to a standard RADIUS attribute, is used.
NOTE: The <vendorID> component must be a value that is defined in the vendors file, and the <attribute> component must be a value that is defined in the dictionary file.
• SQL Action Id: Select the SQL action from the drop-down list.
IMPORTANT: Ensure that the appropriate SQL action is selected from thedrop-down list. Selecting an incorrect SQL action can result in an authenticationfailure or unintentional changes to the database records.
6. Complete any remaining optional fields as necessary for your configuration.
7. Click Create. If the realm is successfully created, the Local Realms screen lists the new realm.
8. From the navigation tree, click Save Configuration. If you have multiple remote servers, you will be prompted to select and confirm the servers where the realm configuration will be applied.
Configuring Realms for LDAP
This section discusses how to configure realms for Lightweight Directory Access Protocol (LDAP). These realms can be configured only after setting up the LDAP server. See Chapter 21: "LDAP Authentication" (page 335) for information on setting up an LDAP server.
To configure each realm using LDAP, you must specify the directory server, search base, and other parameters necessary to find profiles for the users in the realm.
Complete the following steps to configure realms for LDAP:
1. From the navigation tree, click Local Realms.
2. On the Local Realms screen, click New Local Realm to open the Local Realm Attributes screen.
3. In the Name field, enter the name of the realm to map to the defined LDAP location. This name does not have to be a DNS host name. However, HP recommends that the realm name correspond with the domain name. This way, the user recognizes the user@realm syntax, which resembles their e-mail address.
4. In the User Authentication field, select the authentication methods to authenticate users for the realm. If you are using TTLS-PAP, TTLS-MSCHAP, or TTLS-CHAP, select Enable RADIUS Standard. For all other methods, select Enable EAP and choose at least one EAP method from the drop-down list.
5. In the User Profile Storage field, select LDAP.The user storage parameters for LDAP appear when you select LDAP from theUser Profile Storage drop-down list. These parameters identify a section of thedirectory tree on one or more LDAP servers where the HP-UX AAA software willattempt to retrieve user profiles.
6. In the User Storage Parameters field, select New LDAP Directory or the name of an existing LDAP Directory.
7. In the LDAP screen that appears, configure the LDAP directory using theinformation described in Table 8-3.
Table 8-3 Values for Configuring Realms for LDAP
Value: Description
Directory Name: Start of a directory configuration. Give a name to the directory, which can be an arbitrary string. If the name contains spaces or tabs, the string must be enclosed in single or double quotes.
Table 8-3 Values for Configuring Realms for LDAP (continued)
Value: Description
Host: Name of the host on which the LDAP directory server runs. The value must be a fully qualified DNS name, although an IP address also works. Both traditional IP (IPv4) and IPv6 address formats are supported. The HP-UX AAA Server can resolve DNS name format entries to IPv4 and IPv6 addresses. Enter an IPv4 address in dotted-quad notation. Enter an IPv6 address in IPv6 literal format notation. For example:
IPv4 address: 192.0.2.0
IPv6 address: fedc:ba98:7654:3210
Port (Optional): Port number on which the directory server is running. The default value is 389.
Use SSL: Enables or disables SSL connections between the HP-UX AAA Server and the LDAP directory. If you are enabling SSL, you must specify the server's CA certificate path or fully qualified file name in the Server Properties -> ProLDAP Properties window. Without SSL, the Administrator password and, in BIND mode, each user's password travel to the directory in clear text, so enable SSL whenever the directory is not on the same host as the AAA server.
Administrator: Special user ID used when an authenticated search is allowed on the LDAP directory server. This administrator does not need to be a real administrator of the LDAP directory server, but must have read access to all the users (and their passwords). It is intended to be authenticated by the AAA server. Because this account can read every user's password attribute, protect its credentials as you would any privileged account and do not reuse them elsewhere.
Password: Password for Administrator to bind (authenticate) itself to the LDAP directory server.
Search Base: Pointer into the directory where the search for users in a realm starts. Specifying a search base improves server performance by limiting the scope of search operations on user information for a particular realm. A search base contains a list of A-V pairs that trace a path from a location in the directory's schema to the top of the directory. For example, a search base of o=hp, c=US represents a search for one of the users on the following tree:
    c=US
      |
    o=hp
      |
      +-- uid=Joe
      +-- uid=Bob
      +-- uid=Dawn
      +-- uid=Maria
The A-V pairs used depend on the schema of your particular directory server.
NOTE: It is more efficient to start your search lower in the directory structure rather than higher. HP recommends that you eliminate spaces between Search Base components (for example, instead of ou=abc,o=cde, c=us, use ou=abc,o=cde,c=us).
Table 8-3 Values for Configuring Realms for LDAP (continued)
Value: Description
Filter: The Filter flag allows authentication to be based either on the LDAP uid attribute, which normally has the CIS (case-ignore string) syntax, or on the AAA Server User-Id attribute, which normally has the BIN (binary) syntax. User-Id is an AAA Server-specific RADIUS attribute. This optional flag defaults to uid.
IMPORTANT: With multiple LDAP directory servers, the Filter used for lookups must be consistent across all directories specified for a particular realm. Potential filters are uid, User-Id, or some other key that uniquely identifies a subject to be authenticated on the system. Currently, the LDAP module does not enforce the use of consistent filters, but using inconsistent filters may produce unpredictable authentication failures.
Authentication Type:
• AUTO performs a search as the configured Administrator (or anonymously if no administrator is configured), anticipating that the password is in the result. It binds as the user if the password is not available. This mode makes the AAA server flexible in accommodating LDAP directories. If directories are configured to return passwords with the search, AUTO is equivalent to SEARCH.
• BIND binds as the user for authentication.
• SEARCH performs a search as the configured Administrator and expects the user's password in the search result.
8. In the LDAP screen, click Save.
9. Repeat steps 6 through 8 for each redundant directory you wish to use for failover.
10. Complete any remaining optional fields as necessary for your configuration.
11. Click Create.
12. From the navigation tree, click Save Configuration. If you have multiple remote servers, you will be prompted to select and confirm which servers you wish to add the entry to.
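The following added example ties together the Table 8-3 values used in the procedure above: the Filter flag (uid or User-Id) becomes an LDAP search filter with the user name escaped per RFC 4515, the Search Base is normalized as the table's NOTE recommends, and the AUTO, BIND, and SEARCH authentication types are applied in turn. It is not HP-UX AAA Server code. The directory is an in-memory stand-in filled with constructed entries so the block runs offline; in BIND mode it is assumed that the user's DN is located by a search before binding as that user. The escaping matters because the user name comes straight from the RADIUS request: an unescaped "*" or ")(uid=*" would otherwise change the meaning of the filter.

```python
"""LDAP realm lookup as Table 8-3 describes it: build the user filter from the
configured Filter attribute, normalize the Search Base, and apply the AUTO,
BIND, and SEARCH authentication types.

Added example, not HP-UX AAA Server code. FakeDirectory is a constructed
stand-in for an LDAP server so the block runs offline. Assumption: in BIND
mode the user's DN is found by a search before binding as that user.
"""
import hmac
import re
from typing import Dict, List, Optional

ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping, so a user name such as '*' or 'x)(uid=*' cannot
    widen the search (LDAP filter injection)."""
    return "".join(ESCAPES.get(ch, ch) for ch in value)


def unescape_filter_value(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def build_user_filter(user: str, filter_attr: str = "uid") -> str:
    """Filter flag from Table 8-3: uid (the default) or the AAA Server User-Id."""
    if filter_attr not in ("uid", "User-Id"):
        raise ValueError("Filter must be uid or User-Id")
    return "(%s=%s)" % (filter_attr, escape_filter_value(user))


def normalize_search_base(base: str) -> str:
    """Drop the spaces between Search Base components, as the NOTE in Table 8-3
    recommends (assumes no RDN value itself contains a comma)."""
    return ",".join(part.strip() for part in base.split(","))


class FakeDirectory:
    """Constructed stand-in for an LDAP server: entries keyed by DN.
    exposes_passwords models whether the directory returns userPassword in the
    Administrator's search result, which decides whether AUTO behaves as
    SEARCH or falls back to BIND."""

    def __init__(self, entries: Dict[str, Dict[str, str]], exposes_passwords: bool):
        self.entries = entries
        self.exposes_passwords = exposes_passwords
        self.binds: List[str] = []  # who bound, in order (inspected by the tests)

    def bind(self, dn: Optional[str], password: Optional[str]) -> bool:
        if dn is None:  # no Administrator configured: anonymous bind
            self.binds.append("anonymous")
            return True
        self.binds.append(dn)
        entry = self.entries.get(dn)
        return entry is not None and entry.get("userPassword") == password

    def search(self, base: str, flt: str) -> List[Dict[str, str]]:
        """Exact (attr=value) match under base. The value is unescaped first,
        so an escaped '*' is looked up literally, not as a wildcard."""
        attr, _, value = flt.strip("()").partition("=")
        value = unescape_filter_value(value)
        hits = []
        for dn, attrs in self.entries.items():
            if dn.endswith(base) and attrs.get(attr) == value:
                hit = dict(attrs, dn=dn)
                if not self.exposes_passwords:
                    hit.pop("userPassword", None)
                hits.append(hit)
        return hits


def authenticate(directory: FakeDirectory, user: str, password: str, cfg: dict) -> bool:
    """cfg holds the Table 8-3 values: search_base, filter, admin_dn,
    admin_password and auth_type (AUTO, BIND or SEARCH)."""
    if not password:
        return False
    base = normalize_search_base(cfg["search_base"])
    flt = build_user_filter(user, cfg.get("filter", "uid"))
    if not directory.bind(cfg.get("admin_dn"), cfg.get("admin_password")):
        return False  # Administrator credentials rejected by the directory
    hits = directory.search(base, flt)
    if len(hits) != 1:  # unknown or ambiguous user: fail closed
        return False
    entry, mode = hits[0], cfg["auth_type"]
    if mode == "SEARCH" or (mode == "AUTO" and "userPassword" in entry):
        stored = entry.get("userPassword")
        return stored is not None and hmac.compare_digest(stored.encode(), password.encode())
    if mode in ("BIND", "AUTO"):
        return directory.bind(entry["dn"], password)  # AUTO fell back to BIND
    raise ValueError("unknown Authentication Type %r" % mode)


# Constructed sample directory and realm settings (not from the page).
ENTRIES = {
    "uid=admin,ou=people,o=hp,c=us": {"uid": "admin", "userPassword": "adm-pw"},
    "uid=joe,ou=people,o=hp,c=us": {"uid": "joe", "User-Id": "joe", "userPassword": "s3cret"},
    "uid=bob,ou=people,o=hp,c=us": {"uid": "bob", "userPassword": "hunter2"},
}
CONFIG = {
    "search_base": "ou=people, o=hp, c=us",  # spaces removed by normalize_search_base
    "filter": "uid",
    "admin_dn": "uid=admin,ou=people,o=hp,c=us",
    "admin_password": "adm-pw",
    "auth_type": "AUTO",
}

if __name__ == "__main__":
    for exposes in (True, False):
        d = FakeDirectory(ENTRIES, exposes_passwords=exposes)
        ok = authenticate(d, "joe", "s3cret", CONFIG)
        print("passwords exposed=%s: joe ok=%s, binds=%s" % (exposes, ok, d.binds))
    print("injection attempt:", authenticate(FakeDirectory(ENTRIES, True), "*", "x", CONFIG))
```

With passwords exposed to the Administrator search, AUTO never binds as the user (it is SEARCH); when the directory withholds userPassword, AUTO binds as the user instead, and SEARCH simply fails. The "*" attempt fails because the escaped value is matched literally, which is the behaviour a real directory gives a correctly escaped filter.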
Modifying a Directory Configuration
Complete the following steps to modify a directory configuration:
1. On the Local Realms screen, select the name of the directory definition you wish to modify.
2. Change the values if needed.
3. Click Modify.
Deleting a Directory Configuration
Complete the following steps to delete a directory configuration:
1. On the Local Realms screen, select the name of the directory definition you wishto delete.
2. Click Delete.
Tuning the AAA Server to LDAP Server Connection
The AAA server to LDAP server connection can be modified by adding the following entry to /etc/opt/aaa/aaa.config and then stopping and starting the server:
    aatv.ProLDAP {
        Retry-Interval 60
        Retry-Wait 1
        Timeout 60
        TCP-Timeout 3
        Debug 0
    }
• Retry-Interval sets the number of seconds for the AAA server to wait before trying to reconnect to an LDAP directory server when a realm has failover directory servers configured. The default value is 60 seconds.
• Retry-Wait sets the number of seconds that the AAA server will wait beforeattempting to connect to the same failover LDAP server. When all failover directoryservers configured for a realm are down, the AAA server will try to reconnect toone every time an access request is received. In that situation, this parameterguarantees that the software does not spend too much time in trying to reconnectthose directory servers. Default value is 1 second.
• Timeout sets the number of seconds that an LDAP connection will remain open when the AAA server has not been able to perform any successful LDAP operation on it. This parameter allows better handling of the situation where the LDAP directory times out client connections.
• TCP-Timeout sets the number of seconds that the AAA server will wait for anLDAP server when trying to establish the Transmission Control Protocol (TCP)connection.
• Debug determines whether OpenLDAP debug messages should be written to theAAA server radius.debug file. A value of 0 disables writing these messages; avalue of -1 enables writing these messages. The syntax of this property follows ablock syntax that is different from the other aaa.config variables.
9 Configuring Proxies
A AAA proxy is an entity that acts as both a client and a server. When a request is received from a client, the proxy acts as a AAA server. When the same request needs to be forwarded to another AAA entity, the proxy acts as a AAA client.
Figure 9-1 illustrates both ends of a proxy configuration relative to the local host. When the local host receives a request that it will authenticate, the server that forwarded the request is called the proxy server. When the local host forwards a request for another server to authenticate, the other server is called the remote (or home) server. A request can be forwarded through several networks before it reaches the home server.
Figure 9-1 Proxy Configuration
Navigating the Proxy Screen
The server configuration must include all the servers that forward messages to, or receive forwarded messages from, the AAA server. If a remote server is not included in the configuration, the server does not handle or forward its requests. The Proxies screen shown in Figure 9-2 allows you to add, modify, or delete a proxy in the server configuration.
Figure 9-2 Server Manager’s Proxy Screen
Changing the Default localhost Proxy Settings
The HP-UX AAA Server includes a preconfigured proxy entry named localhost for use in loop-back testing. You must change the default shared secret value for the localhost proxy, or delete it if you do not plan to use loop-back testing.
To change the shared secret for the default localhost proxy, complete the following steps:
1. From the navigation tree, click Proxies.
2. On the Proxies screen, click the localhost link.
3. Change the default shared secret and confirm it by entering it again.
4. Click Modify.
IMPORTANT: Changing the default shared secret increases the security of your HP-UX AAA Server, because every installation ships with the same value. HP recommends that all customers change the default values.
Creating or Modifying a Proxy
When adding a proxy entry to the server configuration or modifying an existing entry, you must supply values for the proxy attributes through the Server Manager's Proxy Attributes screen.
To add a new proxy, or modify an existing proxy, complete the following steps:
1. From the navigation tree, click Proxies, and then click New Proxy if you are creating a new proxy. If you are modifying an existing proxy, select the proxy you want to modify. The Proxy Attributes screen appears as shown in Figure 9-3.
Figure 9-3 Server Manager’s Proxy Attributes Screen
2. Fill in the form on the Proxy Attributes screen according to the information given in Table 9-1.
Table 9-1 Proxy Configuration Options
Option: Function
Name: Enter the network location of the proxy server. The name can be an IPv4 address (in dotted-quad notation), an IPv6 address (in colon-separated notation), a valid fully qualified DNS name, or an IP (IPv4 or IPv6) address that contains a wildcard pattern. When specifying Name as a DNS host name, you must use the name returned by the hostname command.
Notes:
• To accept forwarded requests from any IPv4 address or from any IPv4 address of a particular subnet, specify a wildcard pattern. Examples of valid IPv4 wildcard patterns are:
— *
— 192.*
— 192.0.*
— 192.0.2.*
• To allow access from any IPv6 address or from a group of IPv6 addresses, specify an IPv6 wildcard pattern. The allowed IPv6 wildcard patterns are constructed by appending a '*' to a partial IPv6 address or by specifying a single '*'. Examples of valid IPv6 wildcard patterns are:
— *
— fedc:ba98:7654:3210:fe*
— fedc:ba98:7654:3210*
The special IPv6 syntax of compressing zeroes using "::" is not allowed in IPv6 wildcard patterns. For example, 'fedc::ba98:fe*' is not allowed.
A wildcard entry accepts forwarded requests from every address it covers that presents the shared secret, so keep patterns as narrow as the deployment allows.
Shared Secret: Enter the shared secret held between the two authentication servers. The shared secret must be less than 255 characters. A request from a forwarding server for which the remote server does not have a shared secret will not be authenticated. The shared secret is the only credential that authenticates the peer's RADIUS packets, so use a long, randomly generated value rather than a guessable one.
Confirm Shared Secret: Enter the shared secret once more to confirm it.
Vendor: Enter the vendor-specific attributes to be returned to the proxy server in a reply. Select Generic (the default) if you do not want any vendor-specific attributes to be returned. You can make multiple selections by holding down the control key as you select vendor names.
Table 9-1 Proxy Configuration Options (continued)
Option: Function
Response Options: Select any of the check boxes to specify additional message-handling options. The following options are valid:
RAD_RFC: Verifies that the Access-Request conforms with the RADIUS RFC. Nonconforming messages are dropped.
ACCT_RFC: Verifies that the Accounting-Request conforms with the Accounting RFC. Nonconforming messages are dropped.
CHECK_ALL: Checks all attributes to determine if the request is a duplicate (for messages from a proxy server). Use this option if the remote server sends nonstandard messages that are not easily detected as duplicates.
PRUNE: Forces pruning as if the response were being returned to an access device. When this option is checked, the Generic vendor prunes all vendor-specific attributes before a message is returned to the proxy server. This can be used to help prevent problems that might occur if an unencapsulated vendor attribute is not correctly mapped in the vendors file.
The server prunes vendor-specific attributes for a given vendor if that vendor is not properly defined in the vendors file and its attributes are not properly defined in the dictionary file.
IMPORTANT: If you have specified the Prune response option for the proxy server and the HP-UX AAA server is using the MS-CHAP protocol for authentication, you must select Microsoft as one of the vendors.
3. If you are adding a new proxy entry, click Create to submit the new proxy to the Server Manager. If you are modifying an existing entry, click Modify to submit changes made to the proxy entry to the Server Manager. Click Cancel to return to the Proxy screen without making any changes to your server configuration.
4. From the navigation tree, click Save Configuration.
5. On the Save Configuration screen that appears, click Save.
NOTE: Clicking Save saves the entire server configuration (access devices, proxies,local realms, users, and server properties) to the servers you specify.
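The Name rules of Table 9-1 (a single '*', dotted IPv4 prefixes such as 192.0.*, IPv6 prefixes such as fedc:ba98:7654:3210*, and no "::" compression inside a wildcard) are easy to get wrong in an entry that decides which hosts may forward requests. The following added example, which is not HP-UX AAA Server code, validates a pattern and matches a peer address against it. It assumes that an IPv6 address is compared in its fully expanded textual form (so IPv6 patterns are written with complete four-digit groups), that a Name without '*' must equal the address exactly, and it does not handle DNS host names. The audit_patterns helper flags entries that accept forwarded requests from any address.

```python
"""Matching a peer's source address against the Name wildcard patterns of
Table 9-1.

Added example, not HP-UX AAA Server code. Assumptions: an IPv6 address is
compared in its fully expanded textual form (so IPv6 patterns are written with
complete four-digit groups), and a Name without '*' must equal the address
exactly. DNS host names are not handled here.
"""
import ipaddress
import re

# "*", "192.*", "192.0.*", "192.0.2.*": up to three dotted octets, then '*'.
IPV4_WILDCARD = re.compile(r"^(\d{1,3}\.){0,3}\*$")
# "fedc:ba98:7654:3210*", "fedc:ba98:7654:3210:fe*": a partial address, then '*'.
IPV6_WILDCARD = re.compile(r"^([0-9a-fA-F]{1,4}:)*[0-9a-fA-F]{0,4}\*$")


def classify_pattern(pattern: str) -> str:
    """Return 'any', 'exact', 'ipv4' or 'ipv6'; raise ValueError for a pattern
    the page disallows, including '::' zero compression inside a wildcard."""
    if pattern == "*":
        return "any"
    if "*" not in pattern:
        ipaddress.ip_address(pattern)  # ValueError if not a literal address
        return "exact"
    if "::" in pattern:
        raise ValueError("'::' is not allowed in IPv6 wildcard patterns: %r" % pattern)
    if IPV4_WILDCARD.match(pattern):
        return "ipv4"
    if IPV6_WILDCARD.match(pattern):
        return "ipv6"
    raise ValueError("invalid wildcard pattern: %r" % pattern)


def is_valid_pattern(pattern: str) -> bool:
    try:
        classify_pattern(pattern)
        return True
    except ValueError:
        return False


def matches(address: str, pattern: str) -> bool:
    """True if the peer address falls under the configured Name pattern."""
    kind = classify_pattern(pattern)
    addr = ipaddress.ip_address(address)
    if kind == "any":
        return True
    if kind == "exact":
        return addr == ipaddress.ip_address(pattern)
    prefix = pattern[:-1].lower()
    if kind == "ipv4":
        return addr.version == 4 and str(addr).startswith(prefix)
    # IPv6: compare the prefix string against the expanded address, so that
    # "fedc:ba98:7654:3210*" covers fedc:ba98:7654:3210::1 as well.
    return addr.version == 6 and addr.exploded.startswith(prefix)


def audit_patterns(patterns):
    """Report Name entries that accept forwarded requests from any address;
    such an entry relies on the shared secret alone to identify the peer."""
    return [p for p in patterns if p == "*"]


if __name__ == "__main__":
    for addr, pat in (("192.0.2.5", "192.0.*"), ("192.1.2.5", "192.0.*"),
                      ("fedc:ba98:7654:3210::1", "fedc:ba98:7654:3210*")):
        print("%-24s %-24s %s" % (addr, pat, matches(addr, pat)))
    print("fedc::ba98:fe* valid?", is_valid_pattern("fedc::ba98:fe*"))
```

Because the comparison is a textual prefix match, a pattern such as fedc:ba98:7654:321* also covers fedc:ba98:7654:321f; write the full fourth group when only one 64-bit prefix is intended.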
Forwarding Authentication and Dynamic Authorization Requests From a Proxy Server
To forward authentication requests from a proxy server, complete the following steps:
1. Follow the steps listed in "Creating or Modifying a Proxy" (page 118).
2. In the Proxy Configuration Form, configure the options described in Table 9-2.
Table 9-2 Options for Forwarding Requests
Option: Description
Realms to forward: All requests originating from the realms listed in this drop-down list will be forwarded to the remote server. To add a realm to the list, select Add Realm from the list. To modify or delete a listed realm, select the realm name from the drop-down list. When you add or modify a realm, you specify the realm name and whether its accounting messages should be forwarded to the remote server. By default, accounting messages are forwarded to the proxy server.
Authentication relay port: This port number value overrides the server's startup switches that specify the UDP port used to relay authentication requests. The default (when no value is entered in this field and no startup switch is specified) is 1812.
Accounting relay port: This port number value overrides the server's startup switches that specify the UDP port used to relay accounting requests. The default (when no value is entered in this field and no startup switch is specified) is 1813.
Dynamic Authorization Relay Port: Enter the UDP port number of the dynamic authorization server to which the HP-UX AAA Server must send the dynamic authorization requests. The default value is 3799.
Retry Count: Enter the number of client retry requests the HP-UX AAA Server must send to perform a client function, such as Disconnect or Change of Authorization. The default value is 2.
Retry Interval: Specifies the time interval between two successive client requests. The HP-UX AAA Server sends a client retry request at the end of the specified retry interval if the initial request does not receive a response from the respective server. The default value is 3.
Append Attributes: When receiving a response from a remote server, Yes instructs the server to append all the forwarded A-V pairs to the new A-V pairs included in the response. This setting is useful when a remote server does not return all of the A-V pairs that it received.
3. Click Create.
4. From the navigation pane, click Save Configuration.
5. On the Save Configuration screen that appears, click Save.
CAUTION: Clicking Save saves the entire server configuration (access devices,proxies, local realms, users, and server properties) to the servers you specify.
NOTE: By default, accounting requests originating from the realm are also forwardedto the remote server.
Forwarding Authentication Requests to a Remote Server
To forward authentication requests to a remote server, complete the following steps:
1. Follow the steps listed in "Creating or Modifying a Proxy" (page 118).
2. In the Realms to Forward field, select the Add Realms option.
3. Complete the Proxy Realm screen that appears by entering the name of the realm.
4. Select Yes if accounting requests are not to be forwarded to the proxy server.
5. On the Proxy Realm screen, click Save.
6. Repeat steps 2 through 5 for each realm that must be forwarded to the remote server. To remove a realm that has been added, select the realm name from the Realms to forward drop-down list and click Delete.
7. Complete the remaining fields if necessary.
8. Click Create.
9. From the navigation tree, click Save Configuration.
10. On the Save Configuration screen that appears, click Save.
CAUTION: Clicking Save saves the entire server configuration (access devices,proxies, local realms, users, and server properties) to the servers you specify.
NOTE: By default, accounting requests originating from the realm are alsoforwarded to the remote server.
Changing RADIUS Port NumbersIf a remote server is listening for authentication or accounting requests on ports thatare not the RADIUS defaults, you must configure the local server to forward messagesto the correct port. The current RADIUS default ports are 1812 and 1813. For DynamicAuthorization, the default port is 3799. Many older RADIUS servers listen for requestson ports 1645 and 1646.
Forwarding Requests to Alternate RADIUS Ports
Complete the following steps to forward requests to alternate RADIUS ports:
1. If you have not already configured the remote server, complete the steps listed in "Creating or Modifying a Proxy" (page 118). If the proxy configuration already exists, access it from the Proxy screen.
2. In the Authentication relay port and Accounting relay port fields of the Proxyattributes screen, specify the alternate ports.
3. Click Create.
4. From the navigation tree, click Save Configuration.
CAUTION: Clicking Save Configuration saves the entire server configuration(access devices, proxies, local realms, users, and server properties) to the serversyou specify.
Forwarding Accounting Requests

The HP-UX AAA Server forwards accounting start and stop messages to the remote proxy server. You can instead have the server record those start and stop messages locally and suppress forwarding them (see the note under “Proxying Authentication and Accounting Messages to the Same Server”). Table 9-3 lists the accounting message logging combinations that are possible.
Table 9-3 Accounting Logging Options

Logging location: Local, and proxy accounting forwarded to the remote server
Configuration: Account forwarding set to Yes for the proxy configuration; no account forwarding to a central server

Logging location: Local only
Configuration: Account forwarding set to No for the proxy configuration; no account forwarding to a central server

Logging location: No local logging; proxy accounting forwarded to the remote server, and all accounting forwarded to the central server
Configuration: Account forwarding set to Yes for the proxy configuration; account forwarding to a central server

Logging location: No local or proxy accounting; all accounting forwarded to the central server
Configuration: Account forwarding set to No for the proxy configuration; account forwarding to a central server
Follow the steps in “Proxying Authentication and Accounting Messages to the Same Server” (page 124) to set account forwarding to Yes for a proxy configuration. Follow the steps in “Proxying Accounting Requests to a Central Server” (page 125) to forward accounting requests to a central server.
Proxying Authentication and Accounting Messages to the Same Server

1. If you have not already configured the remote server, follow the procedure to create or modify proxies (see “Creating or Modifying a Proxy” (page 118)). If the proxy configuration already exists, access it from the proxy screen.
2. From the Realms to forward drop-down list, select the name of the realm whose accounting messages you want to forward. If the realm is not already in the drop-down list, select Add Realm and follow the instructions in the Proxy Realm dialog box that appears.
3. In the Proxy Realm window that appears, enter the realm name.
4. In the Proxy Realm window, click Save.
5. Click Create.
6. From the navigation tree, click Save Configuration.

CAUTION: Clicking Save Configuration saves the entire server configuration (access devices, proxies, local realms, users, and server properties) to the servers you specify.

NOTE: By default, accounting messages are forwarded to the remote proxy server. Select Yes for Use Local Session Tracking to Suppress Forwarding of Accounting Requests to record accounting start and stop messages locally instead.
Proxying Accounting Requests to a Central Server

You can forward all received accounting messages to a central server by modifying the finite state table. This configuration disables all local accounting.
1. Copy the file /opt/aaa/examples/config/proxyacct.fsm to the radius.fsm file.
2. Open radius.fsm in a text editor and locate the following lines:

   Acctwait:
       *.*.ACK       RAD2RAD   REPLYHold   Xstring="default.accounting.proxy.server"
       *.*.ACCT_DUP  RAD2RAD   REPLYHold   Xstring="default.accounting.proxy.server"

3. Replace the two instances of default.accounting.proxy.server with the DNS name or IP address of the server that you want to forward the accounting messages to. To forward the accounting to a different port, use the following syntax: Acct:Port.

IMPORTANT: The server you specify must be added to your proxy configuration.

4. Save radius.fsm.
5. Restart the server if it is already running.
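The following script is an added example and is not part of the HP-UX AAA Server distribution. It performs steps 1 to 3 of the procedure above: it reads proxyacct.fsm, replaces both default.accounting.proxy.server placeholders with the accounting server, refuses to continue if the placeholder count is not exactly two, and enforces the IMPORTANT note by checking the server against the names of the configured proxies. Assumptions: the caller supplies the destination path of radius.fsm and the list of configured proxies (the guide does not say where to read them from), and the Acct:Port form is taken to mean "server:port". SAMPLE_TEMPLATE is a constructed fragment in the shape shown above, not the real file contents.

```python
"""Install the central-accounting state table from the procedure above.

Added example, not part of the HP-UX AAA Server distribution. Assumptions:
the destination path of radius.fsm and the configured proxy names are
supplied by the caller, and Acct:Port means "server:port".
"""
import re
from pathlib import Path
from typing import Iterable, Optional

PLACEHOLDER = "default.accounting.proxy.server"
TEMPLATE_PATH = Path("/opt/aaa/examples/config/proxyacct.fsm")  # path named in the guide

# Constructed fragment of the Acctwait state in the shape the guide shows;
# not the real template file.
SAMPLE_TEMPLATE = (
    "Acctwait:\n"
    '\t*.*.ACK\t\tRAD2RAD\tREPLYHold\tXstring="default.accounting.proxy.server"\n'
    '\t*.*.ACCT_DUP\tRAD2RAD\tREPLYHold\tXstring="default.accounting.proxy.server"\n'
)


def rewrite_fsm(text: str, server: str, port: Optional[int] = None) -> str:
    """Return text with both placeholder Xstrings pointing at server[:port].

    Exactly two replacements are expected. Any other count means the file
    is not the template the procedure describes, so stop rather than
    install a half-edited state table.
    """
    target = server if port is None else f"{server}:{port}"  # Acct:Port assumption
    pattern = re.compile(r'Xstring="' + re.escape(PLACEHOLDER) + r'"')
    new_text, count = pattern.subn(f'Xstring="{target}"', text)
    if count != 2:
        raise ValueError(f"expected 2 placeholder lines, found {count}")
    return new_text


def install_fsm(server: str, configured_proxies: Iterable[str], radius_fsm_path,
                template_path=TEMPLATE_PATH, port: Optional[int] = None) -> Path:
    """Write radius.fsm from the template (steps 1 to 3 of the procedure).

    configured_proxies: names of servers already in the proxy configuration,
    checked before anything is written (the IMPORTANT note above).
    """
    if server not in set(configured_proxies):
        raise ValueError(f"{server} is not in the proxy configuration; add it first")
    text = rewrite_fsm(Path(template_path).read_text(), server, port)
    Path(radius_fsm_path).write_text(text)
    return Path(radius_fsm_path)


if __name__ == "__main__":
    # Dry run on the constructed fragment; no files are touched.
    print(rewrite_fsm(SAMPLE_TEMPLATE, "acct.example.net", 1813))
```

After install_fsm writes the file, step 5 still applies: restart the server for the new state table to take effect.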
Deleting a Proxy

Complete the following steps to delete a proxy:
1. In the Proxies screen, click the delete icon corresponding to the proxy you want to delete. The Delete Proxy screen appears as shown in Figure 9-4. This screen allows you to preview the proxy attributes before you confirm deletion.

Figure 9-4 The Delete Proxy Screen

2. Click Delete to delete the displayed proxy entry. Click Cancel to return to the Proxy screen without deleting the entry.
10 Configuring Users

User profiles associate information with a user name for authentication and authorization. This information is defined by attribute-value pairs. The server configuration must include profiles for all the users that can access services through the AAA server. If a user profile is not included in the configuration, the server rejects the user's access request. Profiles are stored in flat text files or in an external source. This section covers user profiles stored in a text file.

IMPORTANT: You must enter the user's fully-qualified name (user name and realm, in the form user@realm) when adding a user to the default users file (using the Users link in the navigation tree). For example, enter user1 together with its realm instead of only entering user1.
Navigating the Users Screen

The Users screen allows you to add, modify, or delete a user stored in a text file. You can access this screen by selecting the Users link from the graphical interface's navigation tree, or through the Realms screen by selecting the Users icon for a realm that is configured for the User File. When you create, modify, or delete a user, the corresponding screen displays.
Figure 10-1 Server Manager’s Users Screen
Changing the Default test_user Settings

The HP-UX AAA Server includes a preconfigured user entry named test_user for use in loop-back testing. Because this entry and its default password are the same in every installation, you must change the password, or delete the entry if you do not plan to use loop-back testing. To change the password for the default test_user settings, complete the following steps:
1. From the navigation tree, click Users to access the Users screen shown in Figure 10-1.
2. Select test_user by clicking the Edit icon corresponding to it. The Modify Users pane appears, similar in appearance to the Add Users pane shown in Figure 10-2.
3. Change the default password and confirm it by entering it again.
4. Click Modify.
Adding a User Profile

When adding a new user profile to the server configuration, or modifying an existing entry, you supply values for the user profile attributes through the form in the Add / Modify Users screen. This form is tabbed according to groups of attribute-value pairs. Initially, the General tab is active. Use the other tabs to specify A-V pairs. For more information, see “Tabs on the Add Users Screen” (page 130). To add or modify a user's profile, complete the following steps:
1. From the navigation tree, click Users. The Users screen appears as shown in Figure 10-1.
2. To add a new user, click the icon corresponding to the New user link. The Add Users screen appears as shown in Figure 10-2.

Figure 10-2 The Add Users Screen

3. Enter values in the form as per the instructions in Table 10-1.
Table 10-1 General Attributes in the Add User Screen

User Name: Value to compare to the User-Name attribute value in the request. It must be less than 64 characters. The characters &, ", ~, \, /, %, $, ', and space cannot be used.

Authentication Type: Use this field to supersede the authentication type specified in the user's realm. Selecting Local uses the authentication method specified by the user's realm.

Password and Confirm Password: Enter the password in the Password field, and enter the same password in the Confirm Password field to confirm it.

Password Hashing Mechanism: Choose how you want to store user passwords by selecting a hashing method. Select Plain Text to be compatible with most client password hashing methods. If you prefer not to use Plain Text, be sure the password storing mechanism you choose is compatible with the client password hashing method; a challenge/response method can only be verified against a stored form from which the server can recompute the client's response.

Service Type (Check/Reply): Indicates a type of provided service. When used as a reply item, the server returns the value to the access device as an instruction to determine the service to provide. When used as a check item, the server rejects an Access-Request that does not include a hint for the specified service type.

Session Timeout (optional): Sets the maximum number of seconds of service to be provided to the user before termination of the session or prompt.

Idle Timeout (optional): Sets the maximum number of consecutive seconds of idle connection allowed to the user before termination of the session or prompt.

Filter ID (optional): The name of the filter list for this user. Different attribute values can be used to add more than one Filter-ID reply item to an entry. Identifying a filter list by name allows the filter to be used on different NASs without regard to filter-list implementation details.

Callback Number (optional): A dialing string to be used for callback.

Callback ID (optional): The name of a place to be called, to be interpreted by the NAS.
4. Click Create in the User Attributes screen.
5. Repeat steps 2 to 4 for each user profile you wish to add to the realm.
6. From the navigation tree, click Save Configuration.

CAUTION: Clicking Save Configuration saves the entire server configuration (access devices, proxies, local realms, users, and server properties) to the servers you specify.
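The compatibility rule behind the Password Hashing Mechanism field is easier to see in code. The following is an added example, not HP-UX AAA Server code, and the product's own hashing mechanisms are not shown here. It contrasts two client methods with standard-library primitives: PAP sends the password itself (in real RADIUS it is hidden under the shared secret per RFC 2865 section 5.2, a step omitted here), so the server can check it against a salted hash; CHAP sends MD5(ID || password || challenge) as defined in RFC 1994, which the server can only recompute if it holds the cleartext password. The credentials and challenge are constructed.

```python
"""Why the stored password form must match the client's authentication method.

Added example, not HP-UX AAA Server code. Storage forms, the PAP password
hiding step and attribute names are simplified for illustration.
"""
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000


def make_record(password: bytes, plain: bool) -> dict:
    """Build a user record in either storage form (cleartext or salted hash)."""
    if plain:
        return {"form": "plain", "secret": password}
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ROUNDS)
    return {"form": "hashed", "salt": salt, "digest": digest}


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP response as the client computes it (RFC 1994 section 2.2)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def pap_request(password: bytes) -> dict:
    """Access-Request attributes for PAP (User-Password hiding omitted)."""
    return {"User-Password": password}


def chap_request(ident: int, password: bytes, challenge: bytes) -> dict:
    """Access-Request attributes for CHAP: CHAP-Password is ident + response."""
    return {"CHAP-Challenge": challenge,
            "CHAP-Password": bytes([ident]) + chap_response(ident, password, challenge)}


def verify_access_request(record: dict, request: dict) -> bool:
    """Check a request against the stored record.

    Returns True/False for a verifiable combination and raises ValueError
    when the stored form cannot support the client's method at all, which
    is the mismatch the Password Hashing Mechanism description warns about.
    """
    if "User-Password" in request:
        supplied = request["User-Password"]
        if record["form"] == "plain":
            return hmac.compare_digest(record["secret"], supplied)
        digest = hashlib.pbkdf2_hmac("sha256", supplied, record["salt"], PBKDF2_ROUNDS)
        return hmac.compare_digest(record["digest"], digest)
    if "CHAP-Password" in request:
        if record["form"] != "plain":
            raise ValueError("CHAP needs the cleartext password; stored form is hashed")
        chap = request["CHAP-Password"]
        ident, response = chap[0], chap[1:]
        expected = chap_response(ident, record["secret"], request["CHAP-Challenge"])
        return hmac.compare_digest(expected, response)
    raise ValueError("request carries neither User-Password nor CHAP-Password")


if __name__ == "__main__":
    pw = b"correct horse battery staple"  # constructed credential
    challenge = os.urandom(16)
    print("PAP vs hashed store:", verify_access_request(make_record(pw, False), pap_request(pw)))
    print("CHAP vs plain store:", verify_access_request(make_record(pw, True), chap_request(1, pw, challenge)))
    try:
        verify_access_request(make_record(pw, False), chap_request(1, pw, challenge))
    except ValueError as err:
        print("CHAP vs hashed store:", err)
```

The practical consequence for the users file: choosing Plain Text keeps every client method verifiable but makes the file itself a credential store, so its permissions matter; choosing a hash restricts you to clients that send the password rather than a hash of it.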
Tabs on the Add Users Screen

Each of the four tabs (General, NAS/Login, Framed, and Others) corresponds to a group of attributes that can be used in a user profile as check or reply items. When you specify attribute values through these tabs, any A-V pair that ordinarily can be used as either a check or a reply item in a server configuration is automatically added as a reply item, unless you enter it through the Free tab.
Specifying Attributes Using the Free Attributes Pane

To specify attributes using the Free Attributes pane, complete the following steps:
1. To access the Free Attributes pane, click the Free tab.
2. List A-V pairs one per line in the following syntax:

   Attribute=Value

3. Click Create if you are adding a new user profile. Click Modify if you are modifying an existing user profile. Click Cancel to return to the Users screen without making any changes. If each field contains a valid value, the profile is created or modified; otherwise, an error message is displayed.
Modifying User Profiles

Complete the following steps to modify a user's properties:
1. From the navigation tree, click Users. The Users screen appears as shown in Figure 10-1.
2. Click the edit icon corresponding to the user whose profile you want to modify. The Modify Users screen appears as shown in Figure 10-3.

Figure 10-3 The Modify Users Screen

3. Fill in the fields in the form according to the information given in Table 10-1.
4. Click Modify to save changes. Click Cancel to exit without saving changes.
Deleting a User Profile

You can delete a user profile in the default users file or in a realm file, which is the file created for a realm that uses file type authentication.

To Delete a User Profile From the Default users File

To delete a user profile in the default users file, complete the following steps:
1. In the Users screen, click the delete icon corresponding to the user profile you want to delete. The Delete User screen appears as shown in Figure 10-4. This screen allows you to preview the user attributes before you confirm deletion.

Figure 10-4 The Delete Users Screen

2. Click Delete to delete the displayed user profile. Click Cancel to return to the Users screen without deleting the user profile.

To Delete a User Profile in a Local Realms File

Complete the following steps to delete a user profile in a local realms file:
1. In the Local Realms screen, select the Users icon for a listed realm that is configured for file type authentication. The Users screen appears, displaying a list of users in that realm.
2. Click the delete icon corresponding to the user profile you want to delete. The Delete User screen appears as shown in Figure 10-4. This screen allows you to preview the user attributes before you confirm deletion.
3. Click Delete to delete the displayed user profile. Click Cancel to return to the Users screen without deleting the user profile.
11 Modifying Server Properties

You can modify server variables to override built-in defaults. A server startup option overrides the corresponding server property setting. You can modify server variables using the Server Properties screen: enter values for the given parameters to modify a server variable.

Navigating the Server Properties Screen

The Server Properties screen can be accessed by selecting the Server Properties link in the Server Manager navigation tree. In the Server Properties screen shown in Figure 11-1, you can modify the HP-UX AAA Server's properties. Clicking any of the Server Properties links in the Server Properties screen takes you to the corresponding screen.

Figure 11-1 Server Manager's Server Properties Screen

DHCP Relay Properties

Clicking the DHCP Relay Properties link takes you to the DHCP Relay Properties screen where you can modify the properties described in Table 11-1.

NOTE: IPv6 support is not available for DHCP Relay.
Table 11-1 DHCP Relay Properties

DHCP Server Port (optional): The UDP port to send DHCP requests to. If no value is specified, 67 is used.

DHCP Relay Port (optional): The UDP port to receive DHCP responses on. If no value is specified, 67 is used.

Send User Class: Determines which option in the DHCP message carries the IP address pool name. If set to Yes, the pool name is sent in the User-Class option. If set to No, the pool name is sent in the Vendor-Class-Identifier option.

Initial Retransmission Interval (optional): The time in seconds before the initial retransmission of a request to the DHCP server. If no value is specified, 4 is used.

Maximum Retransmission Interval (optional): The maximum value in seconds for the DHCP request retransmission interval. If no value is specified, 60 is used.

Client Hardware Type (optional): This value is passed to the DHCP server. The valid values are 0 (NONE) and 1 (ETHER). If no value is specified, or any other value is entered, 1 is used.

Send Maximum DHCP Message Size: If Yes, always use the Maximum DHCP Message Length as the message size sent to the DHCP server; some DHCP servers require this. If No, use the minimum possible message size. The preselected value is No.

DHCP Server Name (optional): DNS name of the DHCP server. This value is only used if the DHCP Server IP Address value is not specified.

DHCP Server IP Address (optional): The IP address of the DHCP server. This parameter takes precedence over the DHCP Server Name parameter.

Maximum Discover Retransmissions (optional): The maximum number of DHCPDISCOVER retransmissions. If unspecified, there is no limit to the number of retransmissions.

Maximum Request Retransmissions (optional): The maximum number of DHCPREQUEST retransmissions. If unspecified, there is no limit to the number of retransmissions.

Maximum DHCP Message Length: The maximum size of the message that can be received from the DHCP server.
DNS Update Properties

Clicking the DNS Update Properties link takes you to the DNS Update Properties screen where you can modify the properties described in Table 11-2.

Table 11-2 DNS Update Properties

DNS Refresh Interval (optional): Time (in seconds) used to periodically refresh the IP addresses of clients and proxies that are configured by host name. If no value is specified, 3600 (one hour) is used.

DNS Refresh Time Frame (optional): When the DNS Refresh Interval for a host name has expired, all other host names that would be refreshed within the specified number of seconds are refreshed immediately. If no value is specified, 60 is used.
Message Handling Properties

Clicking the Message Handling Properties link takes you to the Message Handling Properties screen where you can modify the properties described in Table 11-3.

Table 11-3 Message Handling Properties

Hold Replies (optional): The time in seconds to store requests (and the associated replies) in the retransmission queues. The Hold Replies time is measured from the time the replies were initially sent. If no value is specified, 6 is used. Notes:
• Requests that are forwarded (proxied) to another server are not held in the retransmission queues.
• A value of zero causes the replies to be held for 30 seconds.

Global Retry Limit (optional): Specifies the maximum number of retransmissions received before a RETRY event occurs. Processing RETRY events requires customization of the Finite State Machine (FSM). Refer to Chapter 26: “Customizing the HP-UX AAA Server Using the Finite State Machine” (page 396) for more information on the FSM.

Special Duplicate Limit (optional): Specifies the limit for processing requests that appear to be duplicates (created by early implementations of MS-CHAP on some older PPP clients). If no value is specified, 0 is used.

Max. Accounting Requests (optional): Sets the maximum number of simultaneous accounting requests to be handled by the system. When this limit is exceeded, the requests are dropped with a message in the logfile.

Hold Accounting Requests (optional): The time in seconds each accounting request should be held after the Hold Replies time. This option is used for debugging purposes only. If no value is specified, 0 is used.

Max. Authentication Requests: The maximum number of simultaneous authentication requests to be stored in a retransmission queue. When this limit is exceeded, all new authentication requests are discarded. HP recommends that this value match the value used for Max. Accounting Requests. If no value is specified, 1000 is used.
NOTE: When this authentication queue limit is exceeded, the server also stops responding to the Status command, so a monitoring check that relies on Status reports the server as unresponsive while the queue is full.

Hold Authentication Requests (optional): The time in seconds each authentication request should be held after the Hold Replies time. This option is used for debugging purposes only. If no value is specified, 0 is used.

Max. Send Message Size (optional): Serves as a debugging function for certain custom HP-UX AAA Servers that might transmit very large packets, and helps to debug code written to prevent an excessively large packet from corrupting the server.

Max. Receive Message Size: Serves the same debugging purpose as Max. Send Message Size, for packets the server receives.
SNMP Properties

Clicking the SNMP Properties link takes you to the SNMP Properties screen where you can modify the Enable SNMP Support property.

Enable SNMP Support

When this option is set to Yes, the HP-UX AAA Server automatically checks the local host (and not the network) for an SNMP master agent to communicate with, and the server can be monitored by an SNMP workstation. When this option is set to No, the server does not communicate with an SNMP master agent and cannot be monitored by an SNMP workstation. The default value is No.
Tunneling Properties

Clicking the Tunneling Properties link takes you to the Tunneling Properties screen where you can modify Tunneling Reply Items.

Tunneling Reply Items (Optional)

Use the drop-down menu to specify the behavior when the HP-UX AAA Server receives an Access-Request that does not contain any Tunnel Hint attributes (like Tunnel-Type). The options are as follows:
• Return-Configured-Tunnel-Attributes: Allows the return of tunnel attributes in the authentication reply.
• Return-No-Tunnel-Attributes: Does not return any tunnel attributes in the authentication reply.
• Reject-Access-Request: Fails the authentication by silently discarding the Access-Request.
If no value is selected, Return-Configured-Tunnel-Attributes is used.
Certificate Properties

Clicking Certificate Properties takes you to the Certificate Properties screen where you can modify the properties described in Table 11-4.

Table 11-4 Certificate Path Properties

Server Certificate Path: For TLS, TTLS, and PEAP. Fully-qualified file name of the AAA server certificate, in .pem or .cer format.

Server Private Key Path: Fully-qualified file name of a file, in .pem or .cer format, that contains the private key used to generate the AAA server certificate. This file cannot be encrypted, so restrict its file permissions to the account the server runs as.

Client Certificate Authority Path: For TLS only. Fully-qualified file name of the Certificate Authority (CA) certificate for the client certificate, used by the AAA server to authenticate client certificates. The CA certificate for the client certificate must be in .pem format.

Random Seed Path: For TLS, TTLS, and PEAP. Fully-qualified file name of the random seed used to generate keys.

Client User Name Attribute: For TLS only. Identifies the attribute in the user's digital certificate from which to retrieve the user's name. This attribute must match the user name configured on the supplicant (client) software. The AAA server checks the user name in the certificate against the user name supplied in the EAP-TLS authentication request. Select one of the following options:
• Subject Common name (default): Use the CommonName (CN) in the Subject attribute.
• Subject EmailAddress: Use the Email Address (E) in the Subject attribute.
• SubjectAltName RFC822Name: Use the RFC822Name in the SubjectAltName attribute.
• Check all attributes: Search all of the above three fields for a matching name.
• Disable: Do not compare the user name with the certificate name.

Certificate Revocation List Path: For TLS. Fully-qualified file name of a list of prohibited client certificates. The file must be in .pem or .cer format.
File Size Properties

Clicking File Size Properties takes you to the File Size Properties screen where you can modify the Maximum Logfile Size property.

Maximum Logfile Size

This property refers to the maximum size (in bytes) of the server's logfiles and accounting logfiles. The minimum value for this parameter is 65,536 and the maximum is 2,147,483,647. Once the configured size is reached, the file is closed and a new logfile is created. If no value is specified, 2,147,483,647 is used.
Miscellaneous Properties

Clicking Miscellaneous Properties takes you to the Miscellaneous Properties screen where you can modify the Permit Microsoft Client Authenticate As Computer property.

Permit Microsoft Client Authenticate As Computer

Enable (Yes) to support the Microsoft client "authenticate as computer" feature. The Microsoft supplicants must also be configured to authenticate as computers. If this parameter is enabled (Yes), the AAA Server ignores any "host/" prefix in the user name passed from the client request. The default setting is Yes (enabled). If this parameter is enabled, the HP-UX AAA Server can still authenticate supplicants that do not have "authenticate as a computer" configured.

Local Users File Properties

Enable (Yes) to enable case-insensitive searching in the default users file. The default setting is No: case-insensitive searching is disabled, so searches are case sensitive.
ProLDAP Properties

Clicking ProLDAP Properties takes you to the ProLDAP Properties screen where you can modify the properties described in Table 11-5.

Table 11-5 ProLDAP Properties

Debug: Determines whether OpenLDAP debug messages are logged in the HP-UX AAA Server radius.debug file. To disable logging of OpenLDAP messages, enter a value of 0. To enable logging, enter a value of -1. By default, logging is disabled.

Connection Timeout (milliseconds): Number of milliseconds that the HP-UX AAA Server waits for an LDAP server while trying to establish the TCP connection. The default value is 300 milliseconds.

Timeout: Number of seconds that an LDAP connection remains open if the HP-UX AAA Server is unable to successfully perform any LDAP operation. The default value is 60 seconds.

Retry Wait: Number of seconds that the HP-UX AAA Server waits before attempting to reconnect to an LDAP server, if there are no active connections. The default value is 1 second.

Retry Wait for Alternate Servers: Used if any realm is configured with two or more LDAP servers and at least one of them is connected. Specifies the number of seconds the HP-UX AAA Server waits before attempting to reconnect to the LDAP servers that are not connected. The default value is 60 seconds.

Certificate Authority File: Used if any of the LDAP directories are configured to use SSL. Specifies the path of the file that contains one or more CA certificates used to authenticate LDAP directory server certificates. There is no default value.

Certificate Authority Directory: Used if any of the LDAP directories are configured to use SSL. Specifies the path of a directory that contains Certificate Authority certificates in separate individual files. If the Certificate Authority File is specified, it is always used before the Certificate Authority Directory. There is no default value.
AAA Server As A Client Properties

Clicking AAA Server As A Client Properties takes you to the AAA Server As A Client Properties screen where you can modify the properties described in Table 11-6.

Table 11-6 AAA Server As A Client Properties

Max Client Requests: Specifies the maximum number of client requests that can be stored in the client queue. Client requests exceeding the specified limit are discarded. The default value is 25000.

Global Client Retry Limit: Specifies the maximum number of retries that the Client AATV sends. The default value is 2.

Global Client Retry Interval: The time (in seconds) after which the client retries the request if it does not receive a response from the server. The default value is 3.

Client Reply Hold Table Size: Specifies the size of the hash table that stores the client requests present in the retransmission queues. The default value is 32.
NOTE: Configuring the hash table size requires a customized value.

Global Client Event Timestamp Window: Specifies the time window (in seconds) within which the Event-Timestamp value is valid. Any packet whose Event-Timestamp value falls outside the specified window is dropped. The default value is 9.
NOTE: This value is applicable to all incoming requests.

Enable Reverse Path Forwarding Check: Enables the Reverse Path Forwarding check for proxied dynamic authorization requests. The default value is No (disabled).

Client Action Properties: Lists the options to create, modify, and delete client actions.
Client Action Properties

Clicking Client Action Properties takes you to the Server Properties: Modify Property screen. If you select New Action or an existing client action in the Client Actions menu, the Client Action Properties window is displayed, where you can modify the properties described in Table 11-7.

Table 11-7 Client Action Properties

Action Name: Specifies a string used to identify a client action.

Timer Value: Specifies the frequency (in seconds) at which requests are created for a client action. The default value is 1 second.

Maximum Requests: Specifies the maximum number of requests that will be created each time the client action is invoked. By default, an unlimited number of requests is generated.
12 Logging and Monitoring

This chapter covers the server's diagnostic functions that allow you to search and display information related to the server's operation and usage.

Overview

You can view the log files that record the details of each AAA transaction or the session logs that record information about each user's session. You can also access information for active sessions and manually terminate a session if necessary. These functions can be accessed by selecting the Maintenance menu items from the Server Manager navigation tree. When you use any of these functions, you retrieve information from all servers selected in the Server Manager's Server Status pane.

Server Log Files

The log file of the AAA server contains all the information concerning the functioning of the server, such as start/stop of the server, all of the RADIUS requests, and some internal events. The data is automatically stored each day in a different file. The files are available as long as they are still on the disk.
• /var/opt/aaa/logs/logfile: the server log file
• /var/opt/aaa/logs/logfile_part<01-09>.yyyymmdd: compressed daily log file

NOTE: If the logfile exceeds its size limit (as configured in the File Size Property under the Server Properties link), a new logfile for that day is created and identified by the part<01-09> portion of the logfile file name.

Using Server Manager to Retrieve Logfile Information

Selecting the Server Logfile link in Server Manager's navigation tree allows you to retrieve information from log files.
Figure 12-1 Server Manager’s Logfile Screen
Search Parameters

You can filter what dates and times to retrieve from the logfile.

Table 12-1 Filter Parameters for Searching Logfiles

Begin (server time): The date and time of the first record in the range of data to retrieve.

End (server time): The date and time of the last record in the range of data to retrieve.

User: Limits the result of the search command to messages related to a specific user. For example, you can choose to find out why a user is not able to authenticate.

Number of Messages: Limits the result of the search command to the specified number of messages.
Message Types

You can filter what data to retrieve according to the type of message. For each message type, you indicate whether the message type should or should not be retrieved by selecting the Yes or No radio buttons. The different message types are:
• Server Failure: This type of message indicates a server internal error or a problem with the configuration files.
• Warning: This type of message indicates a problem with the server, but the server is still able to process RADIUS requests.
• Information Messages: All the messages that do not fall into any other category. By default, they are not displayed.
• Server start / re-start: This message is generated during each server startup or restart.
• Server stop: This message is generated when the administrator shuts down the server.
• Authentication request: This icon represents an Access-Request message.
• Authentication Failure: This icon represents an Access-Reject message.
• Authentication Success: This icon represents an Access-Accept message.
• Accounting Request: This icon represents an Accounting-Request message.
Using Server Manager to Retrieve Statistics

From the Server Manager's navigation tree, click Statistics to retrieve a count of events that occurred on the AAA server within a time range. The statistics are displayed using a bar graph.

Figure 12-2 Server Manager's Statistics Screen

Table 12-2 Statistic Search Parameters

Begin (server time): The date and time of the first record in the range of data to retrieve.

End (server time): The date and time of the last record in the range of data to retrieve.
The AAA server statistics are displayed in a bar graph similar to the example inFigure 12-3.
Figure 12-3 AAA Server Statistics Example
Accounting Log Files

The Local Authorization Server (LAS) generates accounting log files when the LAS_ACCT module is called by the Finite State Machine. Those files have names in the format session.yyyy-mm-dd.log, where yyyy is the year, mm the month, and dd the day when the file was generated.

NOTE: If the logfile exceeds its size limit (as configured in the File Size Property under the Server Properties link), a new logfile for that day is created and identified by a part<01-09> portion of the logfile file name, for example /var/opt/aaa/acct/session.yyyy-mm-dd_part<01-09>.log.

By default, the radius.fsm (logall.fsm) state table calls the LAS_ACCT module when the server receives an Accounting-Request to start or stop the session.
Using Server Manager to Retrieve Accounting Logfiles

From the navigation tree, click Accounting to retrieve information from the AAA server accounting logfiles.

Figure 12-4 Accounting Logfile Search Screen in Server Manager

Table 12-3 Accounting Logfile Search Parameters

Option    Description
Begin     The date and time of the first record in the range of data to retrieve.
End       The date and time of the last record in the range of data to retrieve.
User      Only searches for sessions that used the specified ID.
An accounting search returns a list of users. When you select a user to retrieveinformation for, Server Manager parses the corresponding accounting records anddisplays the information in the Accounting: Detailed Records screen similar to theexample shown in Figure 12-5.
Figure 12-5 Detailed Accounting Record for a Selected User
Format of Accounting Records in the Default Merit Style

RADIUS accounting records store both the user's account information and the user's historical session information. Each record begins with a tab-delimited line of values that represent the default AAA server session information. This information includes time-based values, as well as HP-UX-specific and standard RADIUS A-V pairs. If a value does not exist, N/A appears in the value's placeholder. The first line of a record appears as:

Started-at Reason Log-time resrvd Connect-time Access-ID resrvd Session Token Time-limit From Service-class Filter Service-type

After the first line of a session record, each A-V pair in the accounting message that triggered the logging activity is listed.

NOTE: The default session format (Merit) corresponds to the log_v2_0 setting for the aatv parameter in the log.config file; refer to "The log.config File" (page 539). Alternate formats, Livingston for example, may be specified.
Time-Based Values

Started-at:    The time when the session first arrived at the RADIUS server, expressed as the number of seconds since 00:00:00 GMT, Jan. 1, 1970.
Log-time:      The difference between the time on the machine where this log was written (at the moment it was written) and the start time. Storing an offset rather than a second absolute timestamp is what compresses the data.
Connect-time:  How long (in seconds) the session was known to the local AAA Server host.
Client A-V Pairs

These represent attribute values that describe the client used for authentication and authorization.

User Entry A-V Pairs

The Access-ID, Time-limit, Service-class, and Filter values correspond to A-V pairs (User-Name, Inner-Identity, Session-Timeout, Service-Class, and Filter-Id) that exist in the user profile that corresponds to the session record.
Session Tracking

These non-configurable attributes are used by the server to track sessions.

Reason: Why the record was generated. This is an integer that may be any one of the following:

Table 12-4 Reasons Why The Record Was Generated

Reason         Integer  Billed/Info  Description
AC_NORMAL      0        Billed       Normal disconnect: Modem-Stop record was received for this session.
AC_REJECT      1        Info         Rejected by this LAS: Access rejected by this LAS.
AC_CANCEL      2        Info         Access rejected by someone: Access was rejected after the session was authorized. Modem-Cancel record was received for this session.
AC_OVERTIME    4        Billed       Session over maximum time allowed: Session was on for longer than was authorized.
AC_UNKNOWN     5        Billed       Session ended for unknown reason: Stop (instead of Modem-Stop) record was received for this session.
AC_NOTOKEN     6        Info         Rejected by LAS: no token was available for this session.
AC_NOTLOCAL    7        Billed       Session not local: This session was not local to this LAS, but Modem-Stop was received.
AC_SUSPEND     8        Billed       Session suspended: No checkpoint was received for this session for SESSIONIDLETIME seconds.
AC_FAILED      9        Info         Authentication failed.
AC_AUTHORIZED  10       Info         Session authorized: This record is intended for statistics only.
AC_NASREBOOT   11       Info         The session is released due to NAS reboot.
AC_REMOTE      12       Info         The session is for a remote server; the server failed to forward it.
AC_DUPLICATE   13       Info         Duplicate accounting record received: This record is intended for statistics only.
AC_COLLISION   14       Billed       The session is released due to a NAS and port collision.

Session: Session identifier, an arbitrary string with a maximum length of eight. The identifier is generated as follows: the first four characters are the least significant four hexadecimal digits of the time when the session first arrived at the access server; the last four characters represent an internal counter in the access server, displayed in hexadecimal notation.
NOTE: The session identifier is stored in the RADIUS Class attribute and usedinternally by the AAA server.
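A parser for the Merit-style records described above, added here as a worked example; it is not code from the HP-UX AAA Server product. The first-line field order and the Reason codes of Table 12-4 are taken from this guide. Two things are assumed, because the guide does not state them: records are separated by a blank line, and each A-V pair line after the first line has the form "Attribute = Value". The sample log is constructed. The script decodes the Reason integer, separates Billed from Info records when totalling connect time, and checks that the first four hexadecimal digits of the Session identifier agree with Started-at, which is the consistency check you would want before using these files for billing or an investigation.

```python
"""Parse Merit-style (log_v2_0) accounting records and decode the Reason field.

Added example; not code from the HP-UX AAA Server product. Field order of
the first line and the Reason codes come from Table 12-4 of the guide.
Assumed (not stated in the guide): records are separated by a blank line and
A-V pair lines have the form "Attribute = Value".
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Reason integer -> (symbolic name, counted as Billed) from Table 12-4
REASONS: Dict[int, Tuple[str, bool]] = {
    0: ("AC_NORMAL", True),      1: ("AC_REJECT", False),
    2: ("AC_CANCEL", False),     4: ("AC_OVERTIME", True),
    5: ("AC_UNKNOWN", True),     6: ("AC_NOTOKEN", False),
    7: ("AC_NOTLOCAL", True),    8: ("AC_SUSPEND", True),
    9: ("AC_FAILED", False),     10: ("AC_AUTHORIZED", False),
    11: ("AC_NASREBOOT", False), 12: ("AC_REMOTE", False),
    13: ("AC_DUPLICATE", False), 14: ("AC_COLLISION", True),
}

# Field order of the first (tab-delimited) line of every Merit record
FIELDS = ("Started-at", "Reason", "Log-time", "resrvd", "Connect-time",
          "Access-ID", "resrvd2", "Session", "Token", "Time-limit", "From",
          "Service-class", "Filter", "Service-type")

# Constructed sample: three records in the assumed layout, not real data
SAMPLE_LOG = (
    "1272700000\t0\t3600\tN/A\t3600\talice\tN/A\tdc600001\tN/A\t86400\t"
    "10.0.0.2\tN/A\tN/A\tFramed-User\n"
    "User-Name = alice\nNAS-IP-Address = 10.0.0.2\nAcct-Status-Type = Stop\n"
    "\n"
    "1272700000\t13\t3605\tN/A\t3600\talice\tN/A\tdc600001\tN/A\t86400\t"
    "10.0.0.2\tN/A\tN/A\tFramed-User\n"
    "User-Name = alice\nAcct-Status-Type = Stop\n"
    "\n"
    "1272703600\t14\t120\tN/A\t120\tbob\tN/A\t00010002\tN/A\tN/A\t"
    "10.0.0.2\tN/A\tN/A\tFramed-User\n"
    "User-Name = bob\nAcct-Status-Type = Stop\n"
)


@dataclass
class SessionRecord:
    header: Dict[str, str]
    avpairs: Dict[str, str] = field(default_factory=dict)

    @property
    def reason_name(self) -> str:
        return REASONS.get(int(self.header["Reason"]), ("AC_?", False))[0]

    @property
    def billed(self) -> bool:
        return REASONS.get(int(self.header["Reason"]), ("AC_?", False))[1]

    @property
    def log_written_at(self) -> int:
        # Log-time is stored as an offset from Started-at to compress the data
        return int(self.header["Started-at"]) + int(self.header["Log-time"])

    def session_id_matches_start(self) -> bool:
        # First four hex digits of Session = low 16 bits of the arrival time
        sid = self.header["Session"]
        if len(sid) != 8:
            return False
        try:
            return int(sid[:4], 16) == int(self.header["Started-at"]) & 0xFFFF
        except ValueError:
            return False


def parse_session_log(text: str) -> List[SessionRecord]:
    """Split the file into records and the header line into named fields."""
    records = []
    for block in text.strip().split("\n\n"):
        lines = block.strip().splitlines()
        cols = lines[0].split("\t")
        if len(cols) != len(FIELDS):
            raise ValueError("expected %d fields, got %d" % (len(FIELDS), len(cols)))
        avp = {}
        for line in lines[1:]:
            name, sep, value = line.partition(" = ")
            if sep:
                avp[name.strip()] = value.strip()
        records.append(SessionRecord(dict(zip(FIELDS, cols)), avp))
    return records


def billable_seconds(records: List[SessionRecord]) -> int:
    """Sum Connect-time over records whose Reason is classed as Billed."""
    return sum(int(r.header["Connect-time"]) for r in records if r.billed)


def anomalies(records: List[SessionRecord]) -> List[str]:
    """Records an operator should look at before trusting the totals."""
    found = []
    for r in records:
        sid = r.header["Session"]
        if r.reason_name in ("AC_DUPLICATE", "AC_COLLISION"):
            found.append("%s: %s" % (sid, r.reason_name))
        if not r.session_id_matches_start():
            found.append("%s: Session identifier does not match Started-at" % sid)
    return found


if __name__ == "__main__":
    recs = parse_session_log(SAMPLE_LOG)
    print("billable seconds:", billable_seconds(recs))
    for line in anomalies(recs):
        print("check:", line)
```

Run it against a real session.yyyy-mm-dd.log by replacing SAMPLE_LOG with the file contents; if the records are laid out differently from the assumed blank-line separation, adjust the split in parse_session_log rather than the field table, which follows the guide.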
Writing Livingston CDR Accounting Records

It is not possible to make these changes through the Server Manager graphic interface; you must modify configuration files with a text editor.

1. Open the log.config configuration file (found in /etc/opt/aaa by default).
2. Locate the following lines, which should be found at the beginning of the file:

   # Default logging configuration if there is no log.config file.
   #
   stream *default* {
       aatv log_v2_0
       buffer 1
       close on
       filename session.%Y-%m-%d.log
       update 900
       wrap 3
   }
   end

3. Change aatv log_v2_0 to aatv log_acct.
4. Save and close the file.
5. Restart the server if it is currently running.
Livingston CDR Session Record Format

Each record of a user's session begins with Date and Time, followed by a list of Attribute-Value pairs, one below the other. This information includes time-based values as well as specific and standard RADIUS A-V pairs.

Date and time
    User-Name = <>
    NAS-IP-Address = <>
    NAS-Port = <>
    Class = <>
    Acct-Status-Type = <>
    User-Identifier = <>
    NAS-Identifier = <>
    Date-Time = <>
    Time-Of-Day = <>
    Day-Of-Week = <>
    User-Realm = <>
    LAS-Start-Time = <>
    LAS-Code = <>
    LAS-Duration = <>
The above session record will also include any additional A-V pairs that were includedin an Accounting-Request message. The attribute value pair displayed above may differdepending on the server configuration.
NOTE: Merit is the default logging format.
Changing the Accounting Log Filename

1. Open the log.config configuration file (found in /etc/opt/aaa by default).
2. Locate the following lines, which should be found at the beginning of the file:

   # Default logging configuration if there is no log.config file.
   #
   stream *default* {
       aatv log_v2_0
       buffer 1
       close on
       filename session.%Y-%m-%d.log
       update 900
       wrap 3
   }
   end

3. Change session.%Y-%m-%d.log to the filename syntax you wish to use.
4. Save and close the file.
5. Restart the server if it is currently running.

Changing the Accounting Log Rollover Interval

The log rollover interval (how often a new log file is created to store accounting records) is determined by the timestamp portion of the filename. To change the interval, follow the steps in "Changing the Accounting Log Filename" (page 150). The logging interval changes to the smallest unit of time in the timestamp portion of the filename. For example, %Y-%m-%d-%H changes the rollover interval to hourly.
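The three procedures above all edit the same stream block by hand. The following script, added as an example and not part of the HP-UX AAA Server product, makes the same edits programmatically: it switches aatv between log_v2_0 (Merit) and log_acct (Livingston CDR), changes the filename pattern, and reports the rollover interval that the smallest timestamp unit in the filename implies, so you can confirm the effect before restarting. It assumes the block layout shown above (one "keyword value" per line inside stream *default* { ... }) and strftime-style conversions in the filename; the embedded copy of the default block is constructed from this guide, and restarting the server afterwards remains a manual step.

```python
"""Edit the *default* accounting stream in log.config and report the rollover
interval implied by the filename's timestamp.

Added example; not code from the HP-UX AAA Server product. Assumes the block
layout shown in the guide and strftime conversions (%Y %m %d %H %M %S) in the
filename. Restart radiusd yourself after writing the file.
"""
import re
import shutil
from pathlib import Path
from typing import Callable, Optional

# Constructed copy of the default stream block shown in the guide
DEFAULT_LOG_CONFIG = """\
# Default logging configuration if there is no log.config file.
#
stream *default* {
    aatv log_v2_0
    buffer 1
    close on
    filename session.%Y-%m-%d.log
    update 900
    wrap 3
}
end
"""

STREAM_RE = re.compile(r"stream\s+\*default\*\s*\{(.*?)\}", re.S)

# The smallest strftime unit present in the filename sets the rollover interval
UNIT_ORDER = (("%S", "every second"), ("%M", "every minute"), ("%H", "hourly"),
              ("%d", "daily"), ("%m", "monthly"), ("%Y", "yearly"))


def rollover_interval(filename_pattern: str) -> str:
    for conv, label in UNIT_ORDER:
        if conv in filename_pattern:
            return label
    return "never (filename has no timestamp)"


def _stream_body(config_text: str):
    m = STREAM_RE.search(config_text)
    if m is None:
        raise ValueError("no 'stream *default*' block in log.config")
    return m


def stream_option(config_text: str, keyword: str) -> Optional[str]:
    """Return the value of `keyword` inside the *default* stream, or None."""
    body = _stream_body(config_text).group(1)
    m = re.search(r"^[ \t]*%s[ \t]+(\S.*?)[ \t]*$" % re.escape(keyword), body, re.M)
    return m.group(1) if m else None


def set_stream_option(config_text: str, keyword: str, value: str) -> str:
    """Replace (or append) `keyword value` inside the *default* stream only,
    leaving comments and any other stream blocks untouched."""
    m = _stream_body(config_text)
    body = m.group(1)
    line_re = re.compile(r"^([ \t]*)%s[ \t]+\S.*$" % re.escape(keyword), re.M)
    if line_re.search(body):
        new_body = line_re.sub(lambda mm: mm.group(1) + keyword + " " + value,
                               body, count=1)
    else:
        new_body = body.rstrip() + "\n    " + keyword + " " + value + "\n"
    return config_text[:m.start(1)] + new_body + config_text[m.end(1):]


def use_livingston_cdr(config_text: str) -> str:
    return set_stream_option(config_text, "aatv", "log_acct")


def use_merit(config_text: str) -> str:
    return set_stream_option(config_text, "aatv", "log_v2_0")


def set_filename(config_text: str, pattern: str) -> str:
    return set_stream_option(config_text, "filename", pattern)


def rewrite_log_config(path, transform: Callable[[str], str]) -> str:
    """Apply `transform` to a log.config file, keeping a .bak copy first."""
    p = Path(path)
    shutil.copy2(p, p.with_name(p.name + ".bak"))
    new_text = transform(p.read_text())
    p.write_text(new_text)
    return new_text


if __name__ == "__main__":
    hourly = set_filename(use_livingston_cdr(DEFAULT_LOG_CONFIG),
                          "session.%Y-%m-%d-%H.log")
    print(hourly)
    print("rollover:", rollover_interval(stream_option(hourly, "filename")))
```

To apply it to a live server, call rewrite_log_config("/etc/opt/aaa/log.config", use_livingston_cdr) as a user that can write the file, then restart the server as the procedure above says; the .bak copy lets you revert if the new format breaks a downstream billing parser.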
Rolling Over the Log File and Accounting Stream and Setting the Log Level

You can roll over the server log file and accounting stream and set the log level using the radsignal command as follows:

radsignal [-h] [-v]
radsignal [-di ipcdir] pid level
radsignal [-di ipcdir] pid roll logfile
radsignal [-di ipcdir] pid roll stream [stream-name]
radsignal [-di ipcdir] log level msg_type msg_sub_type log_level

Where:

pid      The process ID of radiusd. This can be determined with the command:
         % ps -eaf | grep radiusd

level    One of the following debug levels to set:
         0  Debug logging disabled.
         1  Minimal information.
         2  Level 1 information, high-level FSM output, and some function tracing.
         3  Level 2 information and complete function tracing.
         4  Level 3 information along with low-level FSM and configuration file output.
         Levels 3 and 4 are for troubleshooting: they produce large logs, and level 4 echoes configuration file contents into the log, so set the level back to 0 once the problem is diagnosed.

roll     Immediately roll the log file or an accounting stream. Use it together with the keyword logfile or stream.

logfile  The AAA Server log file.

stream stream-name
         The AAA server accounting stream. If stream-name is not specified, the default stream (*default*) is used. Use it together with the keyword roll.

radsignal has the following options:

-h          Displays a help message.

-v          Displays version information.

-di ipcdir  The directory where the radiusd shared memory files are located. If omitted, the default is /var/opt/aaa/ipc.

log level msg_type msg_sub_type log_level
            Sets the log level for the specified RADIUS message type.
            msg_type specifies the RADIUS message type for which the log level should be set. It should be one of the following:
            • auth: Authentication messages.
            • acct: Accounting messages.
            • disconn: Disconnect messages.
            • coa: Change-Of-Authorization messages.
            • all: All the above messages.
            msg_sub_type specifies the sub type of msg_type for which the log level should be set. It should be one of the following:
            • req: Request messages.
            • resp: Response messages.
            • ack: Ack response messages.
            • nak: Nak response messages.
            • all: All the above messages.
            log_level specifies the log level to be set for msg_type and msg_sub_type. It should be one of the following:
            • suppress: Suppresses all the log messages for msg_type and msg_sub_type.
            • low: Provides minimal information in the log messages for msg_type and msg_sub_type.
            • default: Provides detailed information in the log messages for msg_type and msg_sub_type. This is the default value.

See the radsignal man page for more information.
Part III Advanced Configuration Information

This part of the HP-UX AAA Server Administrator's Guide contains the following chapters:
• Chapter 13: "Securing LAN Access With EAP" (page 159)
• Chapter 14: "Managing Sessions" (page 169)
• Chapter 15: "Assigning IP Addresses" (page 174)
• Chapter 16: "OATH Standards-Based OTP Authentication" (page 179)
• Chapter 17: "Configuring EAP-SIM and EAP-AKA Authentication Methods" (page 224)
• Chapter 18: "Configuring HP-UX AAA Server for Scalability and High-Availability" (page 273)
• Chapter 19: "Configuring the HP-UX AAA Server for Client Functionality" (page 291)
• Chapter 20: "Configuring the HP-UX AAA Server for Dynamic Authorization" (page 297)
Table of Contents

13 Securing LAN Access With EAP ........ 159
    Overview ........ 159
        The Secure LAN Advisor ........ 159
    Preparing Your LAN ........ 160
    Determining the EAP Authentication Method to Use ........ 161
    Securing WLANs with the HP-UX AAA Server ........ 164
    Digital Certificate Administration ........ 164
        Using the "Self-Signed" Digital Certificates ........ 165
        Installing Your Own Digital Certificates and Keys ........ 166
            Installing Server Certificates and Keys ........ 166
            Installing Client Certificates and Keys ........ 167
            Defining Certificate Locations on the HP-UX AAA Server ........ 167

14 Managing Sessions ........ 169
    Session Logs ........ 169
        Displaying Session Attributes ........ 169
        Stopping a Session ........ 170
    Session Limits ........ 170
        Setting Limits on a User-by-User Basis ........ 171
            Setting Timeout Values ........ 171
            Establishing a Filter ........ 171
            Limiting Access Points (NAS-Port, NAS-ID, Calling-Station ID, and others) ........ 171
            Denying Access (Called-Station-ID and others) ........ 172
            Limiting Simultaneous Sessions ........ 172
        Setting Limits for Users on a Global Basis ........ 173
            Setting Limits for All User Profiles Grouped by Realms ........ 173

15 Assigning IP Addresses ........ 174
    Assigning Static IP Addresses ........ 174
        To Assign a Static IP (IPv4) Address to a Profile in Flat Files ........ 174
        To Assign a Static IPv6 Address to a Profile in Flat Files ........ 175
        To Assign Static Traditional IP (IPv4) Addresses to a User Profile in an LDAP LDIF File ........ 177
        To Assign Static IPv6 Addresses to a User Profile in an LDAP LDIF File ........ 178
    Assigning Dynamic IP Addresses Using DHCP ........ 178

16 OATH Standards-Based OTP Authentication ........ 179
    OTP and OATH Overview ........ 179
    HP-UX AAA Server and OATH Support ........ 180
    Supported OTP Functions for RADIUS Standard Password (PAP) and MS-CHAP v2 ........ 182
    Components Required to Configure OTP Authentication ........ 182
    Configuring OTP Authentication on the HP-UX AAA Server ........ 183
        OTP Authentication Configuration Flowchart ........ 183
        Basic or Typical Configuration ........ 186
        Advanced Configuration ........ 187
            Advanced OTP Authentication Configuration Concepts ........ 187
                Attributes for Configuring OTP Authentication ........ 192
            Advanced Deployment Scenarios ........ 199
                Validating OTP Alone ........ 200
                Configuring Two-Factor Authentication ........ 202
                OTP or Password Validation at External RADIUS Server ........ 210
        Predefined Mapping and Conversion Functions ........ 217
        Sample Configuration Files ........ 217
            The sqlaccess.config Sample File ........ 217
            Sample Policy Files ........ 220
                The oath-request-ingress.grp Sample File ........ 221
                The oath-reply-egress.grp Sample File ........ 221
                The oath-proxy-egress.grp Sample File ........ 222

17 Configuring EAP-SIM and EAP-AKA Authentication Methods ........ 224
    EAP-SIM ........ 224
        Overview ........ 224
        EAP-SIM Authentication Using HP-UX AAA Server ........ 225
        Features ........ 227
        Benefits ........ 228
        Configuring EAP SIM ........ 228
            EAP-SIM Client Configuration ........ 228
            EAP-SIM User Credential Lookup Configuration ........ 228
            EAP-SIM Realm-Based Configurations ........ 229
                Realm-Based EAP-SIM Configuration Information in authfile ........ 229
                Realm-Based EAP-SIM Configuration Information in EAP.authfile ........ 232
            Global EAP-SIM Configuration in aaa.config ........ 235
    EAP-AKA ........ 236
        Overview ........ 236
        EAP-AKA Authentication Using HP-UX AAA Server ........ 236
        Features ........ 237
        Benefits ........ 238
        Configuring EAP-AKA ........ 239
            EAP-AKA Client Configuration ........ 239
            EAP-AKA User Credential Lookup Configuration ........ 239
            EAP-AKA Realm-Based Configurations ........ 240
                Realm-Based EAP-AKA Configuration Information in authfile ........ 240
                Realm-Based EAP-AKA Configuration Information in EAP.authfile ........ 242
            Global EAP-AKA Configuration in aaa.config ........ 247
    Fast Re-Authentication ........ 248
        Configuring for Fast Re-Authentication ........ 248
            Configuring for Fast Re-Authentication in EAP.authfile ........ 248
                Sample EAP.authfile Configuration for Fast Re-authentication ........ 250
            Configuring for Fast Re-Authentication in aaa.config File ........ 251
                Sample aaa.config Configuration for Fast Re-authentication ........ 251
        Guidelines to Write EAP-SIM and EAP-AKA Fast Re-Authentication Database AATVs ........ 252
            Fast Re-Authentication Database Update AATV ........ 253
                Update AATV Inputs ........ 253
                Update AATV Outputs ........ 254
                AATV Functionality and Return Events ........ 254
            Fast Re-Authentication Database Lookup AATV ........ 254
                Lookup AATV Inputs ........ 254
                Lookup AATV Outputs ........ 255
                Lookup AATV Functionality and Return Events ........ 256
    Pseudonym Identities ........ 256
        Random Pseudonyms ........ 256
        Algorithm-Based Pseudonyms ........ 257
        Configuring for Pseudonym Identity Support ........ 258
            Sample EAP.authfile Configuration for Random Pseudonym Identity Support ........ 260
            Sample EAP.authfile Configuration for Algorithm-based Pseudonym Identity Support ........ 261
            Sample aaa.config Configuration for Algorithm-based Pseudonym Identity Support ........ 262
        Guidelines to Write EAP-SIM and EAP-AKA Pseudonym Database AATVs ........ 262
            Pseudonym Database Update AATV ........ 264
                Update AATV Inputs ........ 264
                Update AATV Outputs ........ 265
                AATV Functionality and Return Events ........ 265
            Pseudonym Database Lookup AATV ........ 265
                Lookup AATV Inputs ........ 265
                Lookup AATV Outputs ........ 266
                Lookup AATV Functionality and Return Events ........ 268
    Generating Authentication Vectors Using A3, A8, and AKA Algorithms ........ 268
        3GPP Milenage A3, A8, and AKA Algorithm ........ 269

18 Configuring HP-UX AAA Server for Scalability and High-Availability ........ 273
    Overview ........ 273
    Scalability and High-Availability Concepts ........ 274
        Grouping HP-UX AAA Servers ........ 274
        HP-UX AAA Server Attributes ........ 274
    HP-UX AAA Server Deployment for Scalability and High-Availability ........ 274
    Managing Multiple HP-UX AAA Servers For Scalability and High-Availability ........ 276
        Administering HP-UX AAA Servers Using HP-UX AAA Server Manager ........ 276
            Logging In ........ 277
            Adding a Group ........ 278
            Modifying a Group ........ 279
            Deleting a Group ........ 279
            Adding a Server ........ 280
            Modifying a Server ........ 284
            Deleting a Server ........ 284
            Cloning a Server ........ 284
        Administering HP-UX AAA Servers Using HP-UX AAA Server Admin Tool (Command Line) ........ 287
            rad_admin Syntax ........ 287
            Examples of Administering Multiple HP-UX AAA Servers ........ 288
            Administering HP-UX AAA Servers Using Interactive User Interface ........ 288
    Disaster Recovery of the HP-UX AAA Server Manager ........ 289

19 Configuring the HP-UX AAA Server for Client Functionality ........ 291
    Overview ........ 291
    CLIENT AATV ........ 292
        Configuring CLIENT AATV ........ 292
        Working of the CLIENT AATV ........ 292
    Supported APIs ........ 294
    Internal Attributes and Mapping Functions ........ 295

20 Configuring the HP-UX AAA Server for Dynamic Authorization ........ 297
    Dynamic Authorization Overview ........ 297
    HP-UX AAA Server and Dynamic Authorization ........ 297
    Processing of Dynamic Authorization Requests ........ 298
    Configuring for Dynamic Authorization ........ 300
        Basic Configuration ........ 301
        Advanced Configuration ........ 302
            Migrating Existing SQL Access Deployments for Dynamic Authorization ........ 302
            Configuring Multiple HP-UX AAA Servers as a Group ........ 304
                Configuring for Disconnect and CoA Request Processing ........ 306
                Dedicated HP-UX AAA Servers for Dynamic Authorization ........ 311
            Dynamic Authorization in Authorize Only Mode ........ 316
                Configuring for Dynamic Authorization in Authorize Only Mode ........ 317
            Configuring for Proxy Functionality ........ 319
                Configuring for Dynamic Authorization Proxy Functionality ........ 320
            Configuring for Failover ........ 321
            Security Consideration in Dynamic Authorization ........ 321
                Replay Protection ........ 321
                Message-Authenticator ........ 324
                Reverse Path Forwarding Check for Proxies ........ 324
    Sample Configuration Files ........ 326
        The client-request-init.grp.dynauth Sample File ........ 327
        The client-reply-ingress.grp.dynauth Sample File ........ 327
        The sqlaccess.config.dynauth Sample File ........ 327
        The sqlaccess.config.dynauth_server_group Sample File ........ 329
        The dbsetup.sql.dynauth_server_group Sample File ........ 331
13 Securing LAN Access With EAP
IMPORTANT: The EAP-LEAP authentication method is obsolete in this release of theHP-UX AAA Server. The EAP-LEAP authentication method is replaced by theEAP-PEAP authentication method. HP recommends that you use EAP-PEAP in placeof EAP-LEAP for improved security. Unlike EAP-LEAP, EAP-PEAP supports mutualauthentication and uses an encrypted tunnel to transmit the user's credentials.
This chapter provides information about securing LANs with EAP using the HP-UXAAA Server. Refer to the Secure LAN Advisor in the Server Manager interface forstep-by-step instructions.
Overview

The HP-UX AAA Server provides a security framework to support EAP authentication mechanisms for LAN users. It allows authentication of wireless users with password-based or non-password-based mechanisms and supports dynamic key generation for data encryption between the access point and wireless stations.

The Secure LAN Advisor

The Secure LAN Advisor is an HTML tutorial/help system in the Server Manager GUI that walks you through the tasks and Server Manager screens for securing WLANs with the HP-UX AAA Server. The Secure LAN Advisor provides information only; it does not edit configuration files. Follow the Secure LAN Advisor and use Server Manager to create and deploy basic AAA configurations for securing WLANs.

For information on EAP-SIM and EAP-AKA, see Chapter 17 (page 224).

The following graphic shows the Secure LAN Advisor used to quickly secure WLANs with the HP-UX AAA Server:
Figure 13-1 The Secure LAN Advisor For Securing WLANs
Preparing Your LAN

A LAN requires you to synchronize items on the supplicant, access point, and AAA server. The following table lists the items you need to synchronize on each node and provides notes on configuring each item.
Table 13-1 LAN Configuration Items

Item: Shared Secret
Nodes: Access Device, AAA Server
Notes: The shared secret configured on the access device and AAA server must match for the two to communicate. Use the Access Devices link to configure this item on AAA servers.

Item: EAP Support
Nodes: Access Device
Notes: Most access devices require you to enable EAP. You do not need to specify an EAP method, but you must enable support for EAP.

Item: EAP Method
Nodes: Client Supplicant, AAA Server
Notes: Verify the supplicants support the EAP methods the AAA server supports. Enable EAP on the supplicants. Configure the same EAP method on the supplicant and the AAA server. Use the Local Realms link to configure this item on AAA servers.

Item: EAP Tunnel Realm
Nodes: Client Supplicant, AAA Server
Notes: Required for TTLS. Verify the supplicant has an anonymous user configured on it, and configure a tunnel realm for that anonymous user on the AAA server. For example, if the supplicant's anonymous user is [email protected], you should configure a realm for tunnel.com. You must configure tunnel realms for TTLS. Configuring tunnel realms for PEAP is optional. Use the Local Realms link to configure this item on AAA servers.

Item: Users
Nodes: AAA Server
Notes: The AAA server must have access to a repository with information for each user. Use the Local Realms link and select the users icon to administer a specific set of Users associated with a realm.

Item: Client Certificate
Nodes: Client Supplicant
Notes: For TLS only. The digital certificate identifying the client.

Item: Client CA Certificate
Nodes: AAA Server
Notes: For TLS only. Used by the AAA server to authenticate client certificates. Use the Server Properties link and select Certificate Path Properties. In the Certificate Authority Path field, configure the location of the client CA certificate on the AAA server.

Item: Server Certificate
Nodes: AAA Server
Notes: For TLS, TTLS, and PEAP only. The digital certificate identifying the AAA server. Use the Server Properties link and select Certificate Path Properties. In the Certificate Path field, configure the location of the server certificate on the AAA server.

Item: Server CA Certificate
Nodes: Client Supplicant
Notes: For TLS, TTLS, and PEAP only. Used by clients to authenticate the AAA server certificate.
Determining the EAP Authentication Method to Use
Choose EAP methods based on your security requirements and the clients you support. First, create an inventory of the clients you support. Clients need specific supplicant software for each EAP method (LAN access devices must only support EAP). For wireless clients, you must use supplicants that support the hardware platforms, operating systems, and WLAN cards in your environment. Ideally, you should try to use client hardware and software that allows you to use one EAP method for all your clients. This may mean avoiding solutions that are proprietary or support only a small variety of clients.
Next, determine which of the following features are important to you:
1. Dynamic Key Exchange—Distributes a user-specific encryption key to the client and access device during the authentication process. Without this feature, all clients must share the same static encryption key.
2. Mutual Authentication—Protects against unauthorized (rogue) access devices by allowing clients to authenticate the network they are connecting to.
3. Password-based Authentication—Clients provide a password to authenticate to the network. Typically the password is sent to the server in a hashed (one-way encrypted) form. If you are integrating with an existing password storage format, be sure the EAP method you choose is compatible with the password storage format. For the most flexibility, choose an EAP method that allows the AAA server to access the password in clear text (for example, the PAP password format). Storing passwords in clear text requires you to use EAP methods that encrypt the channel between the client and the access point (like TTLS or PEAP).
4. Digital Certificate/Token Card-based Authentication—Uses a token card, smart card, or digital certificate assigned to each user for authentication. This feature must be deployed in an environment with supporting infrastructure—for example, an organization with a PKI and user-specific certificates.
5. Encrypted Tunnel—Establishes an encrypted channel to securely deliver authentication messages and encryption keys. The encrypted tunnel encapsulates another EAP method that provides the actual user authentication. Encrypted tunnels are good for securing authentication methods that are vulnerable when not encapsulated in an encrypted tunnel.
6. OATH standards-based OTP and two-factor authentication—Uses the OATH standards-based HOTP algorithm to provide OTP authentication. Typically, OTP can be used to provide two-factor authentication, thus providing a higher level of security than using passwords alone.
NOTE: The HP-UX AAA Server supports only the following EAP authentication methods for OTP authentication:
• PEAP (EAP-GTC)
• TTLS (PAP and MS-CHAP v2)
The HP-UX AAA Server also supports EAP-SIM and EAP-AKA for mobile communication networks. For information on EAP-SIM and EAP-AKA, see Chapter 17 (page 224).
The following table lists the EAP methods the HP-UX AAA Server supports and which of the above features each method offers. Use the table and your inventory information to help decide which EAP method to use.
Table 13-2 Supported EAP Methods and Their Features

EAP Method: TTLS
Features: 1, 2, 3, 5, 6
Description: Tunneled TLS: Can carry additional EAP or legacy authentication methods like PAP and CHAP. Integrates with the widest variety of password storage formats and existing password-based authentication systems. Supplicants available for a large number of clients.

EAP Method: PEAP
Features: 1, 2, 5, 6
Description: Protected EAP: Functionally very similar to TTLS, but does not encapsulate legacy authentication methods.

EAP Method: TLS
Features: 1, 2, 4, 5
Description: Transport Layer Security: Uses TLS (also known as SSL) to authenticate the client using its digital certificate.
NOTE: Some supplicants require specific extensions to support certificates for EAP.

EAP Method: MD5
Features: 3
Description: Message Digest 5: Passwords are hashed using the MD5 algorithm. Can be deployed for protecting access to LAN switches where the authentication traffic will not be transmitted over airwaves. Can also be safely deployed for wireless authentication inside EAP tunnel methods (see feature 5 above).

EAP Method: MS-CHAP
Features: 2, 3
Description: Microsoft Challenge Handshake Authentication Protocol: Passwords are hashed using a Microsoft algorithm. Can be deployed for protecting access to LAN switches where the authentication traffic will not be transmitted over airwaves. Can also be safely deployed for wireless authentication inside EAP tunnel methods (see feature 5 above).

EAP Method: GTC
Features: 4, 6
Description: Generic Token Card: Carries user-specific token cards for authentication.
NOTE: If you are using TLS, TTLS, or PEAP, be sure you configure the required digital certificates after you configure all your realms.
Securing WLANs with the HP-UX AAA Server
The following is the list of the steps for securing WLANs with the HP-UX AAA Server. Use the Secure LAN Advisor and refer to each specific section in this guide for more information on each step.
1. Access Server Manager. See “Accessing the Server Manager” (page 71) for more information.
2. Open the Secure LAN Advisor for online reference by selecting Secure LAN Advisor in the navigation tree. See “The Secure LAN Advisor” (page 159) for more information.
3. Load a AAA server configuration into Server Manager by selecting Load in the navigation tree. See “Loading and Saving Your Configuration” (page 94) for more information.
4. Identify the RADIUS clients that will send access requests to the AAA server by selecting Access Devices in the navigation tree. See “Navigating the Access Devices Screen” (page 100) for more information.
5. Configure realms for the encrypted tunnels if you are using TTLS, or optionally for PEAP. See “Adding a Realm” (page 105) for more information.
6. Configure your realms to set the authentication methods the AAA server will use to authenticate your users, and to indicate where the AAA server should look for user information. See “Adding a Realm” (page 105) for more information.
7. Configure digital certificates if you are using TLS, TTLS, or PEAP. See “Digital Certificate Administration” (page 164) for more information.
8. Configure user profiles to identify each user accessing services through the AAA server.
9. Deploy the AAA configuration to secure your LAN by:
a. saving the configuration to one or more AAA servers
b. stopping and starting the AAA servers in the configuration
Digital Certificate Administration
Some security methods (like TLS, TTLS, or PEAP) use digital certificates assigned to each user for authentication. If your organization has a Public Key Infrastructure (PKI), you can deploy digital certificates for user authentication. The following is a list of the certificates involved:
• Server certificate—digital certificate identifying the server.
• Server CA certificate—a copy of the certificate for the authority that issued the server certificate.
• Client certificate—if clients will be authenticated by digital certificates (EAP-TLS), install a certificate on each client and add the client CA to the AAA server’s CA list.
• Client CA certificate—a copy of the certificate for the authority that issued the client certificate.
NOTE: If you are supporting multiple realms, configure digital certificates after youadd all of your realms.
Using the “Self-Signed” Digital Certificates
The HP-UX AAA Server creates a unique set of “self-signed” digital certificates during installation that are based on its DNS name. Server Manager uses these certificates by default. You can use the self-signed certificates in production environments for TTLS and PEAP, and in testing environments for TLS. The self-signed server certificates are in /etc/opt/aaa/security/.
The following is a list of the self-signed certificates located in /etc/opt/aaa/security/:
• rsa_cert.pem — AAA server certificate
• rsa_key.pem — AAA server key
• ca_list.pem — list of client CA certificates
• demouser.p12 — sample client certificate
• root.cer — CA for AAA server certificate
For TTLS and PEAP
If you are using TTLS or PEAP, the default certificates are safe to deploy in your production environment. The AAA server is its own Certificate Authority. If you are managing multiple AAA servers, you must have the same set of digital certificates on each server in your configuration. Pick one of your AAA servers and copy the set of self-signed digital certificates to every AAA server in the configuration. You should save each AAA server's original self-signed certificates for future use.
Copy /etc/opt/aaa/security/root.cer to the CA storage on supplicants that enable server certificate checking.
For TLS
If you are using TLS, use the default certificates to familiarize yourself with TLS certificate administration before you deploy your own enterprise certificates.
1. Copy /etc/opt/aaa/security/root.cer to the CA storage on the supplicant.
2. Copy /etc/opt/aaa/security/demouser.p12 to the user certificate storage on the supplicant:
• the pass phrase for demouser.p12 is: 1234
• the user name for demouser.p12 is: [email protected]
3. Configure a TLS realm for eap.realm on the AAA server.
Installing Your Own Digital Certificates and Keys
You can use your own certificates if your organization has a PKI and you don’t want to use the self-signed certificates included with the HP-UX AAA Server. Refer to the supplicant documentation to determine each supplicant’s specific certificate requirements.
NOTE: HP recommends using the self-signed certificates included with the HP-UXAAA Server to simulate your certificate administration before deploying your ownpersonal certificates in a production environment.
The HP-UX AAA Server has the following digital certificate requirements:
• all certificate files stored on the HP-UX AAA Server must be in .pem or .cer format
• the server’s certificate must be generated with a key file that is not encrypted with a pass-phrase
• for TLS only, the Common Name (CN) on the client certificate will be used as the user name and therefore must be fewer than 128 ASCII characters and cannot include the < > ( ) [ ] \ / . , ; : or space characters.
NOTE: Refer to the supplicant documentation to determine each supplicant’s specificcertificate requirements. For example, some supplicants require the client and servercertificate to have the Enhanced Key Usage (EKU) field. For the client certificate, theEnhanced Key Usage (EKU) field must contain the Client Authentication certificatepurpose (OID "1.3.6.1.5.5.7.3.2"); and, for the server certificate, the EKU field mustcontain the Server Authentication certificate purpose (OID "1.3.6.1.5.5.7.3.1").
Installing Server Certificates and Keys
Copy the server certificate and key file to the HP-UX AAA Server in the /etc/opt/aaa/security/ directory.
• If you are using TLS, copy the client CA certificate to the /etc/opt/aaa/security/ directory. You can combine multiple CA files into one file.
• For TLS users whose certificates have been revoked, copy or append their certificates to the Certificate Revocation List (CRL) file.
Installing Client Certificates and Keys
1. Copy the server CA certificate to the client.
2. Copy the client certificate to the client (for TLS only).
3. Use your supplicant’s utility to install and configure the certificates.
Defining Certificate Locations on the HP-UX AAA Server
The HP-UX AAA Server uses its self-signed certificates by default. If you want to use your own certificates, you must define where the required certificates reside on the AAA server. The following steps illustrate how to define certificate locations:
1. In the navigation tree, click Server Properties.
2. Click Certificate Properties.
The Certificate Properties pane opens as shown in Figure 13-2.
Figure 13-2 Server Manager’s Certificate Properties Screen
3. Define the locations of certificates by entering the path, and clicking Create. The following list explains how to enter the path names in these fields:
• Server Certificate Path: For TLS, TTLS, and PEAP. Enter the fully-qualified file name of the AAA server certificate in .pem or .cer format.
• Server Private Key Path: Enter the fully-qualified file name of a file in .pem or .cer format that contains the private key used to generate the AAA server certificate. This file cannot be encrypted.
• Client Certificate Authority Path: For TLS only. Enter the fully-qualified file name of the CA certificate for the client certificate. Used by the AAA server to authenticate client certificates. The CA certificate for the client certificate must be in .pem format.
• Random Seed Path: For TLS, TTLS, and PEAP. Enter the fully-qualified file name of a file containing random data used to seed the random engine for TLS-based EAP mechanisms. This file can contain any random data.
• Certificate Revocation List Path: For TLS. Enter the fully-qualified file name of a list of prohibited client certificates. The file must be in .pem or .cer format.
• Client User Name Attribute: Used for EAP-TLS based authentication. Identifies the attribute in the user digital certificate from which to retrieve the user’s name. This must match the user name configured on the supplicant (client) software. The HP-UX AAA Server then checks the user name in the certificate against the user name supplied in the EAP-TLS authentication request. Select “Disabled” to disable this check. You can select any one of the following attribute values:
— Subject:CommonName (default): Use the CommonName (CN) in the Subject attribute
— Subject:EmailAddress: Use the Email Address (E) in the Subject attribute
— SubjectAltName:RFC822Name: Use the RFC822Name in the SubjectAltName attribute
— Check All Attributes: Search all the above three fields for a matching name
— Disabled: Ignore comparing the user name with the certificate name
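The following is an added example, not HP-UX AAA Server code, that models the Client User Name Attribute check above together with the CN rules from the certificate requirements earlier in this chapter. The certificate is a constructed dict of already-parsed fields (no X.509 parsing), and all function and field names are assumptions.

```python
"""Model of the EAP-TLS user-name-versus-certificate check (added example)."""

# Characters the guide forbids in a TLS client-certificate Common Name.
FORBIDDEN_CN_CHARS = set('<>()[]\\/.,;: ')
MAX_CN_LEN = 128

# The selectable "Client User Name Attribute" values from the guide.
MODES = ("Subject:CommonName", "Subject:EmailAddress",
         "SubjectAltName:RFC822Name", "Check All Attributes", "Disabled")

# Constructed sample certificate fields (hypothetical values, not from the guide).
DEMO_CERT = {
    "subject": {"CN": "demouser", "E": "demouser@example.com"},
    "subjectAltName": {"rfc822Name": ["demouser@example.com"]},
}


def cn_is_valid(cn: str) -> bool:
    """Apply the CN rules: fewer than 128 ASCII characters and none of the
    forbidden punctuation or space characters."""
    if not cn or len(cn) >= MAX_CN_LEN or not cn.isascii():
        return False
    return not (set(cn) & FORBIDDEN_CN_CHARS)


def candidate_names(cert: dict, mode: str) -> list:
    """Return the certificate names to compare for the selected mode."""
    subject = cert.get("subject", {})
    san = cert.get("subjectAltName", {})
    fields = {
        "Subject:CommonName": [subject.get("CN")],
        "Subject:EmailAddress": [subject.get("E")],
        "SubjectAltName:RFC822Name": list(san.get("rfc822Name", [])),
    }
    if mode == "Check All Attributes":
        names = []
        for key in fields:          # all three fields, in the guide's order
            names.extend(fields[key])
    else:
        names = fields.get(mode, [])
    return [n for n in names if n]  # drop fields absent from the certificate


def user_name_matches(cert: dict, eap_identity: str, mode: str) -> bool:
    """Decide whether the EAP-TLS identity matches the certificate under
    the selected mode; "Disabled" skips the comparison entirely."""
    if mode not in MODES:
        raise ValueError(f"unknown Client User Name Attribute: {mode}")
    if mode == "Disabled":
        return True
    if mode == "Subject:CommonName" and not cn_is_valid(eap_identity):
        return False                 # a CN breaking the rules is unusable
    return eap_identity in candidate_names(cert, mode)
```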
14 Managing Sessions
NOTE: This chapter does not apply to session management using the SQL Accessfeature. See Chapter 22: “SQL Access” (page 338) for more information on sessionmanagement using the SQL Access feature.
This chapter covers two procedures: reading records of active sessions, and manuallystopping sessions.
Session Logs
After a user is successfully authenticated and the AAA server sends an Access-Accept, the access device will send an Accounting-Request message to start the session. The AAA server stores information about the session in an active session record. When the user's session is terminated, the client sends an Accounting-Request message to stop the session. When a AAA server receives the stop message, it clears its active record for the session and writes the session information to a file.
NOTE: HP recommends that you do not enable local session tracking for realms that are configured for session management via the SQL Access feature.
Displaying Session Attributes
1. From the navigation tree, click Sessions.
2. Enter search parameters in the Session Filter screen that appears. Retrieved sessions will be restricted to the specified search parameters.
Figure 14-1 Sessions Search Filter Screen
3. Click Display. The AAA server manager will display a list of active sessions as shown in Figure 14-2.
Figure 14-2 Example Return for a Sessions Search
4. Select a session. The AAA server manager will display the attributes for the selectedsession similar to the example shown in Figure 14-3.
Figure 14-3 Example of a Session’s Attributes
5. Click OK when you are done reading the session.
Stopping a Session
This procedure is intended for sessions that were terminated on the access device but are maintained as active by the AAA server.
1. Follow the procedure described in “Displaying Session Attributes” (page 169).
2. On the Session Attributes screen, click Stop. The AAA server will clear its record of the active session, but no action is taken by the access device.
Session Limits
You can set session limits to control how long the user has access to the network, what services the user has access to, and how many active sessions the user may maintain on the network. Session limits are defined through A-V pairs. These limits can be enforced on a user-by-user or global basis.
Setting Limits on a User-by-User Basis
If the user profile does not currently exist, follow the appropriate procedure to create a new profile. If the user profile does exist, access the user profile from the text file or database that stores the profile.
Setting Timeout Values
If the user profile is stored in a AAA server flat file:
1. Select the General tab from the User Attributes screen.
2. Assign a Session Timeout value to limit how many seconds the user can access the service.
3. Assign an Idle Timeout value to limit how many consecutive seconds of idle connection time can pass before the session is terminated.
If the user profile is stored in an LDAP LDIF file, add the following lines to the user profile:
aaaReply: Session-Timeout = Number-seconds
aaaReply: Idle-Timeout = Number-seconds
Establishing a Filter
1. Define the filter on your network device according to the hardware instructions. The filter definition should include a filter ID.
2. Associate the user profile with the filter ID.
• If the user profile is stored in a AAA server users file (grouped by realm or the default file), select the General tab from the User Attributes screen and specify the ID in the Filter ID field.
• If the user profile is stored in an LDAP LDIF file, add the following line to the user profile:
aaaReply: Filter-ID = value
Limiting Access Points (NAS-Port, NAS-ID, Calling-Station ID, and others)
You can control what connection point a user must use to access your network by restricting access to specific NASs or phone numbers.
If the user profile is stored in a AAA server users file (grouped by realm or the default file), assign values to the User Attributes fields that can limit access:
• Assign a NAS Port value (under the NAS/Login tab) to limit access to a specific dial-in connection identified by port.
• Assign a NAS ID value (under the NAS/Login tab) to limit access to a specific dial-in connection identified by NAS.
• Assign a Calling-Station-ID value (under the Others tab) if the user must always access service from a single location (defined by a phone number).
If the user profile is stored in an LDAP LDIF file, add the following lines to the user profile:
aaaCheck: NAS-Port = Port-number
aaaCheck: NAS-ID = value
aaaCheck: Calling-Station-ID = Phone-number
Denying Access (Called-Station-ID and others)
You can deny users access through a connection point by adding deny items to the user profile.
• If the user profile is stored in a AAA server users file (grouped by realm or the default file), select the Free tab from the User Attributes screen and then enter the following in the Check text box according to the limits you want to set:
NAS-Port != Port-number
NAS-ID != value
Calling-Station-ID != Phone-number
• If the user profile is stored in an LDAP LDIF file, add the following lines to the user profile:
aaaCheck: NAS-Port = Port-number
aaaCheck: NAS-ID = value
aaaCheck: Calling-Station-ID = Phone-number
Limiting Simultaneous Sessions
You can limit the number of concurrent sessions a user can maintain when accessing your network. Before you can configure the simultaneous sessions limit for a user profile, you must identify the user's realm in the server's configuration even if the user is not grouped by realm.
1. From the navigation tree, click Local Realms.
2. If the user's realm is not already identified, follow the appropriate procedure to add a realm to the server configuration. If the realm is already configured, select the realm name from the Realms screen.
3. In addition to completing the other required fields in the Realm Attributes screen, select the Yes radio button for Session Tracking.
4. Save the realm.
5. Access the user profile and set the simultaneous session limit.
• If the user profile is stored in a AAA server users file, select the Free tab from the User Attributes screen and then enter the following in the Check text box according to the limits you want to set.
Simultaneous-Sessions = Max-number-sessions
• If the user profile is stored in an LDAP LDIF file, add the following line to the user profile:
aaaCheck: Simultaneous-Sessions = Max-number-sessions
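As an added example (not the HP-UX AAA Server's own logic), the following evaluator shows how the check items from the Limiting Access Points, Denying Access and Limiting Simultaneous Sessions sections combine at authorization time: it accepts both the Free-tab "Check" syntax (NAS-Port != value) and the LDIF aaaCheck: syntax, evaluates each item against a RADIUS request, and counts active session records against Simultaneous-Sessions. The request, session table and parsing rules are constructed assumptions.

```python
"""Evaluator for user-profile check items (added example, not product code)."""
import re

# One check item per line; the "aaaCheck:" prefix of the LDIF form is optional.
CHECK_RE = re.compile(r'^(?:aaaCheck:\s*)?([A-Za-z0-9-]+)\s*(!=|=)\s*(.+?)\s*$')

# Constructed sample profile: deny one port, require one NAS, cap sessions at 2.
SAMPLE_CHECKS = """
NAS-Port != 5
aaaCheck: NAS-ID = nas1
Simultaneous-Sessions = 2
"""

# Constructed sample request and active-session table (hypothetical values).
SAMPLE_REQUEST = {"User-Name": "alice", "NAS-Port": "7", "NAS-ID": "nas1"}
SAMPLE_SESSIONS = [
    {"user": "alice", "active": True},   # still open, no Accounting stop yet
    {"user": "alice", "active": False},  # stop received, record cleared
    {"user": "bob", "active": True},
]


def parse_check_items(text: str) -> list:
    """Parse check items into (attribute, operator, value) tuples."""
    items = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = CHECK_RE.match(line)
        if not m:
            raise ValueError(f"bad check item: {line!r}")
        items.append((m.group(1), m.group(2), m.group(3)))
    return items


def active_session_count(user: str, sessions: list) -> int:
    """Count session records still marked active for this user."""
    return sum(1 for s in sessions if s["user"] == user and s["active"])


def evaluate_checks(items: list, request: dict, sessions: list) -> tuple:
    """Return (accept, reason). Every item must pass. A missing request
    attribute fails an '=' requirement but passes a '!=' deny item."""
    for attr, op, value in items:
        if attr == "Simultaneous-Sessions":
            limit = int(value)
            count = active_session_count(request["User-Name"], sessions)
            if count >= limit:
                return False, f"{count} active sessions, limit {limit}"
            continue
        actual = request.get(attr)
        if op == "=" and str(actual) != value:
            return False, f"{attr} is {actual!r}, required {value!r}"
        if op == "!=" and str(actual) == value:
            return False, f"{attr} {value!r} is denied"
    return True, "all check items satisfied"


def demo() -> bool:
    """Run the constructed profile against the constructed request."""
    items = parse_check_items(SAMPLE_CHECKS)
    return evaluate_checks(items, SAMPLE_REQUEST, SAMPLE_SESSIONS)[0]
```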
Setting Limits for Users on a Global Basis
Setting Limits for All User Profiles Grouped by Realms
You can set limits for all users by modifying the DEFAULT profile in the default users file. The limits specified for the DEFAULT user profile are appended to all requests for all users that are grouped by realm.
1. Access the Server Manager (see “Accessing the Server Manager” (page 71)).
2. From the navigation tree, click Local Realms.
3. Click the icon to access the Users screen.
4. Assign values for session limits by following the same procedures for setting limits for individual users stored in the users file.
15 Assigning IP Addresses
The following information explains how the HP-UX AAA Server can be used to assign static or dynamic IP addresses to users.
IMPORTANT: Currently, only static IPv6 addresses and prefixes can be assigned usingthe HP-UX AAA Server. Dynamic assignment of IPv6 addresses is not supported.
Assigning Static IP Addresses
The procedure for assigning static IP (IPv4 and IPv6) addresses depends on where the user profile is stored.
To Assign a Static IP (IPv4) Address to a Profile in Flat Files
To assign a static traditional IP (IPv4) address to a user profile stored in AAA server flat files, complete the following steps:
1. From the navigation tree, click Local Realms.
2. Choose the users icon for the realm the user is in.
The Users screen appears as shown in Figure 15-1.
Figure 15-1 The Users Screen
3. Click the Edit icon next to the user whose static IP address you want to modify. The Modify Users screen appears.
4. Click the Framed tab. The Framed User Attributes form is displayed on the screen as shown in Figure 15-2.
Figure 15-2 The Framed User Attributes Form
5. Enter the static IP for the user in the Framed IP Address field.
6. Click Modify.
To Assign a Static IPv6 Address to a Profile in Flat Files
To assign a static IPv6 address to a user profile stored in AAA server flat files, complete the following steps:
1. From the navigation tree, click Local Realms.
2. Choose the users icon for the realm the user is in.
The Users screen appears as shown in Figure 15-3.
Figure 15-3 The Users Screen
3. Click the Edit icon next to the user whose static IP address you want to modify. The Modify Users screen appears.
4. Click the Framed tab. The Framed User Attributes form is displayed on the screen as shown in Figure 15-4.
Figure 15-4 The Framed User Attributes Form
5. Enter the static IPv6 Interface Id for the user in the Framed Interface ID field.
6. Enter the static value for the prefix that needs to be assigned to the user in the Framed IPv6 Prefix field.
NOTE: See “Syntax of IPv6 Attributes” (page 528) for more information on IPv6attributes.
7. Click Modify.
To Assign Static Traditional IP (IPv4) Addresses to a User Profile in an LDAP LDIF File
To assign static IP addresses (only IPv4 addresses) to a user profile stored in an LDAP LDIF file, complete the following steps:
1. From the command line, open the LDIF file the user profile is stored in.
2. Add the following line to the user profile:
aaaReply: Framed-IP-Address = <value>
3. Save the file.
To Assign Static IPv6 Addresses to a User Profile in an LDAP LDIF File
To assign static IPv6 addresses to a user profile stored in an LDAP LDIF file, complete the following steps:
1. From the command line, open the LDIF file the user profile is stored in.
2. Add the following lines to the user profile:
aaaReply: Framed-IPv6-Prefix = <value>
aaaReply: Framed-Interface-Id = <value>
3. Save the file.
Assigning Dynamic IP Addresses Using DHCP
You can assign dynamic IP (traditional IPv4) addresses using DHCP.
NOTE: The following steps do not apply to session management using the SQL Accessfeature. See Chapter 22: “SQL Access” (page 338) for more information on sessionmanagement using the SQL Access feature.
To assign dynamic IP addresses using DHCP, complete the following steps:
1. Define the DHCP address pools. See “Defining DHCP Address Pools for Specific Users” (page 390).
2. Configure the AAA Server’s DHCP Server Properties. See “DHCP Relay Properties” (page 133).
3. Configure the DHCP Server to synchronize with the AAA server’s DHCP properties. See “DHCP Relay Properties” (page 133).
4. Stop and start the AAA server. See “Accessing the Server Manager” (page 71).
NOTE: Be sure the following properties on the DHCP server do not conflict with the HP-UX AAA Server’s DHCP properties:
• The DHCP server’s DHCP Lease value must be greater than the Session-Clear values.
• The DHCP server must be configured to match the DHCP Send User Class setting configured on the AAA server.
16 OATH Standards-Based OTP Authentication
IMPORTANT: The SecurID authentication is obsolete in this release of the HP-UXAAA Server. The SecurID authentication can be replaced by Open AuTHentication(OATH) standards-based One-Time Password (OTP) authentication. OATH is anindustry-wide collaboration to develop open-reference architecture for strongauthentication. The OATH standards-based OTP authentication solution supportshardware and software tokens from multiple vendors.
This chapter introduces the Open AuTHentication (OATH) standards-based One-Time Password (OTP) authentication. It also describes how to enable the HP-UX AAA Server to provide OTP, and OTP and password (two-factor) authentication in different deployment scenarios. The term OTP authentication is used throughout this document to refer to the functionality that enables OTP authentication. The term two-factor authentication is used for password and OTP authentication.
This chapter addresses the following topics:
• “OTP and OATH Overview”
• “HP-UX AAA Server and OATH Support” (page 180)
• “Supported OTP Functions for RADIUS Standard Password (PAP) and MS-CHAP v2” (page 182)
• “Components Required to Configure OTP Authentication” (page 182)
• “Configuring OTP Authentication on the HP-UX AAA Server” (page 183)
— “OTP Authentication Configuration Flowchart” (page 183)
— “Basic or Typical Configuration” (page 186)
— “Advanced Configuration” (page 187)
◦ “Advanced OTP Authentication Configuration Concepts” (page 187)
◦ “Advanced Deployment Scenarios” (page 199)
— “Predefined Mapping and Conversion Functions” (page 217)
— “Sample Configuration Files” (page 217)
OTP and OATH Overview
Like a password, OTP can be used to authenticate the user to obtain access to a network. OTP can be used alone or along with a password for authentication. Typically, OTP is used for two-factor authentication. For example, in large organizations, VPN access often requires the use of user name, password, and OTP for remote user two-factor authentication. Added security is provided when an OTP is used for authentication, because a user must enter a different OTP each time to authenticate to a validation server.
OATH is an industry-wide collaboration to develop open-reference architecture for strong authentication. The OATH consortium has developed a set of open royalty-free algorithms for one-time passwords. The OATH standards-based OTP authentication solution uses the HMAC-based One-Time Password (HOTP) algorithm to generate an OTP using a shared secret and sequence counter.
The HOTP algorithm is a sequence-based algorithm. Any OATH-compliant client device can interoperate with an HOTP algorithm-enabled OTP validation server.
For more information on OATH and the HOTP algorithm, see the following web addresses:
• http://www.openauthentication.org/
• ftp://ftp.rfc-editor.org/in-notes/rfc4226.txt
HP-UX AAA Server and OATH Support
The HP-UX AAA Server supports the OATH standards sequence-based OTP authentication, which enables the HP-UX AAA Server to interoperate with other OATH-compliant clients.
Normally, the authentication process used by the HP-UX AAA Server is confined to validating the user password against the password stored in the database. However, with OTP support, the HP-UX AAA Server can now perform the following additional functions:
• Validate the OTP
• Proxy the OTP or password to an external RADIUS server for OTP or password validation
The OATH standards-based OTP authentication feature enables the HP-UX AAA Server to offer the following benefits:
• Secures the applications by providing an additional factor (OTP)
• Provides a low-cost solution for implementing OATH standards-based authentication
• Provides compatibility with different types of client devices
• Offers flexibility to configure OATH standards-based OTP authentication for various deployment scenarios
Figure 16-1 illustrates the role of the HP-UX AAA Server and its components in handling OTP, or OTP and password authentication requests.
Figure 16-1 OATH Standards-Based OTP Authentication Flow and the HP-UX AAA Server.
Following is the OTP authentication process flow:
1. The user requests access to a protected resource by sending the user credentials (password or OTP, or password and OTP), which are encrypted with the shared secret, to the authenticator. The OTP can contain either six, seven, or eight digits.
2. The authenticator forwards the request to the HP-UX AAA Server.
3. The HP-UX AAA Server validates the OTP and password locally.
NOTE:
a. If RADIUS standard Password Authentication Protocol (PAP) is used, the HP-UX AAA Server can split the user password into password and OTP and perform one of the following actions:
• Validate the OTP, or password, or password and OTP.
• Proxy the OTP or password to an external RADIUS server for validation.
Splitting of the user password into password and OTP is not supported for the MS-CHAP v2 authentication protocol, as the user password is a hash. Therefore, partial validation of either OTP or password locally and the remaining part at an external RADIUS server is not possible. The complete validation must be performed at the local HP-UX AAA Server or at an external RADIUS server.
b. The HP-UX AAA Server can be configured to generate OTPs that can be delivered to customers through a secondary channel using SMS, e-mail, FTP, and so on. Contact your HP Support representative for assistance while configuring the HP-UX AAA Server to use the secondary channel for OTP delivery.
If the validation is performed locally, the HP-UX AAA Server updates the databasewith the incremented sequence counter after successful OTP authentication. If thevalidation is performed by an external RADIUS server, the external RADIUS serverupdates the database with the incremented sequence counter after successful OTPauthentication.
4. Based on the success or failure of the authentication, the HP-UX AAA Server sends an Access-Accept or Access-Reject message to the authenticator, which grants or denies the user access to the resource.
Supported OTP Functions for RADIUS Standard Password (PAP) and MS-CHAP v2

OTP support for MS-CHAP v2 is compatible with RFC 4226. Table 16-1 describes the supported functions for PAP and MS-CHAP v2.

Table 16-1 Supported OTP Functions for PAP and MS-CHAP v2

Function                                                      RADIUS Standard Password (PAP)   MS-CHAP v2
Validate OTP                                                  Yes                              Yes
Validate password                                             Yes                              Yes
Store OTP                                                     Yes                              Yes
Validate OTP and password                                     Yes                              Yes
Proxy the OTP and password to another RADIUS server
  for OTP and password validation                             Yes                              Yes
Split the OTP and password, and proxy the OTP or
  password to another RADIUS server for OTP or
  password validation                                         Yes                              No

For information on supported action ids, see Table 16-3 (page 190).
Components Required to Configure OTP Authentication

The following components, which are required to configure OTP authentication, are provided with the HP-UX AAA Server:
• Modified Finite State Machine (FSM)
• Database schema files
• The following sample configuration files:
  — sqlaccess.config
  — Policy configuration files:
    ◦ oath-proxy-egress.grp
    ◦ oath-request-ingress.grp
    ◦ oath-reply-egress.grp
• User Database Administration Manager (a web-based interface that enables you to administer user profiles and token information in the SQL database). For more information, see "Administering Users and Tokens Stored in an SQL Database" (page 374).

The following components required to configure OTP authentication are not provided with the HP-UX AAA Server:
• SQL database
• OTP generators (typically, token devices or software that generates OTPs) with their inventory files (files that contain the shared secret and other token information)
Configuring OTP Authentication on the HP-UX AAA Server

The HP-UX AAA Server uses SQL Access, the FSM, and policy actions to support OTP authentication. This feature offers the flexibility to customize OTP authentication depending on the deployment scenario. Sample policy files are provided to simplify configuring the HP-UX AAA Server to provide password and OTP authentication.

If you are not using the basic or typical configuration ("Basic or Typical Configuration"), append the contents of the sample OTP reference implementation files (located in /opt/aaa/examples/config) to the default policy files (located in /etc/opt/aaa) using the following commands:

# cat /opt/aaa/examples/config/oath-request-ingress.grp >> /etc/opt/aaa/request-ingress.grp
# cat /opt/aaa/examples/config/oath-reply-egress.grp >> /etc/opt/aaa/reply-egress.grp
# cat /opt/aaa/examples/config/oath-proxy-egress.grp >> /etc/opt/aaa/proxy-egress.grp

Run each command only once: appending a sample file a second time duplicates its policy conditions in the target file.
In addition, you must complete the necessary configuration to use SQL Access. For more information, see Chapter 22 (page 338).

NOTE: The oath-proxy-egress.grp file is required only if you are proxying the OTP or password to another RADIUS server.
OTP Authentication Configuration Flowchart

The OTP authentication configuration flowchart (Figure 16-2) included in this section documents some common deployment scenarios. Read the scenarios discussed in the flowchart against your deployment requirements and follow the relevant links for more information about the procedure to be followed.

To customize your deployment further, additional configuration attributes and items are provided that can be configured at the per-user, per-realm, or system-wide level. For more information on these attributes, see "Attributes for Configuring OTP Authentication" (page 192). For information on actions and customizing actions, see "Advanced OTP Authentication Configuration Concepts" (page 187).
Notes:
1. The HP-UX AAA Server supports only token information that is stored in the SQL database.
2. The HP-UX AAA Server supports only the following EAP authentication methods for OTP authentication:
• PEAP (EAP-GTC)
• TTLS (PAP and MS-CHAP v2)
IMPORTANT NOTES:
• After using the sample reference implementation and before deploying your implementation in a production environment, you must change the default passwords of the database user and the test user, and the shared secret of the test user.
• If the shared secret provided by the token vendor is in ASCII format, edit the /etc/opt/aaa/sqlaccess.config file to change the following entry in the RetrieveUserAndToken SQL action:

  DBC(RAD_TOKENS_TABLE.shared_secret, 128, CHAR) FUNC(AAASetConvertedHexToBinaryString)

  to

  DBC(RAD_TOKENS_TABLE.shared_secret, 128, CHAR) RAD(Otp-Shared-Secret, REPLY)

  and reload the configuration changes. If you are using the RetrieveToken SQL action, modify the following entry instead:

  DBC(shared_secret, 128, CHAR) FUNC(AAASetConvertedHexToBinaryString)

  to

  DBC(shared_secret, 128, CHAR) RAD(Otp-Shared-Secret, REPLY)

  and reload the configuration changes. The FUNC form decodes the column from hexadecimal before use; the RAD form uses the column bytes as stored, so an ASCII secret must itself be at least 16 characters (128 bits) to satisfy the minimum length of Otp-Shared-Secret.
Figure 16-2 OTP Authentication Configuration Flowchart for RADIUS Standard Password
Figure 16-3 OTP Authentication Configuration Flowchart for MS-CHAP v2
Basic or Typical Configuration

A basic or typical scenario involves configuring the HP-UX AAA Server to provide two-factor authentication when user and token information is stored in different tables in the same SQL database. For more information on configuring two-factor authentication in this scenario, follow the instructions in the README file at:
• /opt/aaa/example/sqlaccess/oracle-1/README, if you are using an Oracle database
• /opt/aaa/example/sqlaccess/mysql-1/README, if you are using a MySQL database
Advanced Configuration

Advanced configuration typically requires some extra customization of the feature to suit your needs. This section also discusses various deployment scenarios. For more information, see "Advanced Deployment Scenarios" (page 199).

Use the following information to understand how to configure the HP-UX AAA Server and the attributes you can use to customize actions at the various levels:
• "Advanced OTP Authentication Configuration Concepts" (page 187)
  — "Attributes for Configuring OTP Authentication" (page 192)
    ◦ "System-Wide OTP Configuration Items" (page 195)
    ◦ "Realm Level OTP Attributes" (page 196)
    ◦ "User Level OTP Attributes" (page 198)
Advanced OTP Authentication Configuration Concepts

The HP-UX AAA Server processes all OTP authentication requests according to the bit masks set in the Otp-ActionId attribute in the request-ingress.grp file (this guide also writes the attribute as OTP-ActionId; the name defined in the dictionary is Otp-ActionId). You can configure the HP-UX AAA Server to perform various OTP authentication tasks by setting the bit masks in the Otp-ActionId attribute and by configuring other configuration files. For more information on the Otp-ActionId attribute, see "Attributes for Configuring OTP Authentication" (page 192).

Table 16-2 lists the bit masks that can be used to configure the HP-UX AAA Server to perform various tasks. Bit masks are numbered from the least significant bit: bit mask 1 has the value 1, bit mask 2 the value 2, and so on up to bit mask 7 with the value 64. The Otp-ActionId value is the sum of the values of the selected bit masks.
Table 16-2 Bit Masks to Configure OTP Authentication Tasks

Each entry gives the bit mask, the task, whether the task is supported for RADIUS standard password and for MS-CHAP v2, and the action the HP-UX AAA Server performs.

Bit mask 7: Splits the incoming password into password and OTP.
  Support: RADIUS standard password Yes; MS-CHAP v2 No.
  Action: On receiving the incoming request, the HP-UX AAA Server splits the User-Password value into password and OTP based on the number of digits specified in the OTP token length. For example, if the OTP token length is 7, the last 7 characters are identified as the OTP and the preceding characters as the password.

Bit mask 6: Validates the password.
  Support: RADIUS standard password Yes; MS-CHAP v2 Yes.
  Action: The HP-UX AAA Server validates the password from the User-Password attribute.

Bit mask 5: Validates the OTP.
  Support: RADIUS standard password Yes; MS-CHAP v2 Yes.
  Action: The HP-UX AAA Server validates the incoming OTP.

Bit mask 4: Stores the generated OTP in the Generated-OTP attribute.
  Support: RADIUS standard password Yes; MS-CHAP v2 Yes.
  Action: The HP-UX AAA Server generates an OTP and stores it in the Generated-OTP attribute.

Bit mask 3: Removes the password.
  Support: RADIUS standard password Yes; MS-CHAP v2 No.
  Action: The HP-UX AAA Server removes the password from the incoming password and replaces the User-Password attribute with the OTP. Use this bit mask when the User-Password attribute contains both the password and the OTP and only the OTP is to be passed on.

Bit mask 2: Removes the OTP.
  Support: RADIUS standard password Yes; MS-CHAP v2 No.
  Action: The HP-UX AAA Server removes the OTP from the incoming password and replaces the User-Password attribute with the password. Use this bit mask when the User-Password attribute contains both the password and the OTP and only the password is to be passed on.

Bit mask 1: Sets the proxy event code.
  Support: RADIUS standard password Yes; MS-CHAP v2 No.
  Action: The HP-UX AAA Server returns a proxy event to the FSM. Proxy files can be configured to proxy the request to the proxy target server.
NOTE: The HP-UX AAA Server executes the actions listed in Table 16-2 in the predefined descending order of bit masks (from bit mask 7 to bit mask 1), whatever combination is set. The split (bit mask 7) therefore always runs before the validations (bit masks 6 and 5) and before the remove actions (bit masks 3 and 2), and the proxy event (bit mask 1) is raised last.
You can use the bit masks listed in Table 16-2 in various combinations to configure OTP authentication, two-factor authentication, and other operations depending on your deployment scenario. For example, to validate the password and the OTP (two-factor authentication) using RADIUS standard password, the HP-UX AAA Server must perform the following actions:
• Split the password and the OTP (bit mask 7)
• Validate the password (bit mask 6)
• Validate the OTP (bit mask 5)

Figure 16-4 illustrates how you can set the bit mask to validate both password and OTP (two-factor authentication).
Figure 16-4 Usage of Bit Masks to set OTP Authentication Actions
The Otp-ActionId attribute is set to 112, the decimal value of the binary 01110000 (bit masks 7, 6 and 5 set: 64 + 32 + 16).

Table 16-3 lists some common actions along with the bit masks that must be used for configuration.
Table 16-3 Common OTP Authentication Actions

Each entry gives the Otp-ActionId value for RADIUS standard password, the value for MS-CHAP v2 (or "Not applicable" where the action needs bit masks that MS-CHAP v2 does not support), the bit mask set, and the action.

Otp-ActionId 112 (RADIUS standard password); 48 (MS-CHAP v2); bit masks 01110000 (for 112) and 00011000 (for 48)
  Validates the password and OTP (two-factor authentication) if the incoming request contains password and OTP.

Otp-ActionId 104; Not applicable for MS-CHAP v2; bit masks 01101000
  Validates only the password and stores the generated OTP in the Otp-In-Attribute attribute if the incoming request contains password and OTP.

Otp-ActionId 101; Not applicable for MS-CHAP v2; bit masks 01100101
  Validates only the password, replaces User-Password with the incoming OTP, and sets the proxy event to proxy the request to the proxy target server configured in the proxy-egress.grp policy file, for OTP validation, if the incoming request contains password and OTP.

Otp-ActionId 83; Not applicable for MS-CHAP v2; bit masks 01010011
  Validates only the OTP, replaces User-Password with the incoming password, and sets the proxy event to proxy the request to the proxy target server configured in the proxy-egress.grp policy file, for password validation, if the incoming request contains password and OTP.

Otp-ActionId 80; Not applicable for MS-CHAP v2; bit masks 01010000
  Validates only the OTP if the OTP is sent together with the password.

Otp-ActionId 69; Not applicable for MS-CHAP v2; bit masks 01000101
  Forwards only the OTP to the proxy target server configured in the proxy-egress.grp policy file if the incoming request contains password and OTP.

Otp-ActionId 68; Not applicable for MS-CHAP v2; bit masks 01000100
  Removes the password and stores only the OTP in the User-Password attribute.

Otp-ActionId 67; Not applicable for MS-CHAP v2; bit masks 01000011
  Forwards only the password to the proxy target server configured in the proxy-egress.grp policy file if the incoming request contains password and OTP.

Otp-ActionId 66; Not applicable for MS-CHAP v2; bit masks 01000010
  Removes the OTP and stores only the password in the User-Password A-V pair.

Otp-ActionId 40 (RADIUS standard password); 40 (MS-CHAP v2); bit masks 00101000
  Validates only the password and stores the generated OTP in the Otp-In-Attribute attribute if the incoming request contains only the password.

Otp-ActionId 32 (RADIUS standard password); 32 (MS-CHAP v2); bit masks 00100000
  Validates only the password when the incoming request contains only the password. This action is equivalent to the configuration for password authentication; HP recommends using the default configuration for better performance.

Otp-ActionId 16 (RADIUS standard password); 16 (MS-CHAP v2); bit masks 00010000
  Validates the OTP if the incoming request contains only the OTP.

Otp-ActionId 8 (RADIUS standard password); 8 (MS-CHAP v2); bit masks 00001000
  Stores the generated OTP in the Otp-In-Attribute attribute.

Otp-ActionId 1; Not applicable for MS-CHAP v2; bit masks 00000001
  Returns the proxy event to proxy the request to the proxy target server configured in the proxy-egress.grp policy file. This is equivalent to the default proxy configuration; HP recommends using the default configuration for better performance.
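The following Python model is an added example, not code from the HP-UX AAA Server or from this guide. It converts between the bit mask numbers of Table 16-2 and Otp-ActionId values, lists the masks in the order the server executes them, and walks a constructed PAP User-Password through the split, validate, remove and proxy actions for the values in Table 16-3. The function names, the dictionary of action names and the MS-CHAP v2 check are assumptions made for the example; the server itself performs these steps in its FSM and policy files.

```python
# Added example: Otp-ActionId bit mask arithmetic and a model of the actions.
# Bit mask numbers follow Table 16-2: bit mask 7 is the most significant of the
# seven bits (value 64) and bit mask 1 the least significant (value 1).
ACTIONS = {
    7: "split",                # User-Password -> password + OTP (last Otp-Token-Length chars)
    6: "validate_password",
    5: "validate_otp",
    4: "store_generated_otp",  # generate an OTP into the Generated-OTP attribute
    3: "remove_password",      # User-Password := OTP only
    2: "remove_otp",           # User-Password := password only
    1: "proxy",                # return the proxy event to the FSM
}
# These need the clear-text User-Password, which MS-CHAP v2 does not carry.
PAP_ONLY = {7, 3, 2, 1}


def action_id(*masks: int) -> int:
    """Otp-ActionId value for a set of bit mask numbers, e.g. (7, 6, 5) -> 112."""
    return sum(1 << (m - 1) for m in masks)


def bit_masks(value: int) -> list:
    """Bit mask numbers set in an Otp-ActionId value, in execution order (7 down to 1)."""
    if not 0 <= value < 128:
        raise ValueError("Otp-ActionId uses seven bits, so the value must be 0..127")
    return [m for m in range(7, 0, -1) if value & (1 << (m - 1))]


def as_binary(value: int) -> str:
    """The 'Bit Mask Set' column of Table 16-3, e.g. 112 -> '01110000'."""
    return format(value, "08b")


def split_user_password(user_password: str, token_length: int) -> tuple:
    """Bit mask 7: the last token_length characters are the OTP, the rest the password."""
    if len(user_password) <= token_length:
        raise ValueError("User-Password is not longer than Otp-Token-Length; nothing to split")
    return user_password[:-token_length], user_password[-token_length:]


def process_request(value: int, user_password: str, token_length: int = 6,
                    protocol: str = "PAP") -> dict:
    """Model which actions an Otp-ActionId value triggers on one request.

    Returns the final User-Password, the validation steps with the value each
    one sees, and whether the proxy event is raised (assumed names, not the
    server's own FSM code).
    """
    masks = bit_masks(value)
    if protocol == "MS-CHAPv2":
        bad = sorted(set(masks) & PAP_ONLY, reverse=True)
        if bad:
            raise ValueError("bit masks %s are not supported for MS-CHAP v2" % bad)
    state = {"User-Password": user_password, "steps": [], "proxy": False}
    password = otp = None
    for m in masks:  # descending order, as the NOTE after Table 16-2 states
        act = ACTIONS[m]
        if act == "split":
            password, otp = split_user_password(user_password, token_length)
        elif act == "validate_password":
            target = password if password is not None else state["User-Password"]
            state["steps"].append(("validate_password", target))
        elif act == "validate_otp":
            target = otp if otp is not None else state["User-Password"]
            state["steps"].append(("validate_otp", target))
        elif act == "store_generated_otp":
            state["steps"].append(("store_generated_otp", "Generated-OTP"))
        elif act in ("remove_password", "remove_otp"):
            if otp is None:
                raise ValueError("bit masks 3 and 2 require bit mask 7 (split) as well")
            state["User-Password"] = otp if act == "remove_password" else password
        elif act == "proxy":
            state["proxy"] = True
    return state


if __name__ == "__main__":
    for value in (112, 101, 83, 80, 48):
        print(value, as_binary(value), bit_masks(value))
    # "hunter2123456" is a constructed credential: password "hunter2" + OTP "123456".
    print(process_request(101, "hunter2123456"))
```

Running the module shows, for 101, that the password is validated locally, User-Password is left holding only the OTP, and the proxy event is raised so the external server validates the OTP; for 83 the roles are reversed. The MS-CHAP v2 check reproduces the "Not applicable" column of Table 16-3: any value using bit masks 7, 3, 2 or 1 is rejected for that protocol.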
Attributes for Configuring OTP Authentication

Table 16-4 lists attributes that provide additional options for customizing your configuration. These attributes can be configured at the user, realm, or system-wide level.

Table 16-4 Attributes for Configuring OTP Authentication

Otp-Lookup-Window
  Configuration type: user, realm, or system-wide level.
  Specifies the size of the look-ahead window. This enables the HP-UX AAA Server to recalculate the next OTP values and check them against the received OTP to synchronize the sequence counter. If this attribute is not specified, the value of the system-wide configuration entry otp_lookup_window is used as the default. A larger window gives an attacker more valid OTPs to match against per guess, so keep it as small as the counter drift of your tokens allows.
  Default value: 10. Value type: integer.

HOtp-Seq-Counter
  Configuration type: user level only.
  Specifies the eight-byte counter value that the HMAC algorithm requires to generate an OTP. This counter value must be synchronized between the OTP generator and the HP-UX AAA Server. This attribute is mandatory for each user.
  Value type: unsigned char.

Otp-Shared-Secret
  Configuration type: user level only.
  Specifies the unique shared secret between the OTP generator and the HP-UX AAA Server. The HMAC algorithm requires this secret to generate an OTP. The length of the shared secret must be at least 128 bits (RFC 4226 recommends 160 bits). This attribute is mandatory for each user.
  Value type: binary string.

Otp-Token-Serial-Number
  Configuration type: user level only.
  A unique serial number for the OTP generator (token device or software that generates the OTP).

Otp-Token-Lock-Counter
  Configuration type: user, realm, or system-wide level.
  Specifies the lock counter. If the number of consecutive failed authentication attempts is greater than the configured Otp-Token-Lock-Counter value, where the time interval between two consecutive failed attempts is less than 60 seconds, the HP-UX AAA Server updates the token status to LOCKED. Because the comparison is "greater than", the default of 6 locks the token on the seventh such failure. If this attribute is not specified, the value of the system-wide configuration item otp_token_lock_counter is used as the default.
  Default value: 6.

Otp-Token-Length
  Configuration type: user, realm, or system-wide level.
  Specifies the OTP length. Tokens can generate OTPs of six, seven, or eight digits. If this attribute is not specified, the value of the system-wide configuration item otp_token_length is used as the default.
  Default value: 6. Value type: integer.

Otp-ActionId
  Configuration type: realm level only.
  Specifies the OTP actions to be processed (see Table 16-2 and Table 16-3).
  Value type: integer.

Otp-Add-Checksum
  Configuration type: user, realm, or system-wide level.
  Specifies whether a checksum is used while validating the OTP. If this attribute value is yes, the HP-UX AAA Server calculates the checksum for the generated OTP. While validating the OTP, if the calculated checksum is identical, the HP-UX AAA Server continues with the OTP validation; if it is not identical, the HP-UX AAA Server attempts to resynchronize.
  Default value: no.

Otp-Retrieve-TokenInfo-ActionId
  Configuration type: realm level only.
  Specifies the SQL action for retrieving the token information from the database.

Reply-Egress-ActionId
  Configuration type: realm level only.
  Sets the SQL action to be processed after applying the reply-egress policy (for example, updating the successful or failed authentication counter).

NOTE: The attributes listed in Table 16-4 are defined in the dictionary file.

The HP-UX AAA Server uses the following precedence rules when executing OTP authentication requests:
• Attributes configured at the user level have the highest precedence.
• Attributes configured at the realm level have the second highest precedence.
• If an attribute is not configured at the user or realm level, the system-wide value is used.
System-Wide OTP Configuration Items
To configure OTP attributes at the system-wide level, add the system-wide configurable items listed in Table 16-5 to the /etc/opt/aaa/aaa.config file using the following syntax (the values shown are the defaults):

otp_lookup_window <10>
otp_token_length <6>
otp_token_lock_counter <6>
otp_add_checksum <no>
Table 16-5 System-Wide OTP Configuration Items

otp_lookup_window
  Specifies the size of the look-ahead window. This enables the HP-UX AAA Server to recalculate the next OTP values and check them against the received OTP to synchronize the sequence counter.
  Default value: 10.

otp_token_length
  Specifies the OTP length. Tokens can generate OTPs of six, seven, or eight digits.
  Default value: 6.

otp_token_lock_counter
  Specifies the lock counter. If the number of consecutive failed authentication attempts is greater than the configured value, where the time interval between two consecutive failed attempts is less than 60 seconds, the HP-UX AAA Server updates the token status to LOCKED.
  Default value: 6.

otp_add_checksum
  Specifies whether a checksum is used while validating the OTP. If this item is yes, the HP-UX AAA Server calculates the checksum for the generated OTP. While validating the OTP, if the calculated checksum is identical, the HP-UX AAA Server continues with the OTP validation; if it is not identical, the HP-UX AAA Server attempts to resynchronize.
  Default value: no.
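The following Python example is added here; it is not code from the HP-UX AAA Server or from this guide. It implements the RFC 4226 HOTP computation together with the look-ahead window, token length, lock counter and checksum behaviour described in Tables 16-4 and 16-5, and the two ways of loading the shared_secret column (hexadecimal or ASCII) from the IMPORTANT NOTES earlier in this chapter. The shared secret is the RFC 4226 test-vector secret, the class and method names are assumptions, and the checksum is assumed to be the Luhn-style check digit of RFC 4226 Appendix A, which the guide does not specify.

```python
# Added example: HOTP validation with look-ahead window, lock counter and checksum.
import hashlib
import hmac
import struct

# RFC 4226 Appendix D test secret, the ASCII string "12345678901234567890"
# (20 bytes = 160 bits), in the two forms a vendor inventory file might use.
# Both are constructed sample values, not data from this guide.
INVENTORY_SECRET_HEX = "3132333435363738393031323334353637383930"
INVENTORY_SECRET_ASCII = "12345678901234567890"


def load_shared_secret(db_value: str, hex_encoded: bool) -> bytes:
    """The two sqlaccess.config choices for the shared_secret column: decode it
    from hexadecimal (the FUNC(AAASetConvertedHexToBinaryString) form) or use
    the column bytes as they are (the RAD(Otp-Shared-Secret, REPLY) form)."""
    secret = bytes.fromhex(db_value) if hex_encoded else db_value.encode("ascii")
    if len(secret) * 8 < 128:
        raise ValueError("Otp-Shared-Secret must be at least 128 bits")
    return secret


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA-1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


_DOUBLE = (0, 2, 4, 6, 8, 1, 3, 5, 7, 9)


def checksum_digit(otp: str) -> str:
    """Luhn-style check digit from RFC 4226 Appendix A (assumed here to be what
    Otp-Add-Checksum appends; the guide does not spell the algorithm out)."""
    total, double = 0, True
    for ch in reversed(otp):
        d = int(ch)
        total += _DOUBLE[d] if double else d
        double = not double
    return str((10 - total % 10) % 10)


class TokenRecord:
    """One token row (shared secret, HOtp-Seq-Counter, token_status) plus the
    validation rules of Tables 16-4 and 16-5, modelled in Python (assumed names)."""

    def __init__(self, secret: bytes, seq_counter: int, token_length: int = 6,
                 lookup_window: int = 10, lock_counter: int = 6, add_checksum: bool = False):
        self.secret = secret
        self.seq_counter = seq_counter      # HOtp-Seq-Counter: next counter expected
        self.token_length = token_length    # Otp-Token-Length
        self.lookup_window = lookup_window  # Otp-Lookup-Window
        self.lock_counter = lock_counter    # Otp-Token-Lock-Counter
        self.add_checksum = add_checksum    # Otp-Add-Checksum
        self.status = "ACTIVE"              # token_status column
        self.failed = 0                     # consecutive failures for the lock rule
        self.last_fail = None

    def validate(self, received: str, now: float) -> bool:
        if self.status == "LOCKED":
            return False
        if self.add_checksum:
            body, check = received[:-1], received[-1:]
            if check != checksum_digit(body):
                return self._fail(now)
            received = body
        # Look-ahead window: accept counters seq_counter .. seq_counter+window-1
        # and resynchronise past the one that matched. Counters below seq_counter
        # are never accepted again, which is what stops a replayed OTP.
        for step in range(self.lookup_window):
            candidate = self.seq_counter + step
            if hmac.compare_digest(hotp(self.secret, candidate, self.token_length), received):
                self.seq_counter = candidate + 1
                self.failed = 0
                return True
        return self._fail(now)

    def _fail(self, now: float) -> bool:
        # Failures count as consecutive only while less than 60 s apart; more
        # than lock_counter of them set the token status to LOCKED.
        if self.last_fail is not None and now - self.last_fail < 60:
            self.failed += 1
        else:
            self.failed = 1
        self.last_fail = now
        if self.failed > self.lock_counter:
            self.status = "LOCKED"
        return False


if __name__ == "__main__":
    token = TokenRecord(load_shared_secret(INVENTORY_SECRET_HEX, True), seq_counter=0)
    print(token.validate(hotp(token.secret, 4), now=0.0), token.seq_counter)  # resync to 5
    print(token.validate(hotp(token.secret, 1), now=1.0))                     # replay rejected
```

With the default window of 10, an OTP generated for counter 4 is accepted from a server counter of 0 and moves the counter to 5; an OTP for counter 1 is then rejected because it lies behind the counter, and seven wrong OTPs less than 60 seconds apart set the status to LOCKED, after which even a correct OTP is refused until the token is unlocked in the database.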
Realm Level OTP Attributes
To configure OTP attributes at the realm level, modify the sample entry in the request-ingress.grp file using the following syntax:

if ((count (User-Name) > 0) && (substr (User-Name after "@" ) = "<realm>")) {
    # Add Otp-ActionId attribute, if it is not present in the user request.
    #
    if (count (Otp-ActionId) = 0) {
        insert Otp-ActionId = <OTP-ActionId>
        insert Otp-Retrieve-TokenInfo-ActionId = "<SQL action>"
    }
    exit "ACK"
}

In this example, the Otp-ActionId and Otp-Retrieve-TokenInfo-ActionId attributes are configured on a realm basis. Other realm-level OTP attributes can be added depending on your configuration.
Configuring OTP Authentication for Tunneled EAP Mechanisms
If you have created EAP tunneled realms using the Server Manager for PEAP (EAP-GTC) or TTLS (PAP or MS-CHAP v2), refer to the following rules for specifying the realms when configuring OTP authentication:

If you have configured the same inner and outer realms

• If you are using PEAP (EAP-GTC) as the authentication mechanism, replace the variable <realm> with the configured inner realm name, using the following syntax in the request-ingress.grp and reply-egress.grp files:

  if ( (count (User-Realm) > 0) && (User-Realm = "<realm>/peap"))

  If you are proxying the OTP to an external RADIUS server for validation, you must modify the reply-egress.grp file as follows, and replace the variable <proxyrealm> with the configured inner realm name:

  if ( (count(Interlink-Proxy-Action) > 0) && ( (Interlink-Proxy-Action = "ACCT") || (Interlink-Proxy-Action = "LAS_ACCT") ) || ( (count (User-Realm) > 0) && (User-Realm = "<proxyrealm>/peap") ) )

• If you are using TTLS (PAP or MS-CHAP v2) as the authentication mechanism, replace the variable <realm> with the configured inner realm name, using the following syntax in the request-ingress.grp and reply-egress.grp files:

  if ( (count (User-Realm) > 0) && (User-Realm = "<realm>/ttls"))

  If you are proxying the OTP to an external RADIUS server for validation, you must modify the reply-egress.grp file as follows, and replace the variable <proxyrealm> with the configured inner realm name:

  if ( (count(Interlink-Proxy-Action) > 0) && ( (Interlink-Proxy-Action = "ACCT") || (Interlink-Proxy-Action = "LAS_ACCT") ) || ( (count (User-Realm) > 0) && (User-Realm = "<proxyrealm>/ttls") ) )

NOTE: When a response from the proxy is returned, the HP-UX AAA Server applies the reply-egress policy and does not increment the sequence counter or the successful or failed authentication counters, because the external RADIUS server increments them.
If you have configured different inner and outer realms
If you have configured different inner and outer realms, you must specify the inner realm name when configuring OTP authentication. For example, if you have configured an inner realm called otprealm that uses TTLS (PAP or MS-CHAP v2) as the authentication mechanism, specify the realm name in the request-ingress.grp file as follows:

if ( (count (User-Name) > 0) && (substr (User-Name after "@" ) = "otprealm" ) )

Specify the realm name in the reply-egress.grp file as follows:

if ( (count (User-Realm) > 0) && (User-Realm = "otprealm"))

NOTE: Creating different inner and outer realms for OTP authentication is supported only for TTLS (PAP and MS-CHAP v2). For information on creating tunneled EAP realms, see "Adding a Realm" (page 105).

If you are proxying the OTP to a remote server for validation, you must modify the reply-egress.grp file as follows:

if ( (count(Interlink-Proxy-Action) > 0) && ( (Interlink-Proxy-Action = "ACCT") || (Interlink-Proxy-Action = "LAS_ACCT") ) || ( (count (User-Realm) > 0) && (User-Realm = "otprealm" ) ) )

NOTE: When a response from the proxy is returned, the HP-UX AAA Server applies the reply-egress policy and does not increment the sequence counter or the successful or failed authentication counters, because the external RADIUS server increments them.
User Level OTP Attributes
To configure OTP attributes at the user level, modify the RetrieveToken SQLAction in the sqlaccess.config file. You can include the user-specific OTP attributes listed in Table 16-4 (page 192) using the following syntax:

SQLAction RetrieveToken {
    {
        input
            RAD(User-Id, REPLY) DBP(userid, 253, CHAR)
        output
            DBR(100:*) RET(RETRIEVE_ERROR)
            DBR(-1:*) RET(ERROR)
            DBC(serial_number, 128, CHAR) RAD(Otp-Token-Serial-Number, REPLY)
            DBC(token_status, 128, CHAR) FUNC(AAATokenStatusCheck)
            DBC(seq_counter, 38, CHAR) RAD(HOtp-Seq-Counter, REPLY)
            DBC(shared_secret, 128, CHAR) FUNC(AAASetConvertedHexToBinaryString)
            DBR(0:0) RET(RETRIEVE_SUCCESS)
            DBR(*:*) RET(RETRIEVE_ERROR)
        SQLStatement db_oci {
            SELECT serial_number, token_status, seq_counter, shared_secret
            FROM RAD_TOKENS_TABLE WHERE user_name=:userid
        }
    }
}

Each output row of the form DBC(<column>, <length>, CHAR) RAD(<attribute>, REPLY) maps one column of the token row to one OTP attribute. To configure an additional user-level attribute such as Otp-Token-Length, add an output row of that form for the corresponding column and add the column to the SELECT list of the SQLStatement. If you are using the RetrieveUserAndToken SQL action, make the same changes there to configure OTP attributes at the user level.

NOTE: The corresponding values for the attributes configured in the sqlaccess.config file must be stored in the user profile and in RAD_TOKENS_TABLE in the database.
Advanced Deployment Scenarios

This section documents the procedures for configuring OTP and two-factor authentication in the following deployment scenarios:
• "Validating OTP Alone" (page 200)
• "Configuring Two-Factor Authentication" (page 202)
  — "If User and Token Information is in Different SQL Database Tables" (page 202)
  — "If User and Token Information is in the Same SQL Database Table" (page 204)
  — "If User and Token Information is in Different Databases" (page 207)
• "OTP or Password Validation at External RADIUS Server" (page 210)
  — "Validating Password on the Local Server and Forwarding OTP to Another RADIUS Server" (page 210)
  — "Validating OTP on the Local Server and Forwarding Password to Another RADIUS Server" (page 214)
  — "Forwarding OTP and Password to Another RADIUS Server for Validation" (page 217)
Notes:
• The scenarios described in this section are applicable whether you are using RADIUS standard password authentication or EAP authentication.
• The HP-UX AAA Server supports only the following EAP authentication methods for OTP authentication:
  — PEAP (EAP-GTC)
  — TTLS (PAP and MS-CHAP v2)
• Creating different inner and outer realms for OTP authentication is supported only for TTLS (PAP and MS-CHAP v2). For information on creating tunneled EAP realms, see "Adding a Realm" (page 105).
Validating OTP Alone
To configure the HP-UX AAA Server to validate OTP alone, complete the following steps:

1. Configure the realm using the Realms Screen of the Server Manager. While configuring the realm, use the procedure listed in "Configuring Realms for Database Access via SQL" (page 111). In the User Storage Parameters field, ensure that the RetrieveToken SQL action is selected and the configuration is saved. For more information on configuring the realm, see "Adding a Realm" (page 105).

2. If not already appended, append the contents of the sample OTP reference implementation policy files (located in /opt/aaa/examples/config) to the default policy files (located in /etc/opt/aaa) using the following commands:

# cat /opt/aaa/examples/config/oath-request-ingress.grp >> /etc/opt/aaa/request-ingress.grp
# cat /opt/aaa/examples/config/oath-reply-egress.grp >> /etc/opt/aaa/reply-egress.grp

3. In the /etc/opt/aaa/request-ingress.grp file, replace the <realm> variable and configure the Otp-ActionId attribute according to the following rules:

If you have configured the realm for RADIUS standard password or MS-CHAP v2 authentication:
Replace the <realm> variable in the following syntax with the realm name configured in step 1:

if ((count (User-Name) > 0) && (substr (User-Name after "@") = "<realm>")) {
    insert Otp-ActionId = 16
    exit "ACK"
}

If you have configured tunneled realms with different inner and outer realms for EAP authentication:
Replace the <realm> variable in the following syntax with the inner realm name configured in step 1:

if ((count (User-Name) > 0) && (substr (User-Name after "@") = "<realm>")) {
    insert Otp-ActionId = 16
    exit "ACK"
}

If you have configured tunneled realms with the same inner and outer realms for EAP authentication:
a. Delete the following (default) condition in the request-ingress.grp file:

if ((count (User-Name) > 0) && (substr (User-Name after "@") = "<realm>")) {
    insert Otp-ActionId = 112
    exit "ACK"
}

b. Based on the EAP authentication method you have configured, add one of the following conditions in the /etc/opt/aaa/request-ingress.grp file, and replace the <realm> variable with the inner realm name configured in step 1:
• If you have configured the realm for PEAP (EAP-GTC), add the following condition:

if ((count (User-Realm) > 0) && (User-Realm = "<realm>/peap")) {
    insert Otp-ActionId = 16
    exit "ACK"
}

• If you have configured the realm for TTLS (PAP) or TTLS (MS-CHAP v2), add the following condition:

if ((count (User-Realm) > 0) && (User-Realm = "<realm>/ttls")) {
    insert Otp-ActionId = 16
    exit "ACK"
}

4. In the /etc/opt/aaa/reply-egress.grp file, replace the <realm> variable with the realm name configured in step 1 in the following condition:

if ( (count (User-Realm) > 0) && (User-Realm = "<realm>") )

Use the following rules when replacing the <realm> variable with the realm name:
• The realm for RADIUS standard password authentication: replace <realm> with the realm name configured in step 1.
• Tunneled realms with different inner and outer realms for EAP authentication: replace <realm> with the inner realm name configured in step 1.
• Tunneled realms with the same inner and outer realms for EAP authentication: replace <realm> with the inner realm name configured in step 1, using the syntax <realm>/peap for PEAP (EAP-GTC) or <realm>/ttls for TTLS (PAP) or TTLS (MS-CHAP v2).

5. Reload the configuration changes by selecting Reload from the Administration screen of the Server Manager. If the server is not running, start the HP-UX AAA Server to read the configuration information.

The HP-UX AAA Server is now configured to validate OTP alone.
Configuring Two-Factor Authentication
This section describes how to configure two-factor authentication in the following deployment scenarios:
• "If User and Token Information is in Different SQL Database Tables" (page 202)
• "If User and Token Information is in the Same SQL Database Table" (page 204)
• "If User and Token Information is in Different Databases" (page 207)
If User and Token Information is in Different SQL Database Tables
This is the default configuration.To configure two-factor authentication if user and token information is in differenttables in the same SQL database, complete the following steps:1. Configure the realm using the Realms Screen of the Server Manager. While
configuring the realm, use the procedure listed in “Configuring Realms for DatabaseAccess via SQL” (page 111). In the User Storage Parameters field, ensure that theRetrieveUserAndToken SQL action is selected and the configuration is saved.For more information on configuring the realm, see “Adding a Realm” (page 105).
2. If not appended , append the contents of the sample OTP reference implementationpolicy files (located in /opt/aaa/examples/config) to the default policy files(located in /etc/opt/aaa) using the following commands:# cat /opt/aaa/examples/config/oath-request-ingress.grp >> /etc/opt/aaa/request-ingress.grp
# cat /opt/aaa/examples/config/oath-reply-egress.grp >> /etc/opt/aaa/reply-egress.grp
3. In the/etc/opt/aaa/request-ingress.grp file, replace the<realm>variableand configure the Otp-ActionId attribute according to the following rules:
202 OATH Standards-Based OTP Authentication
   If you have configured the realm for RADIUS standard password or MS-CHAP v2 authentication:

   For RADIUS standard password, replace the <realm> variable in the following syntax with the realm name configured in Step 1:

      if ((count (User-Name) > 0) && (substr (User-Name after "@") = "<realm>"))
      {
         insert Otp-ActionId = 112
         exit "ACK"
      }

   For MS-CHAP v2, replace the <realm> variable in the following syntax with the realm name configured in Step 1:

      if ((count (User-Name) > 0) && (substr (User-Name after "@") = "<realm>"))
      {
         insert Otp-ActionId = 48
         exit "ACK"
      }

   If you have configured tunneled realms with different inner and outer realms for EAP authentication:

   Replace the <realm> variable in the following syntax with the inner realm name configured in Step 1:

      if ((count (User-Name) > 0) && (substr (User-Name after "@") = "<realm>"))
      {
         insert Otp-ActionId = 112
         exit "ACK"
      }

   If you have configured tunneled realms with the same inner and outer realms for EAP authentication:

   1. Delete the following (default) condition in the /etc/opt/aaa/request-ingress.grp file:

      if ((count (User-Name) > 0) && (substr (User-Name after "@") = "<realm>"))
      {
         insert Otp-ActionId = 112
         exit "ACK"
      }

   2. Based on the EAP authentication method you have configured, add one of the following conditions in the /etc/opt/aaa/request-ingress.grp file, and replace the <realm> variable with the inner realm name configured in Step 1:

      • If you have configured the realm for PEAP (EAP-GTC), add the following condition:

         if ((count (User-Realm) > 0) && (User-Realm = "<realm>/peap"))
         {
            insert Otp-ActionId = 112
            exit "ACK"
         }

      • If you have configured the realm for TTLS (PAP), add the following condition:

         if ((count (User-Realm) > 0) && (User-Realm = "<realm>/ttls"))
         {
            insert Otp-ActionId = 112
            exit "ACK"
         }

      • If you have configured the realm for TTLS (MS-CHAP v2), add the following condition:

         if ((count (User-Realm) > 0) && (User-Realm = "<realm>/ttls"))
         {
            insert Otp-ActionId = 48
            exit "ACK"
         }
Configuring OTP Authentication on the HP-UX AAA Server 203
4. In the /etc/opt/aaa/reply-egress.grp file, replace the <realm> variable with the realm name configured in Step 1 in the following condition:

      if ( (count (User-Realm) > 0) && (User-Realm = "<realm>") )

   Use the following rules when replacing the <realm> variable with the realm name:

   • If you have configured the realm for RADIUS standard password authentication, replace <realm> with the realm name configured in Step 1.
   • If you have configured tunneled realms with different inner and outer realms for EAP authentication, replace <realm> with the inner realm name configured in Step 1.
   • If you have configured tunneled realms with the same inner and outer realms for EAP authentication, replace <realm> with the inner realm name configured in Step 1 using the following syntax:
      • PEAP (EAP-GTC): <realm>/peap
      • TTLS (PAP) or TTLS (MS-CHAP v2): <realm>/ttls
5. Reload the configuration changes by selecting Reload from the Administration screen of the Server Manager. If the server is not running, start the HP-UX AAA Server so that it reads the new configuration.

The HP-UX AAA Server is now configured for two-factor authentication.
If User and Token Information is in the Same SQL Database Table
The default configuration enables you to store user and token information in different database tables. To store user and token information in a single table, you must merge the two tables (RAD_USERS_TABLE and RAD_TOKENS_TABLE) into a single table.

To configure two-factor authentication if user profile and token information is stored in the same table in the SQL database, complete the following steps:

1. Configure the realm using the Realms Screen of the Server Manager. While configuring the realm, use the procedure listed in “Configuring Realms for Database Access via SQL” (page 111). In the User Storage Parameters field, ensure that the RetrieveUserAndToken SQL action is selected and the configuration is saved. For more information on configuring the realm, see “Adding a Realm” (page 105).

2. Modify the RetrieveUserAndToken SQL action in the /etc/opt/aaa/sqlaccess.config file to retrieve user and token information from the combined table.
3. Modify the following stored procedures in the SQL database for the combined table:
   • update_seq_and_success_count
   • update_failedcount_tokenstatus

4. If not already appended, append the contents of the sample OTP reference implementation policy files (located in /opt/aaa/examples/config) to the default policy files (located in /etc/opt/aaa) using the following commands:

   # cat /opt/aaa/examples/config/oath-request-ingress.grp >> /etc/opt/aaa/request-ingress.grp
   # cat /opt/aaa/examples/config/oath-reply-egress.grp >> /etc/opt/aaa/reply-egress.grp

5. In the /etc/opt/aaa/request-ingress.grp file, replace the <realm> variable and configure the Otp-ActionId attribute according to the following rules:
   If you have configured the realm for RADIUS standard password or MS-CHAP v2 authentication:

   For RADIUS standard password, replace the <realm> variable in the following syntax with the realm name configured in Step 1:

      if ((count (User-Name) > 0) && (substr (User-Name after "@") = "<realm>"))
      {
         insert Otp-ActionId = 112
         exit "ACK"
      }

   For MS-CHAP v2, replace the <realm> variable in the following syntax with the realm name configured in Step 1:

      if ((count (User-Name) > 0) && (substr (User-Name after "@") = "<realm>"))
      {
         insert Otp-ActionId = 48
         exit "ACK"
      }

   If you have configured tunneled realms with different inner and outer realms for EAP authentication:

   Replace the <realm> variable in the following syntax with the inner realm name configured in Step 1:

      if ((count (User-Name) > 0) && (substr (User-Name after "@") = "<realm>"))
      {
         insert Otp-ActionId = 112
         exit "ACK"
      }

   If you have configured tunneled realms with the same inner and outer realms for EAP authentication:

   1. Delete the following (default) condition in the /etc/opt/aaa/request-ingress.grp file:

      if ((count (User-Name) > 0) && (substr (User-Name after "@") = "<realm>"))
      {
         insert Otp-ActionId = 112
         exit "ACK"
      }

   2. Based on the EAP authentication method you have configured, add one of the following conditions in the /etc/opt/aaa/request-ingress.grp file, and replace the <realm> variable with the inner realm name configured in Step 1:

      • If you have configured the realm for PEAP (EAP-GTC), add the following condition:

         if ((count (User-Realm) > 0) && (User-Realm = "<realm>/peap"))
         {
            insert Otp-ActionId = 112
            exit "ACK"
         }

      • If you have configured the realm for TTLS (PAP), add the following condition:

         if ((count (User-Realm) > 0) && (User-Realm = "<realm>/ttls"))
         {
            insert Otp-ActionId = 112
            exit "ACK"
         }

      • If you have configured the realm for TTLS (MS-CHAP v2), add the following condition:

         if ((count (User-Realm) > 0) && (User-Realm = "<realm>/ttls"))
         {
            insert Otp-ActionId = 48
            exit "ACK"
         }
6. In the /etc/opt/aaa/reply-egress.grp file, replace the <realm> variable with the realm name configured in Step 1 in the following condition:

      if ( (count (User-Realm) > 0) && (User-Realm = "<realm>") )

   Use the following rules when replacing the <realm> variable with the realm name:

   • If you have configured the realm for RADIUS standard password authentication, replace <realm> with the realm name configured in Step 1.
   • If you have configured tunneled realms with different inner and outer realms for EAP authentication, replace <realm> with the inner realm name configured in Step 1.
   • If you have configured tunneled realms with the same inner and outer realms for EAP authentication, replace <realm> with the inner realm name configured in Step 1 using the following syntax:
      • PEAP (EAP-GTC): <realm>/peap
      • TTLS (PAP) or TTLS (MS-CHAP v2): <realm>/ttls

7. Reload the configuration changes by selecting Reload from the Administration screen of the Server Manager. If the server is not running, start the HP-UX AAA Server so that it reads the new configuration.

The HP-UX AAA Server is now configured for two-factor authentication.
If User and Token Information is in Different Databases
To configure two-factor authentication if user profile and token information is stored in different databases, complete the following steps:

1. Configure the realm using the Realms Screen of the Server Manager. Based on the user profile, configure the realm for the local users file, LDAP, or an Oracle or MySQL database using SQL Access, and save the configuration. For more information on configuring the realm, see “Adding a Realm” (page 105).

2. If not already appended, append the contents of the sample OTP reference implementation policy files (located in /opt/aaa/examples/config) to the default policy files (located in /etc/opt/aaa) using the following commands:

   # cat /opt/aaa/examples/config/oath-request-ingress.grp >> /etc/opt/aaa/request-ingress.grp
   # cat /opt/aaa/examples/config/oath-reply-egress.grp >> /etc/opt/aaa/reply-egress.grp

3. In the /etc/opt/aaa/request-ingress.grp file, replace the <realm> variable and configure the Otp-ActionId attribute according to the following rules:
   If you have configured the realm for RADIUS standard password or MS-CHAP v2 authentication:

   For RADIUS standard password, replace the <realm> variable in the following syntax with the realm name configured in Step 1:

      if ((count (User-Name) > 0) && (substr (User-Name after "@") = "<realm>"))
      {
         insert Otp-ActionId = 112
         insert Otp-Retrieve-TokenInfo-ActionId = "RetrieveToken"
         exit "ACK"
      }

   For MS-CHAP v2, replace the <realm> variable in the following syntax with the realm name configured in Step 1:

      if ((count (User-Name) > 0) && (substr (User-Name after "@") = "<realm>"))
      {
         insert Otp-ActionId = 48
         insert Otp-Retrieve-TokenInfo-ActionId = "RetrieveToken"
         exit "ACK"
      }

   If you have configured tunneled realms with different inner and outer realms for EAP authentication:

   Replace the <realm> variable in the following syntax with the inner realm name configured in Step 1:

      if ((count (User-Name) > 0) && (substr (User-Name after "@") = "<realm>"))
      {
         insert Otp-ActionId = 112
         insert Otp-Retrieve-TokenInfo-ActionId = "RetrieveToken"
         exit "ACK"
      }

   If you have configured tunneled realms with the same inner and outer realms for EAP authentication:

   1. Delete the following (default) condition in the /etc/opt/aaa/request-ingress.grp file:

      if ((count (User-Name) > 0) && (substr (User-Name after "@") = "<realm>"))
      {
         insert Otp-ActionId = 112
         exit "ACK"
      }

   2. Based on the EAP authentication method you have configured, add one of the following conditions in the /etc/opt/aaa/request-ingress.grp file, and replace the <realm> variable with the inner realm name configured in Step 1:

      • If you have configured the realm for PEAP (EAP-GTC), add the following condition:

         if ((count (User-Realm) > 0) && (User-Realm = "<realm>/peap"))
         {
            insert Otp-ActionId = 112
            insert Otp-Retrieve-TokenInfo-ActionId = "RetrieveToken"
            exit "ACK"
         }

      • If you have configured the realm for TTLS (PAP), add the following condition:

         if ((count (User-Realm) > 0) && (User-Realm = "<realm>/ttls"))
         {
            insert Otp-ActionId = 112
            insert Otp-Retrieve-TokenInfo-ActionId = "RetrieveToken"
            exit "ACK"
         }

      • If you have configured the realm for TTLS (MS-CHAP v2), add the following condition:

         if ((count (User-Realm) > 0) && (User-Realm = "<realm>/ttls"))
         {
            insert Otp-ActionId = 48
            insert Otp-Retrieve-TokenInfo-ActionId = "RetrieveToken"
            exit "ACK"
         }

   NOTE: In this example, the Otp-Retrieve-TokenInfo-ActionId attribute is configured to retrieve token information from the SQL database.
4. In the /etc/opt/aaa/reply-egress.grp file, replace the <realm> variable with the realm name configured in Step 1 in the following condition:

      if ( (count (User-Realm) > 0) && (User-Realm = "<realm>") )

   Use the following rules when replacing the <realm> variable with the realm name:

   • If you have configured the realm for RADIUS standard password authentication, replace <realm> with the realm name configured in Step 1.
   • If you have configured tunneled realms with different inner and outer realms for EAP authentication, replace <realm> with the inner realm name configured in Step 1.
   • If you have configured tunneled realms with the same inner and outer realms for EAP authentication, replace <realm> with the inner realm name configured in Step 1 using the following syntax:
      • PEAP (EAP-GTC): <realm>/peap
      • TTLS (PAP) or TTLS (MS-CHAP v2): <realm>/ttls

5. Reload the configuration changes by selecting Reload from the Administration screen of the Server Manager. If the server is not running, start the HP-UX AAA Server so that it reads the new configuration.

The HP-UX AAA Server is now configured for two-factor authentication.
OTP or Password Validation at External RADIUS Server
This section discusses deployment scenarios in which the OTP or the password must be validated by an external RADIUS server. The following scenarios are covered:

• “Validating Password on the Local Server and Forwarding OTP to Another RADIUS Server” (page 210)
• “Validating OTP on the Local Server and Forwarding Password to Another RADIUS Server” (page 214)
• “Forwarding OTP and Password to Another RADIUS Server for Validation” (page 217)

NOTE: For the MS-CHAP v2 authentication protocol, partial validation (the OTP or the password locally and the remaining part at an external RADIUS server) is not possible. The complete validation must be performed either at the local HP-UX AAA Server or at an external RADIUS server.
Validating Password on the Local Server and Forwarding OTP to Another RADIUS Server
To configure the HP-UX AAA Server to validate the password and forward the OTP to another RADIUS server for validation, complete the following steps:

1. Configure the realm using the Realms Screen of the Server Manager. Based on the user profile, configure the realm for the local users file, LDAP, or an Oracle or MySQL database using SQL Access. For more information on configuring the realm, see “Adding a Realm” (page 105).

2. Configure the proxy target server using the Server Manager and save the configuration. For more information on configuring proxies, see “Configuring Proxies” (page 117).

3. If not already appended, append the contents of the sample OTP reference implementation policy files (located in /opt/aaa/examples/config) to the default policy files (located in /etc/opt/aaa) using the following commands:

   # cat /opt/aaa/examples/config/oath-request-ingress.grp >> /etc/opt/aaa/request-ingress.grp
   # cat /opt/aaa/examples/config/oath-reply-egress.grp >> /etc/opt/aaa/reply-egress.grp
   # cat /opt/aaa/examples/config/oath-proxy-egress.grp >> /etc/opt/aaa/proxy-egress.grp

4. In the /etc/opt/aaa/request-ingress.grp file, replace the <realm> variable and configure the Otp-ActionId attribute according to the following rules:
   If you have configured the realm for RADIUS standard password authentication:

   Replace the <realm> variable in the following syntax with the realm name configured in Step 1:

      if ((count (User-Name) > 0) && (substr (User-Name after "@") = "<realm>"))
      {
         insert Otp-ActionId = 101
         exit "ACK"
      }

   If you have configured tunneled realms with different inner and outer realms for EAP authentication:

   Replace the <realm> variable in the following syntax with the inner realm name configured in Step 1:

      if ((count (User-Name) > 0) && (substr (User-Name after "@") = "<realm>"))
      {
         insert Otp-ActionId = 101
         exit "ACK"
      }

   If you have configured tunneled realms with the same inner and outer realms for EAP authentication:

   1. Delete the following (default) condition in the /etc/opt/aaa/request-ingress.grp file:

      if ((count (User-Name) > 0) && (substr (User-Name after "@") = "<realm>"))
      {
         insert Otp-ActionId = 112
         exit "ACK"
      }

   2. Based on the EAP authentication method you have configured, add one of the following conditions in the /etc/opt/aaa/request-ingress.grp file, and replace the <realm> variable with the inner realm name configured in Step 1:

      • If you have configured the realm for PEAP (EAP-GTC), add the following condition:

         if ((count (User-Realm) > 0) && (User-Realm = "<realm>/peap"))
         {
            insert Otp-ActionId = 101
            exit "ACK"
         }

      • If you have configured the realm for TTLS (PAP), add the following condition:

         if ((count (User-Realm) > 0) && (User-Realm = "<realm>/ttls"))
         {
            insert Otp-ActionId = 101
            exit "ACK"
         }
5. In the /etc/opt/aaa/proxy-egress.grp file, replace the <proxyrealm> variable with the realm name, and the <Proxy Target Server or IP Address> variable with the host name (FQDN) or IP address of the proxy target server configured in Step 2, as follows:

      if ( (count (User-Realm) > 0) && (User-Realm = "<proxyrealm>") )
      {
         modify Interlink-Proxy-Target = "<Proxy Target Server or IP Address>"
         exit "ACK"
      }

   Use the following rules when replacing the <proxyrealm> variable with the realm name:

   • If you have configured the realm for RADIUS standard password authentication, replace <proxyrealm> with the realm name configured in Step 1.
   • If you have configured tunneled realms with different inner and outer realms for EAP authentication, replace <proxyrealm> with the inner realm name configured in Step 1.
   • If you have configured tunneled realms with the same inner and outer realms for EAP authentication, replace <proxyrealm> with the inner realm name configured in Step 1 using the following syntax:
      • PEAP (EAP-GTC): <realm>/peap
      • TTLS (PAP): <realm>/ttls
6. Reload the configuration changes by selecting Reload from the Administration screen of the Server Manager. If the server is not running, start the HP-UX AAA Server so that it reads the new configuration.

7. Configure the proxy target server for OTP validation as follows:

   • If the proxy target server is an HP-UX AAA Server:

      1. On the proxy target server, configure the proxying HP-UX AAA Server as a RADIUS client, using the same shared secret that was configured for the proxy target in Step 2. For more information, see “Configuring RADIUS Clients Using the Access Devices Screen” (page 100).

      2. Configure the proxy target server to validate the OTP. For more information, see “Validating OTP Alone” (page 200).

      IMPORTANT: When specifying the realm in the remote server’s request-ingress.grp file, always use the following syntax:

         if ((count (User-Name) > 0) && (substr (User-Name after "@") = "<realm>"))
         {
            insert Otp-ActionId = 16
            exit "ACK"
         }

      If you have configured tunneled realms with different inner and outer realms for EAP authentication, replace the <realm> variable with the inner realm name.

   • If the proxy target server is not an HP-UX AAA Server, see the documentation of the target RADIUS server to configure OTP authentication.

   NOTE: When configuring the proxy target server, you must use the realm name that you configured in Step 1.

The HP-UX AAA Server is now configured to validate the password on the local server and forward the OTP to another RADIUS server for validation.
Validating OTP on the Local Server and Forwarding Password to Another RADIUS Server
To configure the HP-UX AAA Server to validate the OTP and forward the password to another RADIUS server for validation, complete the following steps:

1. Configure the realm using the Realms Screen of the Server Manager. While configuring the realm, use the procedure listed in “Configuring Realms for Database Access via SQL” (page 111). In the User Storage Parameters field, ensure that the RetrieveToken SQL action is selected and the configuration is saved. For more information on configuring the realm, see “Adding a Realm” (page 105).

2. Configure the proxy target server using the Server Manager and save the configuration. For more information on configuring proxies, see “Configuring Proxies” (page 117).

3. If not already appended, append the contents of the sample OTP reference implementation policy files (located in /opt/aaa/examples/config) to the default policy files (located in /etc/opt/aaa) using the following commands:

   # cat /opt/aaa/examples/config/oath-request-ingress.grp >> /etc/opt/aaa/request-ingress.grp
   # cat /opt/aaa/examples/config/oath-reply-egress.grp >> /etc/opt/aaa/reply-egress.grp
   # cat /opt/aaa/examples/config/oath-proxy-egress.grp >> /etc/opt/aaa/proxy-egress.grp

4. In the /etc/opt/aaa/request-ingress.grp file, replace the <realm> variable and configure the Otp-ActionId attribute according to the following rules:
   If you have configured the realm for RADIUS standard password authentication:

   Replace the <realm> variable in the following syntax with the realm name configured in Step 1:

      if ((count (User-Name) > 0) && (substr (User-Name after "@") = "<realm>"))
      {
         insert Otp-ActionId = 83
         exit "ACK"
      }

   If you have configured tunneled realms with different inner and outer realms for EAP authentication:

   Replace the <realm> variable in the following syntax with the inner realm name configured in Step 1:

      if ((count (User-Name) > 0) && (substr (User-Name after "@") = "<realm>"))
      {
         insert Otp-ActionId = 83
         exit "ACK"
      }

   If you have configured tunneled realms with the same inner and outer realms for EAP authentication:

   1. Delete the following (default) condition in the /etc/opt/aaa/request-ingress.grp file:

      if ((count (User-Name) > 0) && (substr (User-Name after "@") = "<realm>"))
      {
         insert Otp-ActionId = 112
         exit "ACK"
      }

   2. Based on the EAP authentication method you have configured, add one of the following conditions in the /etc/opt/aaa/request-ingress.grp file, and replace the <realm> variable with the inner realm name configured in Step 1:

      • If you have configured the realm for PEAP (EAP-GTC), add the following condition:

         if ((count (User-Realm) > 0) && (User-Realm = "<realm>/peap"))
         {
            insert Otp-ActionId = 83
            exit "ACK"
         }

      • If you have configured the realm for TTLS (PAP), add the following condition:

         if ((count (User-Realm) > 0) && (User-Realm = "<realm>/ttls"))
         {
            insert Otp-ActionId = 83
            exit "ACK"
         }
5. In the /etc/opt/aaa/reply-egress.grp file, replace the <realm> variable with the realm name configured in Step 1 in the following condition:

      if ( (count (User-Realm) > 0) && (User-Realm = "<realm>") )

   Use the following rules when replacing the <realm> variable with the realm name:

   • If you have configured the realm for RADIUS standard password authentication, replace <realm> with the realm name configured in Step 1.
   • If you have configured tunneled realms with different inner and outer realms for EAP authentication, replace <realm> with the inner realm name configured in Step 1.
   • If you have configured tunneled realms with the same inner and outer realms for EAP authentication, replace <realm> with the inner realm name configured in Step 1 using the following syntax:
      • PEAP (EAP-GTC): <realm>/peap
      • TTLS (PAP): <realm>/ttls

6. In the /etc/opt/aaa/proxy-egress.grp file, replace the <proxyrealm> variable with the realm name, and the <Proxy Target Server or IP Address> variable with the host name (FQDN) or IP address of the proxy target server configured in Step 2, as follows:

      if ( (count (User-Realm) > 0) && (User-Realm = "<proxyrealm>") )
      {
         modify Interlink-Proxy-Target = "<Proxy Target Server or IP Address>"
         exit "ACK"
      }

   NOTE: When specifying the realm, ensure the following:
   • The realm name used is identical to the name used when configuring the realm (Step 1).
   • The realm is specified using the realm specification rules listed in Step 5.
7. Reload the configuration changes by selecting Reload from the Administration screen of the Server Manager. If the server is not running, start the HP-UX AAA Server so that it reads the new configuration.

8. Configure the proxy target server for password validation as follows:

   • If the proxy target server is an HP-UX AAA Server:

      1. On the proxy target server, configure the proxying HP-UX AAA Server as a RADIUS client, using the same shared secret that was configured for the proxy target in Step 2. For more information, see “Configuring RADIUS Clients Using the Access Devices Screen” (page 100).

      2. Configure the proxy target server to validate the password. For more information, see “Adding a Realm” (page 105).

   • If the proxy target server is not an HP-UX AAA Server, see the documentation of the target RADIUS server to configure password validation.

   NOTE: When configuring the proxy target server, you must use the realm name that you configured in Step 1.

The HP-UX AAA Server is now configured for OTP validation at the local server and password validation at the external server.
Forwarding OTP and Password to Another RADIUS Server for Validation
To forward the OTP and password (complete request) to another RADIUS server, HPrecommends that you use the Server Manager to forward the complete request to theRADIUS server. For more information on forwarding requests, see “ConfiguringProxies” (page 117).
Predefined Mapping and Conversion Functions

HP provides the following additional predefined mapping functions to configure OTP authentication:

• The AAASetConvertedHexToBinaryString conversion function: This conversion function is used when the shared secrets for the token generators are provided as hexadecimal strings. The HMAC algorithm (on which HOTP is based) requires the shared secret as raw binary, not as hexadecimal text. In such scenarios, you can use the AAASetConvertedHexToBinaryString function to convert the hexadecimal shared secret to binary format.

• The AAATokenStatusCheck function: This mapping function verifies whether the status of the token is ACTIVE. If the status is ACTIVE, the HP-UX AAA Server allows the user to continue with the OTP authentication process. If the status is ASSIGN, the user has to activate the token using the User Database Administration Manager. For any other token status, the HP-UX AAA Server rejects the request and prompts the user to contact the administrator. For more information about token status, see “Valid Token Status Values” (page 383).
Sample Configuration Files

This section discusses the syntax of the sample configuration files that are used to configure OTP authentication in the HP-UX AAA Server. This section addresses the following topics:

• “The sqlaccess.config Sample File” (page 217)
• “Sample Policy Files”

The sqlaccess.config Sample File

To support OTP authentication, the dbsetup.sql sample file creates an additional database table, RAD_TOKENS_TABLE, with the following columns:
RAD_TOKENS_TABLE
   serial_number
   user_name
   manufacturer
   token_status
   seq_counter
   shared_secret
   otp_length
   lookup_window
   checksum
   activation_code
   success_auth_count
   failed_auth_count
   failed_lock_count
   locktime
The SQL actions and stored procedures listed in Table 16-6 are added in the sqlaccess.config file to support OTP authentication.

Table 16-6 SQL Actions and Stored Procedures that Support OTP Authentication

SQL action: RetrieveToken
Table operated on: RAD_TOKENS_TABLE
Operation: Retrieves token information. Uses SQL result mapping to ensure that at least one row is returned. It also sets the event to RETRIEVE_SUCCESS on exiting to the FSM.

SQL action: RetrieveUserAndToken
Table operated on: RAD_TOKENS_TABLE and RAD_USERS_TABLE
Operation: Retrieves user and token information. Uses SQL result mapping to ensure that at least one row is returned. It also sets the event to RETRIEVE_SUCCESS on exiting to the FSM.

SQL action: UpdateSequenceCounterAndSuccessAuthCount
Table operated on: RAD_TOKENS_TABLE
Operation: A stored procedure that is created using dbsetup.sql. This procedure updates the sequence counter that is passed as an argument. This action is called after successful OTP authentication. This stored procedure also increments the success authentication count.

SQL action: UpdateFailedAuthCountAndTokenStatus
Table operated on: RAD_TOKENS_TABLE
Operation: A stored procedure that is created using dbsetup.sql. This procedure increments the failed authentication count after a failed authentication. This stored procedure also increments the lock counter for each failed authentication. If the number of consecutive failed authentication attempts is greater than the configured token lock counter value (default 6), where the time interval between two consecutive failed authentication attempts is less than 60 seconds, it updates the token status to LOCKED. Based on your requirements, you can modify this stored procedure to configure the time interval. You can also modify this stored procedure to lock the user account using a different method.
IMPORTANT NOTES:

• After using the sample reference implementation and before deploying your implementation in a production environment, you must change the default passwords for the database user and the test user, and the shared secret of the test user.

• If the shared secret provided by the token vendor is in ASCII format, edit the /etc/opt/aaa/sqlaccess.config file to change the following entry in the RetrieveUserAndToken SQL action:

      DBC(RAD_TOKENS_TABLE.shared_secret, 128, CHAR) FUNC(AAASetConvertedHexToBinaryString)

   to

      DBC(RAD_TOKENS_TABLE.shared_secret, 128, CHAR) RAD(Otp-Shared-Secret, REPLY)

   and reload the configuration changes.

   If you are using the RetrieveToken SQL action, the following entry must be modified instead:

      DBC(shared_secret, 128, CHAR) FUNC(AAASetConvertedHexToBinaryString)

   to

      DBC(shared_secret, 128, CHAR) RAD(Otp-Shared-Secret, REPLY)

   and reload the configuration changes.
In addition, the RAD_USERS_TABLE is extended with the following columns:

RAD_USERS_TABLE
   security_question
   security_answer
   mailing_address
   mailing_city
   mailing_state
   mailing_pin
   mailing_country
   email_id
   work_phone
   mobile_phone
Sample Policy Files

This section describes the sample policy files that are used for configuring OTP authentication. This section addresses the following topics:

• “The oath-request-ingress.grp Sample File”
• “The oath-reply-egress.grp Sample File” (page 221)
• “The oath-proxy-egress.grp Sample File” (page 222)
The oath-request-ingress.grp Sample File
The oath-request-ingress.grp file is the primary sample reference implementation file for configuring OTP authentication. You can configure OTP authentication-related actions by setting the bitmask in the Otp-ActionId attribute, and by configuring the OTP-specific attributes listed in “Attributes for Configuring OTP Authentication” (page 192).

To configure OTP authentication at the realm level, insert the Otp-ActionId value and the realm name as follows:

   if (( count (User-Name) > 0 ) && (substr (User-Name after "@") = "<realm>"))
   {
      #
      # Add Otp-ActionId attribute if it is not present in the authreq
      #
      if (count (Otp-ActionId) = 0)
      {
         insert Otp-ActionId = <decimal representation of bit mask value>
      }
      exit "ACK"
   }

For more information on the OTP authentication actions and the bit masks to be set, see “Advanced OTP Authentication Configuration Concepts” (page 187).
The oath-reply-egress.grp Sample File
The oath-reply-egress.grp sample file is the reference implementation policy file that enables you to increment the sequence counter that is required to complete OATH standards-based One Time Password (OTP) authentication. It also updates the user authentication counts and the token status.

The following condition checks the value of the Interlink-Proxy-Action attribute, and does not update the counters and token status if the value is anything other than ACK or NAK. For example, in the case of ACCT_START, ACCT_STOP, and ACC_CHAL events, the sequence counter is not updated:

   if ( (count(Interlink-Proxy-Action) > 0) && ( (Interlink-Proxy-Action = "ACCT") || (Interlink-Proxy-Action = "LAS_ACCT") ) )
   {
      exit "ACK"
   }

If authentication is successful for the OTP-configured realm, the following sample sets the SQL action to update the sequence counter and the success authentication count. If authentication fails, it sets the SQL action to update the failed authentication count and the failed lock counter, and to update the token status.

Replace <realm> with the realm name that is configured in the request-ingress.grp file, as follows:

   if ( (count (User-Realm) > 0) && (User-Realm = "<realm>") )
   {

In the case of successful authentication, the following sample inserts the Reply-Egress-ActionId attribute with the SQL action UpdateSequenceCounterAndSuccessAuthCount and returns the POST_REPLY_EGRESS event to update the sequence counter and success authentication count using SQL Access.

      if (Interlink-Reply-Status = "ACK")
      {
         if (count (Reply-Egress-ActionId) = 0)
         {
            insert Reply-Egress-ActionId = "UpdateSequenceCounterAndSuccessAuthCount"
         }
         exit "POST_REPLY_EGRESS"
      }

In the case of failed authentication, the following sample inserts the Reply-Egress-ActionId attribute with the SQL action UpdateFailedAuthCountAndTokenStatus and returns the POST_REPLY_EGRESS event to update the failed authentication count and failed lock counter using SQL Access.

      if (Interlink-Reply-Status = "NAK")
      {
         if (count (Reply-Egress-ActionId) = 0)
         {
            insert Reply-Egress-ActionId = "UpdateFailedAuthCountAndTokenStatus"
         }
         exit "POST_REPLY_EGRESS"
      }
   }
If the number of consecutive failed authentication attempts is greater than the configuredtoken lock counter value (default 6), where the time interval between two consecutivefailed authentication attempts is less than 60 seconds, the HP-UX AAA Server updatesthe token status to LOCKED.
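The following Python program is an added example, not HP code and not part of this guide: it implements, for one token, the behaviour that the page only describes in words in “Predefined Mapping and Conversion Functions” and in Table 16-6, namely the hex-to-binary conversion of the shared secret (AAASetConvertedHexToBinaryString), the ACTIVE/ASSIGN/other token status rule (AAATokenStatusCheck), the counter and success-count update after an ACK (UpdateSequenceCounterAndSuccessAuthCount) and the failed-count, lock-counter and LOCKED logic after a NAK (UpdateFailedAuthCountAndTokenStatus). Assumptions: the token generator is RFC 4226 HOTP (HMAC-SHA1, which the page calls HMAC-based HOTP); a Python dictionary with the page's RAD_TOKENS_TABLE column names stands in for the database row; the locktime column is taken to hold the time of the most recent failure; the shared secret is the RFC 4226 test secret, supplied as hex text; all names (hex_secret_to_bytes, hotp, new_token_record, validate_otp, demo) are this example's own.

```python
"""Added example: OATH HOTP validation with the page's counter-update and
token-lock rules, against an in-memory stand-in for a RAD_TOKENS_TABLE row.
Not HP code; HOTP per RFC 4226 is assumed as the token algorithm."""
import hashlib
import hmac
import struct
import time

LOCK_COUNT = 6       # page default: more than 6 consecutive failures ...
LOCK_INTERVAL = 60   # ... each less than 60 s after the previous one


def hex_secret_to_bytes(hex_secret):
    """Counterpart of AAASetConvertedHexToBinaryString: the HMAC key is the
    decoded bytes, not the ASCII hex text stored in shared_secret."""
    return bytes.fromhex(hex_secret)


def hotp(key, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then the low `digits` decimal digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def new_token_record(hex_secret, otp_length=6, lookup_window=10):
    """One RAD_TOKENS_TABLE row (column names from the page); the values
    are constructed for this example."""
    return {
        "token_status": "ACTIVE",
        "seq_counter": 0,
        "shared_secret": hex_secret,
        "otp_length": otp_length,
        "lookup_window": lookup_window,
        "success_auth_count": 0,
        "failed_auth_count": 0,
        "failed_lock_count": 0,
        "locktime": 0.0,   # assumed: time of the most recent failure
    }


def validate_otp(rec, otp, now=None):
    """Validate one OTP against the record and update it the way the page's
    two stored procedures do. Returns (accepted, reason)."""
    now = time.time() if now is None else now

    # AAATokenStatusCheck: only ACTIVE tokens may authenticate.
    status = rec["token_status"]
    if status == "ASSIGN":
        return False, "token not activated"
    if status != "ACTIVE":
        return False, "token status %s, contact the administrator" % status

    key = hex_secret_to_bytes(rec["shared_secret"])
    start = rec["seq_counter"]
    for counter in range(start, start + rec["lookup_window"]):
        expected = hotp(key, counter, rec["otp_length"])
        if hmac.compare_digest(expected.encode(), otp.encode()):
            # UpdateSequenceCounterAndSuccessAuthCount: move the stored
            # counter past the one just used so the same OTP cannot be
            # replayed, and reset the consecutive-failure counter.
            rec["seq_counter"] = counter + 1
            rec["success_auth_count"] += 1
            rec["failed_lock_count"] = 0
            return True, "ok"

    # UpdateFailedAuthCountAndTokenStatus: count the failure, and treat it
    # as consecutive only if it came less than LOCK_INTERVAL after the last.
    rec["failed_auth_count"] += 1
    if now - rec["locktime"] < LOCK_INTERVAL:
        rec["failed_lock_count"] += 1
    else:
        rec["failed_lock_count"] = 1
    rec["locktime"] = now
    if rec["failed_lock_count"] > LOCK_COUNT:
        rec["token_status"] = "LOCKED"
        return False, "token locked"
    return False, "bad otp"


# RFC 4226 Appendix D test secret ("12345678901234567890") as hex text,
# the form in which the page says token vendors may supply it.
RFC4226_SECRET_HEX = "3132333435363738393031323334353637383930"


def demo():
    """Walk one token through accept, replay and lock-out; returns the reasons."""
    rec = new_token_record(RFC4226_SECRET_HEX, lookup_window=7)
    out = [validate_otp(rec, "359152", now=1000)[1]]      # counter 2: accepted
    out.append(validate_otp(rec, "359152", now=1001)[1])  # replay: rejected
    for i in range(6):                                    # six more, 10 s apart
        out.append(validate_otp(rec, "000000", now=1010 + 10 * i)[1])
    good = hotp(hex_secret_to_bytes(RFC4226_SECRET_HEX), 3)
    out.append(validate_otp(rec, good, now=1100)[1])      # valid, but token is LOCKED
    return out


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Two points the page's wording leaves implicit are visible here: the stored counter is moved past the counter that just matched, so a captured OTP cannot be replayed even though it is still inside the look-ahead window, and the seventh consecutive failure locks the token (the rule is "greater than" the default of 6), after which even a correct OTP is refused until an administrator resets the status.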
The oath-proxy-egress.grp Sample File
The oath-proxy-egress.grp sample reference implementation file can be used to proxy the OTP, or the password, or both to the remote server for validation. To proxy the request to the proxy target server, replace the variable <proxyrealm> with the realm name that is configured in the request-ingress.grp file. You must also replace the variable <Proxy Target Server or IP Address> with the proxy target server host name (FQDN) or the IP Address.

    if ( (count (User-Realm) > 0) && (User-Realm = "<proxyrealm>") )
    {
        modify Interlink-Proxy-Target = "<Proxy Target Server or IP Address>"
        exit "ACK"
    }
17 Configuring EAP-SIM and EAP-AKA Authentication Methods
This chapter introduces you to the Extensible Authentication Protocol (EAP) for Global System for Mobile Communications (GSM) Subscriber Identity Module (SIM) and EAP for Universal Mobile Telecommunications System (UMTS) Authentication and Key Agreement (AKA) authentication methods. The chapter discusses the following topics:
• “EAP-SIM” (page 224)
• “EAP-AKA” (page 236)
• “Fast Re-Authentication” (page 248)
• “Pseudonym Identities” (page 256)
• “Generating Authentication Vectors Using A3, A8, and AKA Algorithms” (page 268)
EAP-SIM
This section discusses the EAP-SIM authentication method and its configurations. This section addresses the following topics:
• “Overview” (page 224)
• “EAP-SIM Authentication Using HP-UX AAA Server” (page 225)
• “Features” (page 227)
• “Benefits” (page 228)
• “Configuring EAP SIM” (page 228)
Overview
EAP-SIM is an authentication method capable of operating in wireless networks. EAP-SIM is used for authentication and session key distribution using the GSM SIM. GSM mobile network standard authentication builds on the challenge-response mechanism. Based on the algorithms specified by the operators, the SIM uses the 128-bit challenge and the secret key (subscriber key), Ki, to generate a 32-bit response and a 64-bit long cipher key, Kc, as output. Kc is used to derive the keying material. The Ki, which is also known as the authentication key, is a 128-bit value used to authenticate SIMs in the network. Each SIM is associated with a unique Ki, which is assigned by the operator. Therefore, the security of the protocol depends on Kc. However, for data networks that require stronger and longer keys, Kc is not very secure. To enhance security, the EAP-SIM mechanism combines multiple challenges to generate several 64-bit Kc long cipher keys. Collectively, these keys form stronger keying material. The security of EAP-SIM builds on the GSM mechanism. If the SIM credentials are used only for EAP-SIM, and are not re-used from GSM/GPRS, EAP-SIM is a more secure method than the underlying GSM mechanisms.
EAP-SIM Authentication Using HP-UX AAA Server
Each mobile device that is authorized to use the network has a unique identifier, called the International Mobile Subscriber Identity (IMSI), which identifies the subscriber contained in the SIM. The SIM is also embedded or burnt with a unique secret (subscriber) key, Ki, which is pre-shared with the HP-UX AAA Server user storage (also referred to as the Authentication Center, AuC). This forms the basis for securing access to the network. The authentication software on the user’s mobile device for EAP/802.1x authentication is referred to as the supplicant. The supplicant, accessing the SIM card information, communicates with the HP-UX AAA Server via the authenticator (access point) to gain access to the network. The supplicant sends its messages via EAP over LAN to the access point. The access point encapsulates the EAP message and uses the RADIUS protocol to communicate with the HP-UX AAA Server. The following is the process for a successful EAP-SIM authentication. Figure 17-1 shows the EAP-SIM authentication using the HP-UX AAA Server.
Figure 17-1 EAP-SIM Authentication Using HP-UX AAA Server
1. The supplicant communicates with the access point.
2. The access point responds with an EAP request message asking for its identity.
3. The supplicant sends an EAP response message with the IMSI information stored in the SIM. The EAP response message is encapsulated in the RADIUS Access-Request message and forwarded to the HP-UX AAA Server.
4. The HP-UX AAA Server responds to the supplicant via the access point, with the list of supported versions for the EAP-SIM key calculating algorithm.
5. The supplicant responds with the selected key algorithm version and a random number (NONCE_MT). The NONCE_MT is used to derive the key for the HP-UX AAA Server and the supplicant during subsequent requests, and to prevent replay attacks.
6. The HP-UX AAA Server does a lookup of the IMSI’s pre-shared Ki in the user’s profile storage and calculates the triplets (RAND, Signed RESponse (SRES), Kc) or directly gets the triplets from the user profile storage. The HP-UX AAA Server can use the LDAP directory server or the SQL-compliant SQL Access to retrieve the Ki and calculate ‘n’ GSM triplets (RAND, SRES, Kc). Typically, n=2 or n=3. The HP-UX AAA Server also allows adding a customized plug-in using the Software Development Kit (SDK) to contact any AuC in the network, to directly retrieve the ‘n’ triplets. After calculating the triplets, the HP-UX AAA Server responds with an EAP request challenge containing each of the random numbers (RAND), and their respective message authentication codes (AT_MAC).
7. The supplicant first verifies the message authentication code received from the HP-UX AAA Server for each of the RAND. After successfully validating the message authentication code for the received SRES, it generates the encryption key (Kc) used for deriving keying material and the signed response (SRES) values for each of the RAND values it received. The supplicant and the HP-UX AAA Server generate multiple RAND, to generate multiple encryption keys (Kc) to derive stronger keying material. Subsequently, it sends only the message authentication code for each of the SRES values in the EAP request challenge message.
8. The HP-UX AAA Server, on receiving the challenge, compares the received message authentication code by calculating its own message authentication code for the SRES values it already has. After the validation is successful, the HP-UX AAA Server derives the keying material for session encryption and sends it with an Access-Accept message to the access point. The Access-Accept message also has an encapsulated EAP Success message.
9. The access point forwards the EAP Success message to the supplicant, and keeps the keying material for encrypting the subscriber’s session. The supplicant also derives the same encryption key and therefore the access point does not forward it to the supplicant.
10. With the common session key, the network traffic between the access point and the supplicant can now be encrypted and the supplicant can securely access the network.
EAP-SIM includes optional identity privacy support, wherein the supplicant can send a temporary (pseudonym) identity instead of using the clear text permanent identity (IMSI), to prevent eavesdropping. In such cases, the HP-UX AAA Server has to do a lookup of the real user name (permanent identity) on receiving the pseudonym identity. The mapping of the permanent identity to the pseudonym, and vice versa, can be done using algorithms built into the HP-UX AAA Server or using an external store, such as an SQL-compliant database, that holds the mapping information.

EAP-SIM also includes optional fast re-authentication support, wherein the master session key generated during the previous full authentication is used to generate a fresh master session key. Therefore, a new set of triplets is not required. A supplicant requesting fast re-authentication sends the fast re-authentication identity received during the previous full authentication. The HP-UX AAA Server internally maps the fast re-authentication identity to the permanent identity either using an optional internal cache or using an external store, such as an SQL-compliant database, that holds the mapping information.
Features
The EAP-SIM authentication method is fully compliant with RFC 4186. It offers the following features:
• International Mobile Subscriber Identity (IMSI) permanent identities on a per realm basis.
• Non-IMSI permanent identities on a per realm basis.
• Protected success indications on a per realm basis.
• Fast re-authentication on a per realm basis.
• Pseudonyms generated using algorithms or randomly, on a per realm basis.
• To ensure that permanent user names, pseudonyms, and fast re-authentication user names are distinct and can be easily distinguished, the server generates pseudonyms whose leading character is 2 and fast re-authentication user names whose leading character is 3. In accordance with the RFC, permanent user names derived from the IMSI are prefixed with the leading character 1.
• A user's subscriber key, Ki, along with the names of the appropriate A3 and A8 algorithms, can be stored in an external database or a local file. The A3 and A8 algorithms are standard algorithms. If Ki is stored in one of these locations, the server automatically generates GSM authentication triplets using this information.
• A set of GSM authentication triplets can be stored in a local file. This is intended for use in a lab environment, and requires no additional user-written plug-ins.
• If the customer implements an AATV, the user credentials can be retrieved from an Authentication Center (AuC) that the AATV communicates with. The AuC function authenticates SIM cards that attempt to connect to the GSM network by generating data known as triplets.
• A3 or A8 3rd Generation Partnership Project (3GPP) Milenage algorithms are provided with parameters that can be configured.
• The Milenage A3 or A8 algorithm can be customized with a simple plug-in.
• Additional customer-supplied A3 or A8 algorithms can be plugged into the server.
• Occurrences and values of received SIM attributes are validated.
• Support for pseudonym and fast re-authentication identity mapping is built in, without the need for an external database. Support is also provided using SQL Access and built-in AATVs.
Benefits
EAP-SIM offers the following benefits:
• Offers more reliable security than the GSM mechanisms.
• Supports protection of the subscriber identity based on pseudonyms or temporary identifiers.
• Supports a fast re-authentication procedure.
Configuring EAP SIM
The configuration files must be edited manually, because EAP-SIM cannot be configured using the HP-UX AAA Server Manager. This section addresses the following topics:
• “EAP-SIM Client Configuration” (page 228)
• “EAP-SIM User Credential Lookup Configuration” (page 228)
• “EAP-SIM Realm-Based Configurations” (page 229)
• “Global EAP-SIM Configuration in aaa.config” (page 235)
NOTE: Subsequently, you must restart the RADIUS Server for the configurations to take effect.
EAP-SIM Client Configuration
You can configure the access point or the access device for the HP-UX AAA Server to use EAP-SIM, using the HP-UX AAA Server Manager. For more information on how to configure it, see Chapter 7 (page 100).
EAP-SIM User Credential Lookup Configuration
The HP-UX AAA Server, on receiving a SIM request, does a lookup of the unique identifier's (real username) credentials. The credentials can be the pre-shared subscriber key or the triplets from an external storage (like an AuC). The following information must be provided for the EAP-SIM module to continue processing the user request:
• User's Subscriber's key, Ki. For more information on these Attribute Value Pairs (AVPs), see “Generating Authentication Vectors Using A3, A8, and AKA Algorithms” (page 268). The server uses the following AVPs as input to generate authentication vectors:
  — Subscriber's key is a string attribute that contains the binary encoded 128-bit user secret key, Ki. The encoding must be in network byte order (big-endian).
  — A3 algorithm is a string attribute that indicates the name of the A3 algorithm to be applied in GSM triplet generation. The value is case-sensitive.
  — A8 algorithm is a string attribute that indicates the name of the A8 algorithm to be applied in GSM triplet generation. Most lines in the configuration files are limited to 1023 characters. This value is case-sensitive.
• GSM triplets. A GSM triplet is a fixed length binary string (octets) attribute, which holds an EAP-SIM authentication vector. The attribute value is a 224-bit (28 bytes) binary string. It is partitioned as follows:
  RAND = The first 128 bits (16 bytes) of the value.
  Kc = The next 64 bits (8 bytes) of the value.
  SRES = The last 32 bits (4 bytes) of the value.
The user credentials (Ki) can be stored in any of the following supported data repositories:
• local realm users file
• LDAP database
• SQL-compliant database using SQL Access
The following is an example of a local realm users file:

    # IMSI configured with 128 bit Subscriber-Key
    801448005551000 Subscriber-Key = "\x6d\x37\x71\x8a\xcc\xec\x37\x01\x4e\xdb\xf0\xf0\x3b\xe5\x77\xda",
NOTE: Subscriber's key is a binary string, and is configured as a quoted string of hex-escaped octets.
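The following Python is added here and is not part of the HP-UX AAA Server. It decodes a Subscriber-Key written in the hex-escaped form shown above, or as plain hex text (the form assumed here for the subscriber_key column that the SQL Access action later in this chapter passes through AAAHexToBinaryString), rejects anything that is not exactly 128 bits, reads IMSI/Ki pairs out of a users file, and splits a stored 224-bit GSM triplet into RAND, Kc, and SRES. The sample users-file text is the page's own example embedded as constructed input; the function names are the example's own.

```python
"""Added example, not part of the HP-UX AAA Server: decode a Subscriber-Key
as a users file stores it, and split a 224-bit GSM triplet into its fields."""
import re
from typing import Dict

KI_BYTES = 16                                        # 128-bit Ki, network byte order
RAND_BYTES, KC_BYTES, SRES_BYTES = 16, 8, 4
TRIPLET_BYTES = RAND_BYTES + KC_BYTES + SRES_BYTES   # 28 bytes / 224 bits

_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")
# IMSI followed (same line or next line) by a quoted Subscriber-Key of \xNN octets.
_ENTRY = re.compile(r'(\d+)\s+Subscriber-Key\s*=\s*"((?:\\x[0-9a-fA-F]{2})+)"')

# The page's own users-file example, embedded as constructed sample input.
SAMPLE_USERS_FILE = r'''
# IMSI configured with 128 bit Subscriber-Key
801448005551000 Subscriber-Key = "\x6d\x37\x71\x8a\xcc\xec\x37\x01\x4e\xdb\xf0\xf0\x3b\xe5\x77\xda",
'''


def decode_subscriber_key(value: str) -> bytes:
    r"""Accept the quoted "\x6d\x37..." form from a users file, or plain hex as
    an SQL column might hold it (assumption: the column stores hex text, which
    the page's AAAHexToBinaryString function converts). Anything that is not
    exactly 128 bits, or that is not well formed, raises ValueError."""
    s = value.strip()
    if len(s) >= 2 and s[0] == '"' and s[-1] == '"':
        s = s[1:-1]
    if "\\x" in s:
        octets = _ESCAPE.findall(s)
        if 4 * len(octets) != len(s):      # every character must belong to a \xNN escape
            raise ValueError("malformed hex-escape in Subscriber-Key")
        key = bytes(int(h, 16) for h in octets)
    else:
        key = bytes.fromhex(s)              # raises ValueError on non-hex input
    if len(key) != KI_BYTES:
        raise ValueError(f"Subscriber-Key must be {KI_BYTES} bytes, got {len(key)}")
    return key


def is_valid_subscriber_key(value: str) -> bool:
    """True when decode_subscriber_key() accepts the value."""
    try:
        decode_subscriber_key(value)
        return True
    except ValueError:
        return False


def parse_users_file(text: str) -> Dict[str, bytes]:
    """Map IMSI -> Ki for every Subscriber-Key entry; comment lines are ignored."""
    body = "\n".join(line for line in text.splitlines()
                     if not line.lstrip().startswith("#"))
    return {imsi: decode_subscriber_key(raw) for imsi, raw in _ENTRY.findall(body)}


def split_gsm_triplet(triplet: bytes) -> Dict[str, bytes]:
    """Partition a stored GSM triplet as the text describes: RAND | Kc | SRES."""
    if len(triplet) != TRIPLET_BYTES:
        raise ValueError(f"GSM triplet must be {TRIPLET_BYTES} bytes, got {len(triplet)}")
    return {
        "RAND": triplet[:RAND_BYTES],
        "Kc": triplet[RAND_BYTES:RAND_BYTES + KC_BYTES],
        "SRES": triplet[RAND_BYTES + KC_BYTES:],
    }
```

The length check matters in practice: a key that has lost an octet to a line wrap (for example a stray space inside an escape sequence) is rejected outright rather than being silently padded or truncated into a 120-bit value that would never produce matching triplets.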
EAP-SIM Realm-Based Configurations
Many EAP-SIM parameters can be configured on a per realm basis. These parameters are configured in realm entries stored in the authfile and EAP.authfile files.
Realm-Based EAP-SIM Configuration Information in authfile
The user's SIM credentials lookup information is configured in the authfile on a per realm basis. The EAP-SIM realm must be configured with the -SIM switch. The following syntax is used to configure the user credential storage:

    eapsimrealm.com -SIM <AATV name> <xstring, if any>
If a user-specific plug-in is added for user lookup, the AATV name is replaced with the plug-in name. The following sections describe the configuration of the HP-UX AAA Server users flat file, LDAP directory server, and SQL-compliant database for credential lookup (subscriber key). The HP-UX AAA Server receives GSM triplets directly when the external storage (typically an AuC) generates the triplets. An AATV must be written for this. For information on how to write an AATV, see Chapter 28 (page 446).
NOTE: The xstring field in the realm configuration must not have spaces.
iaaaFile Authentication Type
If the user credentials are available in the flat file, the iaaaFile AATV is used for lookup. The configuration of a realm which employs iaaaFile is followed by a required {} block. The {} block enables you to configure the following parameters:
• Request-Attribute-For-Search
• Policy-Pointer
The iaaaFile authfile configuration parameters are described in Table 17-1.
Table 17-1 The iaaaFile authfile Configuration Parameters

Request-Attribute-For-Search
    Indicates the search attribute to use for a user lookup. The attribute must be a string-type, such as string, tag-str, or octets. When iaaaFile is used for EAP-SIM, the value of the Request-Attribute-For-Search parameter must be Real-Username. The default value is User-Id.

Policy-Pointer
    For information on Policy-Pointer, see “Authorization to Control Sessions and Access to Services” (page 44).
    NOTE: This parameter is optional.
The following is an example of an iaaaFile configuration for credentials lookup:

    eapsimrealm.com -SIM iaaaFile isp
    {
        Request-Attribute-For-Search Real-Username
    }
The following is the sample content of the isp.users file:

    #######################################################################
    # file: /etc/opt/aaa/isp.users
    #######################################################################
    123456789000000 Subscriber-Key = "\x01\x47\x17\x49\x11\xe3\x96\xc9\x63\x1a\xc1\xb9\x22\x86\xf0\x1f"
    123456789000000 Subscriber-Key = "\x11\x1a\xf1\xc7\x11\x20\x26\x08\x4a\x58\xc7\xd8\x22\xe7\xca\x55"
    123456789000000 Subscriber-Key = "\x11\x48\xf2\xd4\x68\x71\x59\x11\x3c\x81\x27\xe6\x14\xfb\x64\x66"
PROLDAP Authentication Type
The PROLDAP AATV is enhanced to support the Request-Attribute-For-Search attribute. The Request-Attribute-For-Search attribute indicates the search attribute to use for a user lookup. The attribute must be a string-type, such as string, tag-str, or octets. The default value is User-Id. When PROLDAP is used for EAP-SIM, the value of the Request-Attribute-For-Search parameter must be Real-Username. The LDAP Directory server must return the Subscriber-Key (Ki) on successful lookup. The following is an example of a PROLDAP authfile configuration for credentials lookup:

    # This realm uses an LDAP database
    eapsimrealm.com -SIM PROLDAP "LDAP_lookup"
    {
        Request-Attribute-For-Search Real-Username
        Directory "Directory 1"
        {
            Host ldap1.ispx.com
            Port 389
            Administrator "cn=...,ou=...,ou=...,o=radius"
            Password password
            SearchBase "...,ou=...,o=radius"
            Authenticate Search
        }
    }
NOTE: The comment field (xstring) in the realm configuration (in the above example, "LDAP_lookup") must not have spaces.
SQL Access Authentication Type
To use the SQL Access authentication type, you must include the following entry in the authfile:

    eapsimrealm.com -SIM SQLAccess ActionId=RetrieveSimUser
Also, you must include the RetrieveSimUser SQL action in the sqlaccess.config file. The following SQL Action RetrieveSimUser is configured to return the subscriber key. After successfully retrieving it from an SQL-compliant database (db_oci) the SQL Action returns RETRIEVE_SUCCESS; otherwise it returns RETRIEVE_ERROR.
    SQLAction RetrieveSimUser
    {
        {
            input  RAD(Real-Username, REPLY) DBP(runame, 253, CHAR)
            output DBR(100:0) RET(RETRIEVE_ERROR)
                   DBR(-1:*) RET(ERROR)
                   DBC(subscriber_key, 64, CHAR) FUNC(StoreInSubscriberKey) AAAHexToBinaryString
                   DBR(0:0) RET(RETRIEVE_SUCCESS)
                   DBR(*:*) RET(RETRIEVE_ERROR)
            SQLStatement db_oci
            {
                SELECT subscriber_key FROM RAD_USERS_TABLE WHERE user_name=:runame
            }
        }
    }
NOTE: The subscriber_key column must be added to RAD_USERS_TABLE. StoreInSubscriberKey is the pre-defined mapping function, which stores the binary string into the Subscriber-Key attribute and inserts the resulting AV-Pair into AUTHREQ_REPLY_QUEUE.
For more information on SQL Access, see Chapter 22 (page 338).
Realm-Based EAP-SIM Configuration Information in EAP.authfile
The EAP.authfile entry for a realm that supports EAP-SIM can contain an optional {} configuration block following the EAP-Type SIM specification. This block contains realm-specific EAP-SIM configuration information, such as the algorithm to use for the realm users, and the Fast-Reauth and Pseudonym parameters discussed later in the chapter. For more information on Fast-Reauth and Pseudonym, see “Pseudonym Identities” (page 256). If certain parameters are not specified in the EAP-Type SIM {} configuration block, default values are assigned. For those parameters that do not have a default value, you must specify the values to ensure that the capability is supported. The following rules apply to the EAP-Type SIM {} configuration block parameters:
• The parameter names are case-insensitive.
• For parameters with on and off binary values, the values enabled, yes, on, and true are synonymous, and the values disabled, no, off, and false are synonymous.
• String parameter values must be enclosed within single or double quotes.
The EAP-Type SIM {} configuration block can contain any subset of the parameters, including the empty subset. The EAP.authfile configuration parameters are described in Table 17-3.
Table 17-2 EAP.authfile Configuration Parameters

A3 Algorithm
    Specifies the default A3 algorithm for the realm. If an A3 algorithm is needed to produce the GSM triplets for this user's authentication, then the A3 algorithm specified in this field is used. There is no default value. For information on available algorithms, see “Generating Authentication Vectors Using A3, A8, and AKA Algorithms” (page 268).

A8 Algorithm
    Specifies the default A8 algorithm for the realm. If an A8 algorithm is needed to produce the GSM triplets for this user's authentication, then the A8 algorithm specified in this field is used. There is no default value. For information on available algorithms, see “Generating Authentication Vectors Using A3, A8, and AKA Algorithms” (page 268).

Prefixed-IMSI-Permanent-IDs
    Indicates whether the server must accept permanent identities of the form 1 + IMSI, for this realm. EAP-SIM RFC 4186 indicates that the permanent identity must be derived from the IMSI. However, an implementation may choose a permanent identity that is not based on the IMSI. The server supports both options. The valid values are Enabled and Disabled. The default value is Enabled.

Generic-Permanent-IDs
    Indicates whether the server must accept generic permanent identities that are not based on an IMSI, for this realm. For example, fred. EAP-SIM RFC 4186 indicates that the permanent identity must be derived from the IMSI. However, an implementation may choose a permanent identity that is not based on the IMSI. The server supports both options. The valid values are Enabled and Disabled. The default value is Disabled.

Minimum-Length-IMSI and Maximum-Length-IMSI
    Specify the minimum and maximum length of IMSIs that the server accepts. The server performs sanity checks on a permanent identity that is offered as an IMSI to ensure that the identity is neither too short nor too long to be an IMSI. EAP-SIM RFC 4186 explicitly states that 15 is the maximum length. The minimum length is six, based on a three digit MCC, a two digit MNC, and a one digit MSIN. This is a theoretical absolute minimum length of an IMSI. Therefore, the check made is as follows:
        6 <= Minimum-Length-IMSI <= Maximum-Length-IMSI <= 15
    The default values are 6 and 15.

Number-Of-Triplets-For-Authentication
    Indicates how many GSM triplets are needed for authentication. EAP-SIM RFC 4186 indicates this value must be 2 or 3. The default value is 2.

Protected-Success-Indications
    Protected success indications are an optional EAP-SIM feature. The Protected-Success-Indications parameter indicates whether the server offers protected success indications to the peer. The valid values are Enabled and Disabled. The default value is Enabled.
The following is an example of an EAP.authfile file that configures the EAP-SIM protocol for a SIM realm:

    #######################################################################
    # Append the following to /etc/opt/aaa/EAP.authfile
    #######################################################################
    eapsimrealm.com -EAP EAP "comment"
    {
        EAP-Type SIM
        {
            # The following parameters specify the name of the A3 and A8 algorithm used to
            # generate triplets. You need not configure these values if triplets are
            # retrieved from an external AuC.
            A3-Algorithm "3GPP-Milenage"
            A8-Algorithm "3GPP-Milenage"

            ############################################################
            # The following are optional parameters
            ############################################################
            Prefixed-IMSI-Permanent-IDs "Enabled"
            Generic-Permanent-IDs "Enabled"
            Minimum-Length-IMSI 6
            Maximum-Length-IMSI 15
            Number-Of-Triplets-For-Authentication 2
            Protected-Success-Indications "Enabled"
        }
    }
NOTE: The comment field in realm configuration must not have spaces.
Global EAP-SIM Configuration in aaa.config
The aatv.EAP-SIM{} configuration block, located within the aaa.config file, contains global EAP-SIM configuration information. These parameters represent global default values, which do not correspond to any realm-based parameter. The following rules apply to the aatv.EAP-SIM{} configuration block parameters:
• The parameter names are case-insensitive.
• For parameters with on and off binary values, the values enabled, yes, on, and true are synonymous, and the values disabled, no, off, and false are synonymous.
• String parameter values must be enclosed in single or double quotes.
The aatv.EAP-SIM{} configuration block in the aaa.config file can contain any subset of the parameters, including the empty subset. These parameters are global. Table 17-3 lists the configuration block parameters.
Table 17-3 The aaa.config Configuration Block Parameters

Statistics
    Directs the output of EAP-SIM statistics to the logfile when the server shuts down. The valid values are Enabled and Disabled. If not explicitly configured, the default value is Enabled.
The following is an example of an aaa.config configuration file:

    aatv.EAP-SIM
    {
        # =====================================
        # The following parameters are global.
        # =====================================
        Statistics "Enabled"        # Enabled or Disabled
    }
EAP-AKA
This section discusses the EAP-AKA authentication method and its configurations. This section addresses the following topics:
• “Overview” (page 236)
• “EAP-AKA Authentication Using HP-UX AAA Server” (page 236)
• “Features” (page 237)
• “Benefits” (page 238)
• “Configuring EAP-AKA” (page 239)
Overview
EAP-AKA is an authentication and session key distribution mechanism used in the third generation mobile networks: UMTS and CDMA2000. AKA is based on the challenge-response mechanism and symmetric cryptography.
EAP-AKA Authentication Using HP-UX AAA Server
The HP-UX AAA Server authenticates the EAP-AKA supplicant to the IP network using Wireless LAN (WLAN) access. The authentication process is described as follows:
1. The supplicant associates with the access point.
2. The access point responds first with an EAP Request message asking for its identity.
3. The supplicant sends an EAP response message with the subscriber’s International Mobile Subscriber Identity (IMSI) contained in the UMTS Subscriber Identity Module (USIM) or CDMA2000 User Identity Module. The EAP Response message is encapsulated in the RADIUS Access-Request message and forwarded to the AAA Server.
4. The HP-UX AAA Server, on receiving the EAP Response message, does a lookup for the user’s identity to retrieve the pre-shared key and the per-user sequence number (SQN) to generate an authentication vector. The SQN is incremented sequentially for every authentication of the user to the network. The authentication vector is actually a security quintet which consists of five numbers: RAND (a 128-bit random number), XRES (a 32-bit signed response to RAND), CK (a 128-bit session encryption key), IK (a 128-bit integrity key) and AUTN (a 128-bit network authentication token). The AAA Server can also be configured to connect to an external storage, like an Authentication Centre (AuC), to provide the authentication vector.
5. The AAA Server then sends an EAP Request Challenge message with the random number RAND, the network authentication token AUTN and the message authentication code for the EAP packet.
6. The supplicant runs the AKA algorithm to compare the AUTN it generates with the received AUTN. If it matches, it has successfully authenticated the AAA Server. The supplicant now sends an EAP Response Challenge via the Access Point containing the result parameter (RES) generated using the RAND and the pre-shared secret key. It also includes a message authentication code for integrity protection.
7. The AAA Server, on receiving the EAP Response message, compares the result parameter with the XRES parameter in the corresponding authentication vector. On successful comparison and validation of the message authentication code, the AAA Server sends an EAP Success message encapsulated inside an Access-Accept message to the Access point with the session key.
8. The Access point forwards the EAP Success message to the supplicant, and keeps the keying material for encrypting the user’s session. The supplicant has also derived the same encryption key, so the Access point does not forward it to the supplicant.
9. With the common session key, the network traffic between the access point and the supplicant can now be encrypted and the supplicant can securely access the network.
EAP-AKA uses an example algorithm for key generation that can be customized or replaced with an operator-specific key generation algorithm.

EAP-AKA includes optional identity privacy support, wherein the supplicant can send a temporary (pseudonym) identity instead of using the clear text permanent identity, to prevent eavesdropping. In such cases the HP-UX AAA Server has to do a lookup of the real user name, that is, the permanent identity, on receiving the pseudonym identity. The mapping of the permanent identity to the pseudonym, and vice versa, can be done using algorithms built into the Server or using an external store, such as an SQL-compliant database, that holds the mapping information.

EAP-AKA also includes optional fast re-authentication support, wherein the Master Session Key generated during the previous full authentication is used to generate a fresh Master Session Key. A supplicant requesting fast re-authentication sends the fast re-authentication identity obtained during the previous full authentication. The HP-UX AAA Server internally maps the fast re-authentication identity to the permanent identity either using an optional internal cache or using an external store, such as an SQL-compliant database, that holds the mapping information.
NOTE: The HP-UX AAA Server can also generate the AV.
Features
The EAP-AKA authentication method is fully compliant with RFC 4187. It supports the following features:
• IMSI permanent identities are supported on a per realm basis.
• Non-IMSI permanent identities are supported on a per realm basis.
• Protected success indications are supported on a per realm basis.
• Fast re-authentication is supported on a per realm basis.
• Protected Identity Exchanges using AT_CHECKCODE are supported on a per realm basis.
• The Authentication Management Field (AMF) is supported on a per realm basis.
• Algorithmically or randomly generated pseudonyms are supported on a per realm basis.
• To ensure that permanent user names, pseudonyms, and fast re-authentication user names are distinct and can be easily distinguished from one another, the server generates pseudonyms with the leading character 4 and fast re-authentication user names with the leading character 5. In accordance with the RFC, permanent user names derived from the IMSI are prefixed with the leading character 0.
• A user's subscriber key, Ki, sequence number, mode, and the name of the appropriate AKA algorithm can be stored in an external database or a local file. The server automatically generates the authentication vector from this information.
• An authentication vector can be stored in a local file. This is intended for use in a lab environment, and requires no additional user-written plug-ins.
• The user credentials can be retrieved from an AuC if the customer implements an AATV which communicates with the AuC.
• AKA 3GPP Milenage algorithms are provided with parameters that can be configured.
• The Milenage AKA algorithm can be customized with a simple plug-in.
• Additional AKA algorithms provided by the customer can be plugged into the server.
• Occurrences and values of received AKA attributes are validated.
• Support for pseudonym and fast re-authentication identity mapping is built in, without the need for an external database.
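The following Python is an added example, not HP-UX AAA Server code. It brings together the user name conventions of both methods (leading characters 1, 2, 3 for EAP-SIM and 0, 4, 5 for EAP-AKA, as listed in the two Features sections) and applies the Prefixed-IMSI-Permanent-IDs, Generic-Permanent-IDs and Minimum/Maximum-Length-IMSI checks from Table 17-2 to a received identity. RealmPolicy, classify_identity and the NAI user@realm split are the example's own assumptions, as is reusing the SIM realm parameter names for an AKA realm.

```python
"""Added example, not from the HP-UX AAA Server: classify the user names an
EAP-SIM or EAP-AKA realm receives by their leading character and apply the
IMSI length sanity check to permanent identities."""
from dataclasses import dataclass
from typing import Optional, Tuple

# Leading characters the text assigns per method.
PREFIXES = {
    "SIM": {"1": "permanent", "2": "pseudonym", "3": "fast-reauth"},
    "AKA": {"0": "permanent", "4": "pseudonym", "5": "fast-reauth"},
}
IMSI_ABSOLUTE_MIN = 6    # 3-digit MCC + 2-digit MNC + 1-digit MSIN
IMSI_ABSOLUTE_MAX = 15   # RFC 4186 maximum


def imsi_bounds_are_valid(minimum: int, maximum: int) -> bool:
    """The check the server makes on Minimum-Length-IMSI / Maximum-Length-IMSI."""
    return IMSI_ABSOLUTE_MIN <= minimum <= maximum <= IMSI_ABSOLUTE_MAX


@dataclass(frozen=True)
class RealmPolicy:
    """Per-realm switches modelled on the EAP-Type SIM {} block. Using the same
    names for an AKA realm is an assumption of this example."""
    method: str                              # "SIM" or "AKA"
    prefixed_imsi_permanent_ids: bool = True
    generic_permanent_ids: bool = False
    minimum_length_imsi: int = IMSI_ABSOLUTE_MIN
    maximum_length_imsi: int = IMSI_ABSOLUTE_MAX

    def __post_init__(self):
        if self.method not in PREFIXES:
            raise ValueError("method must be SIM or AKA")
        if not imsi_bounds_are_valid(self.minimum_length_imsi, self.maximum_length_imsi):
            raise ValueError("need 6 <= Minimum-Length-IMSI <= Maximum-Length-IMSI <= 15")


def classify_identity(identity: str, policy: RealmPolicy) -> Tuple[str, Optional[str], str]:
    """Return (kind, permanent_identity, reason). kind is "permanent",
    "pseudonym", "fast-reauth" or "rejected". permanent_identity is the IMSI
    (prefix stripped) or the generic name when it is known locally; for
    pseudonyms and fast re-authentication names it stays None, because the
    server resolves those through its cache or an external mapping store."""
    username = identity.split("@", 1)[0]     # assumption: NAI form user@realm
    if not username:
        return "rejected", None, "empty user name"
    kind = PREFIXES[policy.method].get(username[0])
    if kind == "permanent" and policy.prefixed_imsi_permanent_ids:
        imsi = username[1:]
        if not (imsi.isascii() and imsi.isdigit()):
            return "rejected", None, "IMSI must be decimal digits"
        if not policy.minimum_length_imsi <= len(imsi) <= policy.maximum_length_imsi:
            return "rejected", None, f"IMSI length {len(imsi)} outside configured bounds"
        return "permanent", imsi, "IMSI-derived permanent identity"
    if kind in ("pseudonym", "fast-reauth"):
        return kind, None, "resolve to permanent identity via mapping"
    if policy.generic_permanent_ids:
        return "permanent", username, "generic permanent identity"
    return "rejected", None, "no recognised prefix and generic identities disabled"
```

A name such as fred is rejected by a realm with the default Generic-Permanent-IDs "Disabled", and accepted as a permanent identity once that parameter is enabled; an AKA realm does not accept a SIM-style 1-prefixed IMSI, which keeps the two identity spaces distinct as the text requires.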
Benefits
EAP-AKA offers the following benefits:
• In devices that already contain an identity module, AKA can be used as a secure Point-to-Point Protocol (PPP) authentication method.
• Enables the use of third generation mobile network authentication infrastructure in wireless LANs.
• Supports the co-existence of the existing infrastructure with any other EAP technology.
• Supports identity privacy.
• Supports result indications.
• Supports fast re-authentication.
Configuring EAP-AKA
The configuration files must be edited manually, because EAP-AKA cannot be configured using the HP-UX AAA Server Manager. This section addresses the following topics:
• “EAP-AKA Client Configuration” (page 239)
• “EAP-AKA User Credential Lookup Configuration” (page 239)
• “EAP-AKA Realm-Based Configurations” (page 240)
• “Global EAP-AKA Configuration in aaa.config” (page 247)
NOTE: After editing any of these files, you must restart the RADIUS server for the configuration changes to take effect.
EAP-AKA Client Configuration

You can configure the access point or access device for the HP-UX AAA Server to use EAP-AKA using the HP-UX AAA Server Manager. For more information on how to configure it, see Chapter 7 (page 100).
EAP-AKA User Credential Lookup Configuration

On receiving an AKA request, the HP-UX AAA Server looks up the credentials of the unique identifier (the real user name). The credentials are either the pre-shared values from which the server computes an authentication vector, that is, the user's Subscriber-Key (Ki), AKA-Sequence-Number (SQN), AKA-Mode (AMF), and AKA-Algorithm, or a ready-made AKA vector. The HP-UX AAA Server therefore supports configuration of EAP-AKA user credentials as Reply Items in two forms. One of the two forms must be provided for the EAP-AKA module to continue processing the user request:

• The first form is the configuration of the user's Subscriber-Key (Ki), AKA-Sequence-Number (SQN), AKA-Mode (AMF), and AKA-Algorithm. For a description of the algorithms, see “Generating Authentication Vectors Using A3, A8, and AKA Algorithms” (page 268). The server uses these AVPs as input to generate an authentication vector.
  — Subscriber-Key is a string attribute containing the binary-encoded 128-bit user secret key, often referred to as Ki. The encoding must be in network byte order (big-endian).
  — AKA-Sequence-Number is a string attribute containing the binary-encoded 48-bit user sequence number, often referred to as SQN. The encoding must be in network byte order (big-endian).
  — AKA-Mode is a string attribute containing the binary-encoded 16-bit authentication management field, often referred to as AMF. The encoding must be in network byte order (big-endian).
  — AKA-Algorithm is a string attribute containing the name of the AKA algorithm to apply in AKA vector generation. Most lines in the configuration files are limited to 1023 characters, which bounds the length of this string. The value is case-sensitive.
• The second form is the configuration of an AKA vector. An AKA vector is a fixed-length binary string (octets) attribute that holds an EAP-AKA authentication vector. The attribute value is a 576-bit (72-byte) binary string partitioned as described in Table 17-4.
Table 17-4 AKA Vector Parameters

Parameter   Description
RAND        The first 128 bits (16 bytes) of the value
XRES        The next 64 bits (8 bytes) of the value
CK          The next 128 bits (16 bytes) of the value
IK          The next 128 bits (16 bytes) of the value
AUTN        The last 128 bits (16 bytes) of the value
The user credentials can be stored in any supported data repository, such as a local realm users file, an LDAP database, an SQL-compliant database using SQL Access, or a customer-supplied database.
NOTE: The SQL Access feature can be used both to retrieve user credentials and to manage the SQN. For a sample SQL Access configuration, see “Realm-Based EAP-AKA Configuration Information in authfile” (page 240). Storing user credentials in a realm users file or an LDAP database requires Finite State Machine (FSM) modifications and a module that manages the SQN.
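The following Python script is an added example; it is not part of the HP-UX AAA Server or of this manual. It models the encoding rules stated above for the three pre-shared credentials (128-bit Ki, 48-bit SQN, 16-bit AMF, all big-endian), the 72-byte AKA vector layout of Table 17-4, and the 48-bit increment that the SQN-update step described later in this chapter must perform. The column names follow the manual's SQL Access sample; the function names, the hex-to-binary helper (an approximation of what the AAAHexToBinaryString mapping step must do, not the product's code) and the sample row are this example's own, and the sample values are constructed test data, not real subscriber keys.

```python
# Added example, not HP-UX AAA Server code: EAP-AKA credential encodings and
# the Table 17-4 AKA vector layout. Column names mirror the manual's SQL
# Access sample; everything else here is this example's own design.

KI_BITS, SQN_BITS, AMF_BITS = 128, 48, 16
# Table 17-4: RAND(16) | XRES(8) | CK(16) | IK(16) | AUTN(16) = 72 bytes = 576 bits
VECTOR_LAYOUT = (("RAND", 16), ("XRES", 8), ("CK", 16), ("IK", 16), ("AUTN", 16))
VECTOR_LEN = sum(size for _, size in VECTOR_LAYOUT)


def hex_to_binary_string(hex_value: str, bits: int) -> bytes:
    """Approximation of the AAAHexToBinaryString step: a hex column value
    becomes a fixed-width big-endian byte string. The width check makes a
    truncated or padded database column fail loudly instead of yielding a
    silently wrong Ki, SQN or AMF."""
    h = hex_value.strip()
    if h.lower().startswith("0x"):
        h = h[2:]
    h = h.replace(".", "")  # AKA-Mode allows an optional readability dot
    if len(h) != bits // 4:
        raise ValueError(f"expected {bits // 4} hex digits, got {len(h)}")
    return bytes.fromhex(h)  # ValueError on non-hex characters


def load_credentials(row: dict) -> dict:
    """Validate one RAD_USERS_TABLE row (string columns) into the three binary
    attributes the server needs to build an AKA vector."""
    return {
        "Subscriber-Key": hex_to_binary_string(row["subscriber_key"], KI_BITS),
        "AKA-Sequence-Number": hex_to_binary_string(row["aka_sequence_number"], SQN_BITS),
        "AKA-Mode": hex_to_binary_string(row["aka_mode"], AMF_BITS),
    }


def increment_sqn(sqn: bytes) -> bytes:
    """What an IncAkaSeqNum-style mapping must do after a successful
    authentication: add one to the 48-bit big-endian SQN, wrapping at 2**48."""
    if len(sqn) != SQN_BITS // 8:
        raise ValueError("SQN must be 6 bytes")
    value = (int.from_bytes(sqn, "big") + 1) % (1 << SQN_BITS)
    return value.to_bytes(SQN_BITS // 8, "big")


def pack_aka_vector(fields: dict) -> bytes:
    """Assemble the 576-bit AKA-Vector attribute, enforcing each field width."""
    out = bytearray()
    for name, size in VECTOR_LAYOUT:
        part = fields[name]
        if len(part) != size:
            raise ValueError(f"{name} must be {size} bytes, got {len(part)}")
        out += part
    return bytes(out)


def unpack_aka_vector(vector: bytes) -> dict:
    """Split a received AKA-Vector attribute. Any length other than 72 bytes
    is rejected, because a short vector would shift the CK/IK/AUTN boundaries."""
    if len(vector) != VECTOR_LEN:
        raise ValueError(f"AKA vector must be {VECTOR_LEN} bytes, got {len(vector)}")
    fields, offset = {}, 0
    for name, size in VECTOR_LAYOUT:
        fields[name] = vector[offset:offset + size]
        offset += size
    return fields


# Constructed sample row (not a real subscriber), in the string form that a
# RetrieveAkaUser-style SQL action reads back from the database.
SAMPLE_ROW = {
    "subscriber_key": "00112233445566778899aabbccddeeff",
    "aka_sequence_number": "0000ffffffff",
    "aka_mode": "0x12ab",
}

if __name__ == "__main__":
    creds = load_credentials(SAMPLE_ROW)
    print("AMF:", creds["AKA-Mode"].hex())
    print("next SQN:", increment_sqn(creds["AKA-Sequence-Number"]).hex())
```

The width checks are the point: the server trusts these strings as key material, so a 31-digit Ki or a 14-digit SQN coming out of a loosely typed CHAR column must be rejected at the mapping step rather than zero-padded into a valid-looking but wrong vector.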
EAP-AKA Realm-Based Configurations

Many EAP-AKA parameters can be configured on a per-realm basis. These parameters are configured in realm entries stored in the authfile and EAP.authfile files.
Realm-Based EAP-AKA Configuration Information in authfile
The user's AKA credential lookup information is configured in the authfile on a per-realm basis. The EAP-AKA realm must be configured with the -AKA switch. The following syntax is used to configure the user credential storage:

    eapakarealm.com -AKA <AATV name> <xstring, if any>
If a user-specific plug-in is added for user lookup, the AATV name is replaced with the plug-in name. The following section describes the configuration of the HP-UX AAA Server and an SQL-compliant database for credential lookup (subscriber key).
The HP-UX AAA Server receives the AKA vector directly when the external storage (typically an AuC) generates the vector. An AATV must be written for this. For information on how to write an AATV, see Chapter 28 (page 446).
NOTE: The xstring field in the realm configuration must not have spaces.
SQL Access Authentication Type
To use the SQL Access authentication type, you must include the following entry in the authfile:

    eapakarealm.com -AKA SQLAccess ActionId=RetrieveAkaUser
You must also include the RetrieveAkaUser SQL action in the sqlaccess.config file. The following RetrieveAkaUser SQL action is configured to return the subscriber key, AKA mode, and SQN. After a successful retrieval from the SQL-compliant database (db_oci), the SQL action returns RETRIEVE_SUCCESS; otherwise it returns RETRIEVE_ERROR.

    SQLAction RetrieveAkaUser {
        {
            input  RAD(Real-Username, REPLY) DBP(runame, 253, CHAR)
            output DBR(100:0) RET(RETRIEVE_ERROR)
                   DBR(-1:*) RET(ERROR)
                   DBC(subscriber_key, 64, CHAR) FUNC(StoreInSubscriberKey) AAAHexToBinaryString
                   DBC(aka_mode, 16, CHAR) FUNC(StoreInAkaMode) AAAHexToBinaryString
                   DBC(aka_sequence_number, 32, CHAR) FUNC(StoreInAkaSeqNum) AAAHexToBinaryString
                   DBR(0:0) RET(RETRIEVE_SUCCESS)
                   DBR(*:*) RET(RETRIEVE_ERROR)
            SQLStatement db_oci {
                SELECT subscriber_key, aka_mode, aka_sequence_number
                FROM RAD_USERS_TABLE WHERE user_name=:runame
            }
        }
    }

NOTE: The subscriber_key, aka_mode, and aka_sequence_number columns must be added to RAD_USERS_TABLE. StoreInSubscriberKey, StoreInAkaMode, and StoreInAkaSeqNum are predefined mapping functions that store the binary strings in the Subscriber-Key, AKA-Mode, and AKA-Sequence-Number attributes respectively and insert these AV pairs into AUTHREQ_REPLY_QUEUE.
For more information on SQL Access, see Chapter 22 (page 338).
Realm-Based EAP-AKA Configuration Information in EAP.authfile
The EAP.authfile entry for a realm that supports EAP-AKA can contain an optional {} configuration block following the EAP-Type AKA specification. This block contains realm-specific EAP-AKA configuration information, such as the algorithm to use for the realm's users and the fast re-authentication and pseudonym parameters discussed later in this chapter. For more information on fast re-authentication and pseudonyms, see “Pseudonym Identities” (page 256).

If certain parameters are not specified in the EAP-Type AKA {} configuration block, default values are assigned. For parameters that have no default value, you must specify a value to ensure that the capability is supported.

The following rules apply to the EAP-Type AKA {} configuration block parameters:
• The parameter names are case-insensitive.
• For parameters with on and off binary values, the values enabled, yes, on, and true are synonymous, and the values disabled, no, off, and false are synonymous.
• String parameter values must be enclosed in single or double quotes.

The EAP-Type AKA {} configuration block can contain any subset of the parameters, including the empty subset. The EAP.authfile configuration parameters are described in Table 17-5.
Table 17-5 EAP.authfile Configuration Parameters

AKA-Algorithm
    Specifies the default AKA algorithm for the realm. If the profile for a user in this realm does not specify an AKA algorithm, and an AKA algorithm is needed to produce the AKA vector for this user's authentication, the algorithm named by this parameter is used. For the available algorithms, see “Generating Authentication Vectors Using A3, A8, and AKA Algorithms” (page 268). There is no default value.

Prefixed-IMSI-Permanent-IDs
    Indicates whether the server accepts permanent identities of the form 0 + IMSI for this realm. RFC 4187 specifies that the permanent identity is derived from the IMSI; however, an implementation may choose a permanent identity that is not based on the IMSI, and the server supports both options. The valid values are Enabled and Disabled. The default value is Enabled.

Generic-Permanent-IDs
    Indicates whether the server accepts generic permanent identities that are not based on an IMSI (for example, fred) for this realm. RFC 4187 specifies that the permanent identity is derived from the IMSI; however, an implementation may choose a permanent identity that is not based on the IMSI, and the server supports both options. The valid values are Enabled and Disabled. The default value is Disabled.

Minimum-Length-IMSI and Maximum-Length-IMSI
    Specify the minimum and maximum length of the IMSIs that the server accepts. The server performs sanity checks on a permanent identity offered as an IMSI to ensure that it is neither too short nor too long to be an IMSI. RFC 4187 explicitly states that 15 is the maximum length. The minimum length is six, based on a three-digit MCC, a two-digit MNC, and a one-digit MSIN; this is the theoretical absolute minimum length of an IMSI. The check made is therefore:

        6 <= Minimum-Length-IMSI <= Maximum-Length-IMSI <= 15

    The default values are 6 and 15.

Protected-Success-Indications
    Protected success indications are an optional EAP-AKA feature. This parameter indicates whether the server offers protected success indications to the peer. The valid values are Enabled and Disabled. The default value is Enabled.

Protected-Identity-Exchanges
    Determines whether the server uses the AT_CHECKCODE attribute. The use of AT_CHECKCODE is an optional feature in EAP-AKA; the attribute protects the EAP-AKA identity messages and any future extensions to them, and its implementation is recommended. The valid values are Yes and No.

AKA-Mode
    The user authentication management field, often referred to as AMF. It is an input to the functions f1 and f1*; for more information, see the 3GPP documents. The value is a 16-bit binary string entered as 0x followed by two 2-digit hex values; a dot between the two bytes is optional and serves only to improve readability. The encoding must be in network byte order (big-endian). See the example EAP.authfile file following this table.

Resync-Update
    The EAP-AKA protocol requires support for two features related to the management of sequence numbers (SQN). The Resync-Update parameter specifies an AATV that provides one of these features, and an Xstring parameter for that AATV. The AATV is invoked to notify the AuC about synchronization failures; the reception of an EAP-Response/AKA-Synchronization-Failure message from the client triggers the call. This feature is optional, so whether you configure this parameter depends on whether you require it. There is no default value.

Auth-Result-Update
    The EAP-AKA protocol requires support for two features related to the management of sequence numbers (SQN). The Auth-Result-Update parameter specifies an AATV that provides the other feature, and an Xstring parameter for that AATV. The AATV is invoked to notify the AuC about the result of an authentication attempt; the completion of an EAP-AKA authentication sequence triggers the call. This feature is optional, so whether you configure this parameter depends on whether you require it. There is no default value.
The following is an example of the EAP.authfile file that configures the EAP-AKA protocol for an AKA realm:

    ##################################################################
    # Append the following to /etc/opt/aaa/EAP.authfile
    ##################################################################
    eapakarealm.com -EAP EAP "comment"{
        EAP-Type AKA {
            # The following parameter specifies the name of the AKA algorithm used
            # to generate the vector. You need not configure these values if the
            # vector is retrieved from an external AuC.
            AKA-Algorithm "3GPP-Milenage"
            Resync-Update SQLAccess ActionId=ResyncSQN
            Auth-Result-Update SQLAccess ActionId=UpdateSQN

            ############################################################
            # The following are optional parameters
            ############################################################
            Prefixed-IMSI-Permanent-IDs "Enabled"
            Generic-Permanent-IDs "Enabled"
            Minimum-Length-IMSI 6
            Maximum-Length-IMSI 15
            AKA-Mode 0x12ab
            Protected-Identity-Exchanges No
            Protected-Success-Indications "Enabled"
        }
    }
NOTE: The comment field in realm configuration must not have spaces.
Auth-Result-Update and Resync-Update
The SQN management that EAP-AKA requires can be done with the SQL Access feature of the HP-UX AAA Server. In this case the user credentials must be stored in an Oracle or other SQL-compliant database. The EAP.authfile example above configures these two parameters.

UpdateSQN and ResyncSQN are the SQL action names that must be configured in the sqlaccess.config file. Sample entries follow.

UpdateSQN: This SQL action increments the SQN in the database for each successful authentication. Two mappings are used. The first retrieves the sequence number for the corresponding real identity and adds the incremented SQN to the REPLY queue; the second retrieves it from the REPLY queue and writes it back to the database. The predefined sample mapping function IncAkaSeqNum increments the SQN if the authentication succeeded, converts it back to hex string format, and inserts the AKA-Sequence-Number AVP into the REPLY queue.

You can use the vendor-specific attribute AKA-Authentication-Result to check the result of the authentication. It takes one of the following values:

    NO-AUTH         0
    SUCCESS         1
    REAUTH          2
    CLIENT_REJECT   3
    BAD_MAC         4
    BAD_XRES        5
    BAD_CHECKCODE   6
    BAD_PROTOCOL    7
    BAD_INTERNAL    8
    SQLAction UpdateSQN {
        {
            input  RAD(Real-Username, REPLY) DBP(runame, 253, CHAR)
            output DBR(100:*) RET(NAK)
                   DBR(-1:*) RET(ERROR)
                   DBC(aka_sequence_number, 64, CHAR) FUNC(IncAkaSeqNum) AAAHexToBinaryString
                   DBR(0:0) RET(ACK)
                   DBR(*:*) RET(ERROR)
            SQLStatement db_oci {
                SELECT aka_sequence_number FROM RAD_USERS_TABLE WHERE user_name=:runame
            }
        }
        {
            input  RAD(AKA-Sequence-Number, REPLY) DBP(seqnum, 253, CHAR)
                   RAD(Real-Username, REPLY) DBP(runame, 253, CHAR)
            output DBR(-1:*) RET(ERROR)
                   DBR(0:0) RET(ACK)
                   DBR(*:*) RET(NAK)
            SQLStatement db_oci {
                UPDATE RAD_USERS_TABLE SET aka_sequence_number=:seqnum WHERE user_name=:runame
            }
        }
    }
ResyncSQN: This SQL action derives the SQN from the vendor-specific attribute AKA-Synchronization-Token (AUTS) in the REPLY queue, which the client sends when a synchronization failure occurs. The first mapping retrieves the subscriber key for the corresponding real identity, and the second mapping writes the derived SQN back to the database. The predefined sample mapping function GetResyncAkaSeqNum extracts the SQN from AUTS and inserts it into the REPLY queue after converting it to hex string format.

    SQLAction ResyncSQN {
        {
            input  RAD(Real-Username, REPLY) DBP(runame, 253, CHAR)
            output DBR(100:*) RET(NAK)
                   DBR(-1:*) RET(ERROR)
                   DBC(subscriber_key, 64, CHAR) FUNC(GetResyncAkaSeqNum) AAAHexToBinaryString
                   DBR(0:0) RET(ACK)
                   DBR(*:*) RET(ERROR)
            SQLStatement db_oci {
                SELECT subscriber_key FROM RAD_USERS_TABLE WHERE user_name=:runame
            }
        }
        {
            input  RAD(AKA-Sequence-Number, REPLY) DBP(seqnum, 253, CHAR)
                   RAD(Real-Username, REPLY) DBP(runame, 253, CHAR)
            output DBR(-1:*) RET(ERROR)
                   DBR(0:0) RET(ACK)
                   DBR(*:*) RET(NAK)
            SQLStatement db_oci {
                UPDATE RAD_USERS_TABLE SET aka_sequence_number=:seqnum WHERE user_name=:runame
            }
        }
    }
NOTE: The above SQL actions require the subscriber_key and aka_sequence_number columns to be added to RAD_USERS_TABLE as string types. The mapping functions in the above examples are for demonstration purposes only; you must customize them to your requirements. For more information on SQL Access mapping functions, see Chapter 22 “SQL Access”. For information on how to write AATVs, see Chapter 28 “Customizing the HP-UX AAA Server Using the SDK”.
Global EAP-AKA Configuration in aaa.config

The aatv.EAP-AKA{} configuration block, located in the aaa.config file, contains global EAP-AKA configuration information. These parameters are global default values that do not correspond to any realm-based parameter.

The following rules apply to the aatv.EAP-AKA{} configuration block parameters:
• The parameter names are case-insensitive.
• For parameters with on and off binary values, the values enabled, yes, on, and true are synonymous, and the values disabled, no, off, and false are synonymous.
• String parameter values must be enclosed in single or double quotes.

The aatv.EAP-AKA{} configuration block in the aaa.config file can contain any subset of the parameters, including the empty subset. These parameters are global. Table 17-6 lists the configuration block parameters.
Table 17-6 The aaa.config Configuration Block Parameters

Statistics
    Directs the output of EAP-AKA statistics to the logfile when the server shuts down. The valid values are Enabled and Disabled. If not explicitly configured, the default value is Enabled.
The following is an example of an aaa.config configuration file:

    aatv.EAP-AKA{
        # =====================================
        # The following parameters are global.
        # =====================================
        Statistics "Enabled"    # Enabled or Disabled
    }
Fast Re-Authentication

Fast re-authentication is an optional EAP-SIM and EAP-AKA feature. It is used to refresh a previous authentication periodically. A fast re-authentication, if applicable, occurs shortly after a full authentication or an earlier fast re-authentication. The Fast-Reauth-Id-Lifetime parameter specifies a lifetime for a fast re-authentication identity, in seconds. If a fast re-authentication identity is assigned but not used within this period, the identity and the associated full authentication context expire.

The HP-UX AAA Server generates a fast re-authentication identity that is 10 characters long: the fast re-authentication identity prefix 3, followed by nine random characters from a 31-character set consisting of the 21 upper-case consonants (no vowels) and the 10 digits 0-9, that is {BCDFGHJKLMNPQRSTVWXYZ0123456789}. With 31 choices for each of the nine random characters there are 31^9, or more than 26 trillion, distinct fast re-authentication identities available across all permanent identities. Selecting only upper-case characters for the server-generated re-authentication identities allows case-insensitive database lookups.

The server sends the client a fast re-authentication identity that includes a realm. Before generating one, the server checks whether the total length of the name@realm string would exceed 253 characters, the maximum length of a User-Name attribute value. If it would, the server does not generate a re-authentication identity. Because the name portion of the identity is 10 characters, this can occur only if the realm is longer than 242 characters. The realm is either the configured fast re-authentication realm or the realm from the permanent identity. A fast re-authentication realm can be configured to target a fast re-authentication request at the specific server that generated the identity.
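The following Python script is an added example; it is not part of the HP-UX AAA Server or of this manual. It builds a fast re-authentication identity exactly as described above (prefix 3, nine characters from the 31-symbol alphabet, drawn from a cryptographically secure source), applies the Fast-Reauth-Realm rules (NULL for no realm, the empty string for the permanent identity's realm) and the 253-character User-Name limit that causes the server to issue no identity when the realm exceeds 242 characters. The function names, the realm names and the sanity check on received user names are this example's own.

```python
# Added example, not HP-UX AAA Server code: fast re-authentication identity
# construction and the length rule described in the manual.
import secrets

REAUTH_PREFIX = "3"
# 21 upper-case consonants (no vowels) plus the 10 digits: 31 symbols in all
REAUTH_ALPHABET = "BCDFGHJKLMNPQRSTVWXYZ0123456789"
REAUTH_RANDOM_CHARS = 9
REAUTH_NAME_LEN = 1 + REAUTH_RANDOM_CHARS                 # 10 characters
MAX_NAI_LEN = 253                                          # User-Name attribute limit
MAX_REAUTH_REALM_LEN = MAX_NAI_LEN - REAUTH_NAME_LEN - 1   # 242, the "@" costs one

assert len(set(REAUTH_ALPHABET)) == 31


def identity_space() -> int:
    """Distinct fast re-authentication user names: 31**9 (over 26 trillion)."""
    return len(REAUTH_ALPHABET) ** REAUTH_RANDOM_CHARS


def make_reauth_username(rng=secrets.choice) -> str:
    """Prefix 3 followed by nine characters drawn with a CSPRNG. A guessable
    identity would let an attacker replay someone else's re-auth context, so
    random.choice is deliberately not used here."""
    return REAUTH_PREFIX + "".join(rng(REAUTH_ALPHABET) for _ in range(REAUTH_RANDOM_CHARS))


def select_realm(configured_realm, permanent_realm: str):
    """Fast-Reauth-Realm semantics: None models NULL (no realm at all), ""
    means reuse the permanent identity's realm, anything else is used as-is."""
    if configured_realm is None:
        return None
    return permanent_realm if configured_realm == "" else configured_realm


def make_reauth_identity(configured_realm, permanent_realm: str, username=None):
    """Return the NAI the server hands to the peer, or None when name@realm
    would exceed 253 characters (the server then issues no re-auth identity)."""
    realm = select_realm(configured_realm, permanent_realm)
    name = username or make_reauth_username()
    if not realm:
        return name                      # identity without a realm part
    if len(realm) > MAX_REAUTH_REALM_LEN:
        return None                      # realm longer than 242: refuse, do not truncate
    nai = f"{name}@{realm}"
    assert len(nai) <= MAX_NAI_LEN
    return nai


def is_reauth_username(name: str) -> bool:
    """Cheap server-side check before a Fast-Reauth-Lookup: right prefix and
    length, only alphabet characters. Matching is case-insensitive because the
    alphabet contains only upper-case letters, which is what makes
    case-insensitive database lookups safe."""
    return (len(name) == REAUTH_NAME_LEN
            and name[0] == REAUTH_PREFIX
            and all(c in REAUTH_ALPHABET for c in name[1:].upper()))


if __name__ == "__main__":
    # "eapaka.com" is a constructed realm name for illustration only.
    print(make_reauth_identity("", "eapaka.com"))
    print(identity_space())
```

Refusing rather than truncating an over-long realm is the safe failure: a truncated realm could route the re-authentication to a server that does not hold the full authentication context, and the peer would simply fall back to a full authentication.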
Configuring for Fast Re-Authentication

This section addresses the following topics:
• “Configuring for Fast Re-Authentication in EAP.authfile” (page 248)
• “Configuring for Fast Re-Authentication in aaa.config File” (page 251)
Configuring for Fast Re-Authentication in EAP.authfile

To use fast re-authentication, the realm configuration in the EAP-Type SIM{} or EAP-Type AKA{} block in EAP.authfile must specify the parameters described in Table 17-7.
Table 17-7 EAP.authfile Configuration Parameters

Fast-Reauth-Lookup
    Specifies an AATV and an Xstring parameter for this AATV. The AATV is invoked to map a fast re-authentication identity to the user's real identity and full authentication context. If this parameter is not configured, fast re-authentication support is disabled for the realm. The HP-UX AAA Server provides the SIMAKA-ReauthCacheLookup AATV for this function. There is no default value.

Fast-Reauth-Update
    Specifies an AATV and an Xstring parameter for this AATV. The AATV is invoked to update the mapping of a fast re-authentication identity to a user's real identity. If this parameter is not configured, fast re-authentication support is disabled for the realm. The HP-UX AAA Server provides the SIMAKA-ReauthCacheUpdate AATV for this function. There is no default value.

Max-Number-Of-Reauths-Before-Full-Auth-Is-Required
    Specifies an upper limit on the number of consecutive fast re-authentications allowed before a full authentication must be performed. The valid range is 1 to 65,535.

Fast-Reauth-Realm
    Specifies the realm that determines where a fast re-authentication is targeted. When the server issues a fast re-authentication identity, it also includes a realm so that the subsequent fast re-authentication is routed to the server that holds the full authentication context; this matters when internal caching, rather than an external database, is used to save the fast re-authentication context. Because a fast re-authentication NAI cannot exceed 253 characters and the fast re-authentication user name is 10 characters, the Fast-Reauth-Realm value must not exceed 242 characters. To generate the fast re-authentication identity with no realm name, configure the value as NULL. An empty string (two quotes) directs the server to generate the identity with the same realm name as the permanent identity.

Fast-Reauth-Id-Lifetime
    Specifies the lifetime of a fast re-authentication identity, in seconds. If a fast re-authentication identity is assigned but not used within this period, the identity and the associated full authentication context are purged. The valid range is 1 to 14400 (1 second to 4 hours). The default value is 3600 seconds.
Sample EAP.authfile Configuration for Fast Re-authentication

    ##################################################################
    # Add the following in /etc/opt/aaa/EAP.authfile for EAP-SIM
    ##################################################################
    eapsim.com -EAP EAP "comment"{
        EAP-Type SIM {
            # Configure other realm-specific parameters, if required
            # ...

            # The following are the mandatory parameters:
            Fast-Reauth-Lookup SIMAKA-ReauthCacheLookup ""
            Fast-Reauth-Update SIMAKA-ReauthCacheUpdate ""

            # The following are the optional parameters:
            Fast-Reauth-Realm ""
            Max-Number-Of-Reauths-Before-Full-Auth-Is-Required 5
            Fast-Reauth-Id-Lifetime 1800
        }
    }

    ##################################################################
    # Add the following in /etc/opt/aaa/EAP.authfile for EAP-AKA
    ##################################################################
    eapaka.com -EAP EAP "comment"{
        EAP-Type AKA {
            # Configure other realm-specific parameters, if required
            # ...

            # The following are the mandatory parameters:
            Fast-Reauth-Lookup SIMAKA-ReauthCacheLookup ""
            Fast-Reauth-Update SIMAKA-ReauthCacheUpdate ""

            # The following are the optional parameters:
            Fast-Reauth-Realm ""
            Max-Number-Of-Reauths-Before-Full-Auth-Is-Required 5
            Fast-Reauth-Id-Lifetime 1800
        }
    }
Configuring for Fast Re-Authentication in aaa.config File

If you use the built-in AATVs (SIMAKA-ReauthCacheLookup and SIMAKA-ReauthCacheUpdate) to cache the mapping of fast re-authentication identities to users' real identities, you can configure the parameters described in Table 17-8 in the aatv.SIMAKA{} block of the aaa.config file.
Table 17-8 The aaa.config Configuration Block Parameters for Fast Re-authentication

Maximum-Fast-Reauth-Cache-Size
    Specifies the maximum size of the in-memory fast re-authentication table, as a number of entries. For a given user, the server must save the full authentication context for subsequent fast re-authentications; bounding the number of entries protects the server's memory. The valid range is 0 to 1,000,000. If the value is zero, no new fast re-authentication identities are added to the cache, but existing non-expired entries continue to be used; this value is intended to phase out fast re-authentication support following a HUP. If not explicitly configured, the default value is 500,000.
Sample aaa.config Configuration for Fast Re-authentication

    ##################################################################
    # Add the following in /etc/opt/aaa/aaa.config
    ##################################################################
    aatv.SIMAKA{
        # Configure other global parameters, if required
        # ...
        Maximum-Fast-Reauth-Cache-Size 4096
    }
Guidelines to Write EAP-SIM and EAP-AKA Fast Re-Authentication Database AATVs

This section describes the EAP-SIM and EAP-AKA requirements that the fast re-authentication database AATVs must meet in addition to the basic AATV requirements. For information on writing, compiling, installing, and debugging AATVs, see Chapter 28 (page 446).

You can configure EAP-SIM and EAP-AKA to support the fast re-authentication procedure by saving the last full authentication, including attributes such as the Master Key and the counter. The saved full authentication is used for the subsequent fast re-authentication. You can save the full authentication attributes in the internal tables included in the HP-UX AAA Server, or in an external database using SQL Access, and retrieve them when required. If you save the attributes in an external database, the database record must include the following attributes:
• Real-Username
• Real-Realm
• Fast-Reauth-Username
• FullAuth-Master-Key
• Fast-Reauth-Counter
• Fast-Reauth-Expiration-Time

The AATV that retrieves the mapping information can itself check whether the retrieved information has expired. If the mapping retrieval AATV checks for expiration, the retrieved Fast-Reauth-Expiration-Time attribute need not be placed on the authreq. If it does not check for expiration, the Fast-Reauth-Expiration-Time attribute must be placed on the authreq, in which case the EAP-SIM or EAP-AKA AATV that handles the result of the lookup checks for expiration.

Two AATVs are involved in fast re-authentication handling: one performs the update and the other performs the lookup. This section describes the following AATVs:
• “Fast Re-Authentication Database Update AATV” (page 253)
• “Fast Re-Authentication Database Lookup AATV” (page 254)
Fast Re-Authentication Database Update AATV

As a result of a full authentication, the database may require a new record for the fast re-authentication information. If the database already holds fast re-authentication information for the user, that information must be updated or invalidated with each full authentication or fast re-authentication. If the realm is configured for fast re-authentication support, the update AATV is invoked with every authentication, full or fast, successful or unsuccessful, and whether or not a new fast re-authentication user name is assigned.
Update AATV Inputs
The input to the Update AATV is the set of Vendor-Specific Attributes (VSAs) on the AUTHREQ_REPLY_QUEUE list of the authreq. Table 17-9 describes the Fast Re-Authentication Database Update AATV attributes.
Table 17-9 Vendor-Specific Attributes for Fast Re-Authentication Database Update AATV

Real-Username
    A string attribute that contains the user's real identity, with neither a prefix nor a realm. The identity can be an International Mobile Subscriber Identity (IMSI) of up to 15 decimal digits. If the realm is configured to support non-IMSI real identities, the identity can be a non-IMSI real user name of up to 253 characters.

Real-Realm
    A string attribute that contains the user's real realm, which is the realm portion of the AT_IDENTITY attribute from the last full authentication. This realm can differ from the realm portion of the User-Name attribute value. If the AT_IDENTITY attribute of the last full authentication does not specify a realm, Real-Realm contains an empty string.

Fast-Reauth-Username
    A string attribute that contains the value the HP-UX AAA Server sent during this authentication, that is, the user's next fast re-authentication user name. The identity carries the fast re-authentication prefix 3 and no realm; its length, including the prefix, is 10 characters. If the attribute is empty, the database's existing Fast-Reauth-Username and the associated full authentication details must be invalidated.

FullAuth-Master-Key
    A fixed-length binary string (octets) attribute that contains the Master Key (MK) of the last full authentication: a 160-bit (20-byte) binary string in network byte order. If Fast-Reauth-Username is an empty string, this attribute is not present.

Fast-Reauth-Counter
    An attribute that contains the updated value of the fast re-authentication counter. During an update following a full authentication, this value is zero; otherwise it is the number of fast re-authentications performed since the last full authentication. If Fast-Reauth-Username is an empty string, this attribute is not present.

Fast-Reauth-Expiration-Time
    A Unix epoch date attribute that contains the UTC time at which this fast re-authentication information expires. If the fast re-authentication information in the database is being invalidated rather than updated, this attribute has no significance. If Fast-Reauth-Username is an empty string, this attribute is not present.
Update AATV Outputs
The Update AATV must not return any attributes.
AATV Functionality and Return Events
The fast re-authentication update AATV updates its database with the fast re-authentication information available in the AUTHREQ_REPLY_QUEUE list of the authreq. The Update AATV must not modify the AUTHREQ_REPLY_QUEUE list of the authreq. The result of the update is either ACK or NAK. A NAK means the update failed, which may affect a subsequent fast re-authentication but does not affect the success or failure of the current authentication.
Fast Re-Authentication Database Lookup AATV

The fast re-authentication lookup AATV retrieves the information associated with the Fast-Reauth-Username attribute in the database. This AATV is invoked only during a fast re-authentication.
Lookup AATV Inputs
The input to the lookup AATV is a set of VSAs in the AUTHREQ_REPLY_QUEUE list of the authreq. Table 17-10 describes the Fast Re-Authentication Database Lookup AATV attributes.
Table 17-10 Vendor-Specific Attributes for Fast Re-Authentication Database Lookup AATV

Fast-Reauth-Username
    A string attribute that contains the user's fast re-authentication identity. The identity carries the fast re-authentication prefix 3 and no realm; its length, including the prefix, is 10 characters.

Fast-Reauth-Realm
    A string attribute that contains the realm portion of the received fast re-authentication identity. This can be the Real-Realm, the configured Fast-Reauth-Realm, or a realm that the NAS created to route the fast re-authentication request to the HP-UX AAA Server that performed the last full authentication. The realm is used for the database lookup, and the HP-UX AAA Server uses it only to invoke EAP-SIM or EAP-AKA.
Lookup AATV Outputs
The AUTHREQ_REPLY_QUEUE list of the authreq is updated to additionally contain the full authentication details. Table 17-11 describes the Lookup AATV output attributes.
Table 17-11 Lookup AATV Output Attributes
Real-Username
  A string attribute that contains the user's real identity. This identity contains no prefix or realm. The IMSI can be up to 15 decimal digits. If the HP-UX AAA Server is configured to support non-IMSI real identities, the identity can be a non-IMSI real username of up to 253 characters.
Real-Realm
  A string attribute that contains the user's real realm. This realm can differ from the realm portion of the User-Name attribute value. If the AT_IDENTITY attribute of the user's last full authentication specifies only a username with no realm, the Real-Realm attribute contains an empty string value.
FullAuth-Master-Key
  A fixed-length binary string (octets) attribute that contains the value of the Master Key (MK) from the last full authentication. The value is a 160-bit binary string (20 bytes), in network byte order.
Fast-Reauth-Counter
  An integer attribute that contains the value of the last fast re-authentication counter. The value is the number of fast re-authentications performed after the last full authentication.
Fast-Reauth-Expiration-Time
  A Unix epoch date attribute that contains the UTC time at which this fast re-authentication information expires. If the lookup AATV has already checked for an expired Fast-Reauth-Username, the attribute is not returned. If the attribute is returned, the HP-UX AAA Server checks whether the Fast-Reauth-Username has expired.
Lookup AATV Functionality and Return Events
The fast re-authentication lookup AATV attempts to retrieve the full authentication details of the Fast-Reauth-Username attribute from its database.
• If the information is available, the lookup AATV updates the AUTHREQ_REPLY_QUEUE list of the authreq with the specified output, and a RETRIEVE_SUCCESS message is returned.
• If the information is not available, a RETRIEVE_ERROR message is returned.
• The lookup AATV can check whether the fast re-authentication information has expired based on the Fast-Reauth-Expiration-Time value. If the fast re-authentication information has expired, a RETRIEVE_ERROR message is returned, and the cur_request list of the authreq is not updated. If the AATV does not check for an expired entry, the Fast-Reauth-Expiration-Time value is returned, and the HP-UX AAA Server subsequently checks for the expiration.
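The lookup behaviour just described, modelled in Python as an added example. This is not code from the HP-UX AAA Server or its AATV interface: the AUTHREQ_REPLY_QUEUE is modelled as a dict, the stored record fields follow the Table 17-11 output attributes, and the database contents (the identity 3KXQ7BM2NP, the IMSI, the realm example.com and the key bytes) are constructed sample data.

```python
import time

RETRIEVE_SUCCESS = "RETRIEVE_SUCCESS"
RETRIEVE_ERROR = "RETRIEVE_ERROR"

# Constructed sample database: Fast-Reauth-Username -> full-authentication details.
# Field names follow Table 17-11; every value below is made up for the example.
FAST_REAUTH_DB = {
    "3KXQ7BM2NP": {
        "Real-Username": "234150999999999",          # 15-digit IMSI (constructed)
        "Real-Realm": "example.com",                  # constructed realm
        "FullAuth-Master-Key": bytes(range(20)),      # 160-bit MK, constructed
        "Fast-Reauth-Counter": 2,
        "Fast-Reauth-Expiration-Time": 1_700_000_000, # Unix epoch, UTC
    },
}


def fast_reauth_lookup(reply_queue, db, check_expiry, now=None):
    """Model of the lookup AATV.

    Reads Fast-Reauth-Username from the reply queue and, on success, appends the
    Table 17-11 attributes to it. When check_expiry is True the AATV performs the
    expiry check itself and omits Fast-Reauth-Expiration-Time from the output;
    otherwise the attribute is returned and the server is expected to check it.
    On any failure the queue is left untouched and RETRIEVE_ERROR is returned.
    """
    now = time.time() if now is None else now
    username = reply_queue.get("Fast-Reauth-Username", "")
    # A fast re-auth identity is exactly 10 characters and carries the prefix 3.
    if len(username) != 10 or not username.startswith("3"):
        return RETRIEVE_ERROR
    record = db.get(username)
    if record is None:
        return RETRIEVE_ERROR
    if check_expiry:
        if now >= record["Fast-Reauth-Expiration-Time"]:
            return RETRIEVE_ERROR          # expired: no attributes are added
        outputs = {k: v for k, v in record.items()
                   if k != "Fast-Reauth-Expiration-Time"}
    else:
        outputs = dict(record)             # server will check expiry itself
    reply_queue.update(outputs)
    return RETRIEVE_SUCCESS
```

The split between the two expiry modes matters operationally: an AATV that neither checks expiry nor returns Fast-Reauth-Expiration-Time would let a stale entry be used indefinitely, so a lookup AATV should always do one or the other.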
Pseudonym Identities
Pseudonym Identity support is an optional EAP-SIM and EAP-AKA feature that provides identity protection by hiding the permanent identity on the second and all subsequent authentications.
The HP-UX AAA Server can generate pseudonyms as an encrypted form of the permanent identity, which can subsequently be decrypted to reproduce the permanent identity. Alternatively, the server can generate pseudonyms as a string of random characters, similar to the fast re-authentication identity. In the latter case, an external database is required to store the pseudonym to permanent identity mappings. For many users, the algorithm-based pseudonyms are the easiest and most efficient option. Random pseudonyms are required if the algorithm does not provide adequate security for the permanent identity.
Random Pseudonyms
The server, while operating in an environment where a central database is used for saving the pseudonym to permanent identity mappings, can be configured to generate a pseudonym as a string of random characters. The server can also store the last used and last assigned pseudonyms in this central database. EAP-SIM RFC 4186 recommends saving at least two pseudonyms, the last used and the last assigned. For random pseudonyms to work, the realm configuration in the EAP-Type SIM{} block within the EAP.authfile file must specify the Pseudonym-Lookup and Pseudonym-Update parameters with an AATV that maps the pseudonym to the permanent identity and that stores the random pseudonym in the database. In this case, the encryption algorithm is not employed, and the pseudonym resembles a fast re-authentication identity with a different prefix. The random pseudonym identity is 10 characters long, consisting of the pseudonym prefix 2, followed by nine random characters from the character set {BCDFGHJKLMNPQRSTVWXYZ0123456789}. The random pseudonym is advantageous because it is impossible to reverse engineer the permanent identity from it. However, a database to store and retrieve the mapping of pseudonym to permanent identity is required.
Algorithm-Based Pseudonyms
The HP-UX AAA Server generates a pseudonym by encrypting the real user name using an algorithm, and the SIMAKA-PseudonymDecrypt AATV decrypts a pseudonym to reproduce the real user name. Following are the features and benefits of the algorithmic approach as specified by Ericsson [1] and submitted to the 3GPP TSG SA WG3 working group:
• No external database is required to store all the assigned pseudonyms.
• A pseudonym generated on one RADIUS server can be processed by a second RADIUS server.
• No user state is kept in the RADIUS server between WLAN sessions.
• Pseudonyms are not stored in the Home Subscriber Server (HSS) or Home Location Register (HLR).
• Any secret keys used in the RADIUS server for the generation of pseudonyms cannot be recovered even if a number of matching permanent identities and pseudonyms are available.
• For any given pseudonym or a number of correlated pseudonyms, it is impossible to recover the corresponding permanent identity.
• It is impossible to determine whether two pseudonyms correspond to the same permanent identity.
• It is impossible to generate a valid pseudonym irrespective of the underlying permanent identity, thereby avoiding random forgery.
• It is impossible to generate a valid pseudonym corresponding to a given permanent identity, thereby avoiding targeted forgery.
To use algorithm-based pseudonyms, the global configuration in the aatv.SIMAKA{} block must specify one or more Pseudonym-Algorithm-Key-n parameters. The key number specified in the Pseudonym-Algorithm-Current-Key field is used to encrypt new pseudonyms. The other keys are used only to decrypt pseudonyms generated earlier with them, not to generate new pseudonyms. With algorithm-based pseudonyms, no lifetime is applied to the pseudonym. A lifetime can be approximated by defining a new key and making the new key current. After the desired lifetime, the old key can be removed, which disables the pseudonyms generated with it.
When generating a pseudonym based on a permanent identity that is an IMSI, the server uses a minor modification of an algorithm developed by Ericsson [2] and submitted to the 3GPP TSG SA WG3 working group. In this case, the pseudonym user name is 24 characters long.
When generating a pseudonym based on a permanent identity that is a generic user name, for example, fred, the server uses an algorithm derived from the same Ericsson algorithm. In this case, the length of the pseudonym varies, depending on the length of the permanent identity, as follows:
• 24 characters, if the permanent user name is 1-8 characters.
• 45 characters, if the permanent user name is 9-24 characters.
• 66 characters, if the permanent user name is 25-40 characters.
• 88 characters, if the permanent user name is 41-56 characters.
• 109 characters, if the permanent user name is 57-72 characters.
• 130 characters, if the permanent user name is 73-88 characters.
• 152 characters, if the permanent user name is 89-104 characters.
• 173 characters, if the permanent user name is 104-120 characters.
• 194 characters, if the permanent user name is 121-136 characters.
• 216 characters, if the permanent user name is 137-152 characters.
• 237 characters, if the permanent user name is 153-168 characters.
NOTE: The pseudonym is not generated if the permanent user name is longer than 168 characters, because the pseudonym identity would exceed 253 characters.
The server generates a pseudonym identity only if the length of the pseudonym@realrealm string does not exceed 253 characters.
For a given IMSI permanent identity, there are 56 random user bits involved in the pseudonym generation, resulting in over seven million trillion (7×10^18) different pseudonyms for a given IMSI. The probability of a random forgery involving a random IMSI is less than one in four million.
For a given non-IMSI permanent identity, there are 32 random user bits involved in the pseudonym generation, resulting in over 4 billion different pseudonyms for a given user. The probability of a random forgery involving a generic user name is less than one in 50 million.
Configuring for Pseudonym Identity Support
To use pseudonym identity support, the realm configuration in the EAP-Type SIM{} or EAP-Type AKA{} block in EAP.authfile must specify the parameters described in Table 17-12.
Table 17-12 EAP.authfile Configuration Parameters
Pseudonym-Lookup
  The Pseudonym-Lookup parameter specifies an AATV and an Xstring parameter for this AATV. This AATV is invoked to map a pseudonym to the user's real identity. If this parameter is not configured, pseudonym support is disabled for the realm.
  The HP-UX AAA Server provides the SIMAKA-PseudonymDecrypt AATV for algorithm-based pseudonym identity support. The following conditions apply if this AATV is configured:
  • The server forces non-random pseudonym generation for this realm.
  • If no Pseudonym-Algorithm-Key-* parameters are defined in the aatv.SIMAKA{} block of the aaa.config file, pseudonym support is disabled.
  • If at least one of the above mentioned keys is defined, and Pseudonym-Algorithm-Current-Key is not defined in the aatv.SIMAKA{} block of the aaa.config file, or does not refer to a defined key, generation of new pseudonyms is disabled, but existing pseudonyms can be looked up.
  There is no default value.
Pseudonym-Update
  This parameter specifies an AATV and an Xstring parameter for this AATV. This AATV is invoked to update the mapping of a pseudonym to a user's real identity. Pseudonym support using an algorithm does not require a Pseudonym-Update AATV. There is no default value.
Pseudonym-Lifetime
  The Pseudonym-Lifetime parameter specifies the lifetime of a generated random character pseudonym. After the specified duration has elapsed from the time the pseudonym was first assigned, the pseudonym becomes invalid, independent of the number of times the pseudonym was used. The valid range is 1 to 31,622,400 (1 second to 366 days). The default value is 1,209,600 seconds (14 days).
Generate-Random-Character-Pseudonyms
  The Generate-Random-Character-Pseudonyms parameter indicates whether the server generates pseudonyms by algorithm (value = No) or generates random character pseudonyms (value = Yes). The valid values are Yes and No. The default value is No.
To use algorithm-based pseudonym identity support, the aatv.SIMAKA{} block in the aaa.config file must specify the parameters described in Table 17-13.
Table 17-13 The aaa.config Parameters for Algorithm-based Pseudonym Identity
Pseudonym-Algorithm-Key-n
  The HP-UX AAA Server can generate pseudonyms as an encrypted form of the permanent identity, which can subsequently be decrypted to reproduce the permanent identity. This set of parameters (n = 1 to 16) can be used to specify up to 16 encryption keys for encryption or decryption. The key value is a 128-bit binary string (16 bytes) entered as 0x followed by 16 two-digit hex values. The dots between groups are optional and are used only to improve readability. Pseudonym generation for a realm is disabled if no keys are defined and the generation of random character pseudonyms is disabled, that is, the value of the Generate-Random-Character-Pseudonyms parameter is No. If not explicitly configured, there are no default values.
Pseudonym-Algorithm-Current-Key
  Specifies the Pseudonym-Algorithm-Key used to encrypt the permanent identity during the generation of a new pseudonym. The other keys are used to decrypt pseudonyms previously generated with them, but are not used to generate new pseudonyms. The valid range is 1 to 16. If not explicitly configured, there is no default value.
Sample EAP.authfile Configuration for Random Pseudonym Identity Support
    #################################################################
    # Add the following in /etc/opt/aaa/EAP.authfile for EAP-SIM
    #################################################################
    eapsim.com -EAP EAP "comment"
    {
        EAP-Type SIM
        {
            # Configure other realm-specific parameters, if required
            .
            .
            # Following are the mandatory parameters:
            Pseudonym-Lookup <pseudonym lookup aatv name> "<xstring if any>"
            Pseudonym-Update <pseudonym update aatv name> "<xstring if any>"
            Generate-Random-Character-Pseudonyms Yes
            # Following are the optional parameters:
            Pseudonym-Lifetime 604800
        }
    }
    #################################################################
    # Add the following in /etc/opt/aaa/EAP.authfile for EAP-AKA
    #################################################################
    eapaka.com -EAP EAP "comment"
    {
        EAP-Type AKA
        {
            # Configure other realm-specific parameters, if required
            .
            .
            # Following are the mandatory parameters:
            Pseudonym-Lookup <pseudonym lookup aatv name> "<xstring if any>"
            Pseudonym-Update <pseudonym update aatv name> "<xstring if any>"
            Generate-Random-Character-Pseudonyms Yes
            # Following are the optional parameters:
            Pseudonym-Lifetime 604800
        }
    }
NOTE: No global configuration is required for random pseudonym identity support.
Sample EAP.authfile Configuration for Algorithm-based Pseudonym Identity Support
    #################################################################
    # Add the following in /etc/opt/aaa/EAP.authfile for EAP-SIM
    #################################################################
    eapsim.com -EAP EAP "comment"
    {
        EAP-Type SIM
        {
            # Configure other realm-specific parameters, if required
            .
            .
            # Following are the mandatory parameters:
            Pseudonym-Lookup SIMAKA-PseudonymDecrypt ""
            Pseudonym-Update NULL ""
            Generate-Random-Character-Pseudonyms No
            # Following are the optional parameters:
            Pseudonym-Lifetime 604800
        }
    }
    #################################################################
    # Add the following in /etc/opt/aaa/EAP.authfile for EAP-AKA
    #################################################################
    eapaka.com -EAP EAP "comment"
    {
        EAP-Type AKA
        {
            # Configure other realm-specific parameters, if required
            .
            .
            # Following are the mandatory parameters:
            Pseudonym-Lookup SIMAKA-PseudonymDecrypt ""
            Pseudonym-Update NULL ""
            Generate-Random-Character-Pseudonyms No
            # Following are the optional parameters:
            Pseudonym-Lifetime 604800
        }
    }
Sample aaa.config Configuration for Algorithm-based Pseudonym Identity Support
    #################################################################
    # Add the following in /etc/opt/aaa/aaa.config
    #################################################################
    aatv.SIMAKA{
        # Configure other global parameters, if required
        .
        .
        # At least one Pseudonym-Algorithm-Key is mandatory
        Pseudonym-Algorithm-Key-1  0x00010203.04050607.08090a0b.0c0d0e0f
        Pseudonym-Algorithm-Key-11 0xa0a1a2a3.a4a5a6a7.a8a9aaab.acadaeaf
        Pseudonym-Algorithm-Key-16 0xf0f1f2f3.f4f5f6f7.f8f9fafb.fcfdfeff
        Pseudonym-Algorithm-Current-Key 11
    }
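A pre-deployment check for the aatv.SIMAKA{} block, as an added example that is not part of the guide or the HP-UX AAA Server. It parses the key syntax from Table 17-13 (0x followed by 16 two-digit hex values, dots optional), then applies the rules from Table 17-12 for a realm whose Pseudonym-Lookup is SIMAKA-PseudonymDecrypt: no keys means pseudonym support is disabled, keys without a valid current key means lookup-only, and the key-rotation helper refuses to retire the key that is still current. The embedded configuration text is a copy of the sample above; the mode names and the parser are the example's own.

```python
import re

# Constructed copy of the sample aatv.SIMAKA{} block above. The key values are the
# guide's sample values, not real operator keys.
SAMPLE_AAA_CONFIG = """\
aatv.SIMAKA{
    # Configure other global parameters, if required
    # At least one Pseudonym-Algorithm-Key is mandatory
    Pseudonym-Algorithm-Key-1  0x00010203.04050607.08090a0b.0c0d0e0f
    Pseudonym-Algorithm-Key-11 0xa0a1a2a3.a4a5a6a7.a8a9aaab.acadaeaf
    Pseudonym-Algorithm-Key-16 0xf0f1f2f3.f4f5f6f7.f8f9fafb.fcfdfeff
    Pseudonym-Algorithm-Current-Key 11
}
"""

KEY_NAME = re.compile(r"^Pseudonym-Algorithm-Key-(\d+)$")
SIMAKA_DECRYPT_AATV = "SIMAKA-PseudonymDecrypt"


def parse_key(text):
    """Table 17-13 key syntax: 0x, then 16 two-digit hex values; dots are optional."""
    if not text.startswith("0x"):
        raise ValueError("key must start with 0x: %r" % text)
    digits = text[2:].replace(".", "")
    if not re.fullmatch(r"[0-9a-fA-F]{32}", digits):
        raise ValueError("key must be 128 bits (16 hex bytes): %r" % text)
    return bytes.fromhex(digits)


def is_valid_key(text):
    try:
        parse_key(text)
        return True
    except ValueError:
        return False


def parse_simaka_block(config_text):
    """Return ({key number: 16-byte key}, current key number or None) from the
    aatv.SIMAKA{} block. Comments and lines outside the block are ignored."""
    keys, current, in_block = {}, None, False
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("aatv.SIMAKA"):
            in_block = True
            continue
        if line == "}":
            in_block = False
            continue
        if not in_block or line == "{":
            continue
        parts = line.split(None, 1)
        name, value = parts[0], (parts[1].strip() if len(parts) > 1 else "")
        m = KEY_NAME.match(name)
        if m:
            n = int(m.group(1))
            if not 1 <= n <= 16:
                raise ValueError("key number out of range 1..16: %s" % name)
            keys[n] = parse_key(value)
        elif name == "Pseudonym-Algorithm-Current-Key":
            current = int(value)
            if not 1 <= current <= 16:
                raise ValueError("current key number out of range 1..16")
    return keys, current


def pseudonym_mode(keys, current_key, pseudonym_lookup=SIMAKA_DECRYPT_AATV):
    """Effective pseudonym support for a realm, per the Table 17-12 conditions.
    Mode names are this example's own."""
    if pseudonym_lookup is None:            # no Pseudonym-Lookup in the realm block
        return "disabled"
    if pseudonym_lookup != SIMAKA_DECRYPT_AATV:
        return "external-database"          # customer AATVs; keys are not consulted
    if not keys:                            # decrypt AATV configured but no keys
        return "disabled"
    if current_key is None or current_key not in keys:
        return "lookup-only"                # old pseudonyms decrypt; none generated
    return "enabled"


def retire_key(keys, current_key, number):
    """Remove an old key after its approximated lifetime. Refuses to remove the
    current key, which would silently drop the realm to lookup-only mode."""
    if number == current_key:
        raise ValueError("cannot retire the current key; rotate to a new key first")
    remaining = dict(keys)
    remaining.pop(number, None)
    return remaining
```

Run parse_simaka_block on the real aaa.config text before restarting the server; a current key number that matches no defined key is not rejected by the configuration syntax, only by the resulting behaviour.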
Guidelines to Write EAP-SIM and EAP-AKA Pseudonym Database AATVs
This section describes the EAP-SIM and EAP-AKA requirements that the Pseudonym Database AATVs must meet in addition to the basic AATV requirements. For information on AATV writing, compiling, installing, and debugging, see Chapter 28 (page 446).
You can configure EAP-SIM and EAP-AKA to support pseudonyms. To perform a full authentication using a pseudonym, you must map the assigned pseudonym to the real identity. EAP-SIM and EAP-AKA can manage the pseudonym mapping internally. Alternatively, using customer-supplied plug-ins, they can store the mapping in an external database using SQL Access and retrieve it when required. In accordance with the RFCs, the HP-UX AAA Server must save at least two pseudonyms: the last one used by the peer and the last one assigned by the HP-UX AAA Server. If you save the attributes in an external database, the database record must include the following attributes:
• Real-Username
• Real-Realm
• Last-Used-Pseudonym-Username
• Last-Used-Pseudonym-Expiration-Time
• Last-Assigned-Pseudonym-Username
• Last-Assigned-Pseudonym-Expiration-Time
These attributes are described in Table 17-14. The database can also include the authentication information and the reply items. The AATV that retrieves the mapping information must look for a match on either the Last-Used-Pseudonym-Username attribute or the Last-Assigned-Pseudonym-Username attribute.
The AATV that retrieves the mapping information can check whether the matching field has expired. If the mapping retrieval AATV checks for expiration, the corresponding expiration time attribute need not be placed on the AUTHREQ_REPLY_QUEUE list of the authreq. If the mapping retrieval AATV is not configured to check for expiration, the expiration time attributes must be placed in the authreq, and the EAP-SIM or EAP-AKA AATV that handles the result of the lookup then checks for expiration.
If you write your own AATVs, which is necessary if an external database is employed, a set of input attributes in the AUTHREQ_REPLY_QUEUE list of the authreq can be used by the AATVs. Also, a set of returned attributes that the lookup AATV adds to the AUTHREQ_REPLY_QUEUE list of the authreq is used to interface with the HP-UX AAA Server.
There are two AATVs involved in pseudonym handling. One AATV performs the lookup and the other performs the update. This section describes the following AATVs:
• "Pseudonym Database Update AATV" (page 264)
• "Pseudonym Database Lookup AATV" (page 265)
Pseudonym Database Update AATV
As a result of a full authentication, the database may require a new record for the pseudonym information. If the database includes an existing set of pseudonym information, the information needs to be updated or made invalid each time the HP-UX AAA Server assigns a new pseudonym.
Update AATV Inputs
The input to the Update AATV is the set of VSAs on the AUTHREQ_REPLY_QUEUE list of the authreq. Table 17-14 describes the Pseudonym Database Update AATV attributes.
Table 17-14 Vendor-Specific Attributes for Pseudonym Database Update AATV
Real-Username
  A string attribute that contains the user's real identity. This identity contains neither a prefix nor a realm. The identity can be an IMSI of up to 15 decimal digits. If the HP-UX AAA Server is configured to support non-IMSI real identities, the identity can be a non-IMSI real username of up to 253 characters.
Real-Realm
  A string attribute that contains the user's real realm. This realm can differ from the realm portion of the User-Name attribute value. If the AT_IDENTITY attribute contains only a username, but no realm, the Real-Realm attribute contains an empty string value.
Last-Assigned-Pseudonym-Username
  A string attribute that contains the value sent by the HP-UX AAA Server during the current authentication. This value is also the value of the next pseudonym. This username contains the pseudonym prefix, 2. However, no realm is associated with it. The length of the identity, including the prefix, can be up to 253 characters. If no new pseudonym is assigned, the Update AATV is not called.
Last-Assigned-Pseudonym-Expiration-Time
  A Unix epoch date attribute that contains the UTC time at which Last-Assigned-Pseudonym-Username expires. This attribute is present only if the Last-Assigned-Pseudonym-Username attribute is present.
Last-Used-Pseudonym-Username
  If the peer authenticated using a pseudonym, the Last-Used-Pseudonym-Username attribute contains the pseudonym value of the current authentication. This identity contains the pseudonym prefix, 2. However, no realm is associated with it. The length of the identity can be up to 253 characters. Otherwise, this attribute is not present.
Last-Used-Pseudonym-Expiration-Time
  A Unix epoch date attribute that contains the UTC time at which Last-Used-Pseudonym-Username expires. This attribute is present only if the Last-Used-Pseudonym-Username attribute is present and the database that maps the pseudonym to the Real-Username attribute returns a Pseudonym-Expiration-Time VSA.
Update AATV Outputs
The Update AATV returns no attributes.
AATV Functionality and Return Events
The pseudonym update AATV updates its database with the pseudonym information available in the AUTHREQ_REPLY_QUEUE list of the authreq. The Update AATV must not modify the AUTHREQ_REPLY_QUEUE list of the authreq. The result of the update is either ACK or NAK. The AATV returns ACK if the database is updated successfully. If the result of the update is NAK, the update has failed. However, this does not affect the outcome of the current authentication.
NOTE: If the Pseudonym-Expiration-Time is not present because the Lookup AATV handles the expiration check, the Lookup AATV may need to update the Last-Used-Pseudonym-Expiration-Time in the database with the Last-Assigned-Pseudonym-Expiration-Time value. For more information on Pseudonym-Expiration-Time, see Table 17-16 (page 266).
Pseudonym Database Lookup AATV
The Pseudonym Database Lookup AATV retrieves the information associated with the Pseudonym-Username attribute from the database.
Lookup AATV Inputs
The input to the Lookup AATV is a set of Vendor-Specific Attributes (VSAs) in the AUTHREQ_REPLY_QUEUE list of the authreq. Table 17-15 describes the attributes.
Table 17-15 Vendor-Specific Attributes for Pseudonym Database Lookup AATV
Pseudonym-Username
  A string attribute that contains the pseudonym value to be found in the database. The identity contains the pseudonym prefix, 2. However, no realm is associated with it. The length of the identity can be up to 253 characters.
Real-Realm
  A string attribute that contains the user's real realm. This realm can differ from the realm portion of the User-Name attribute value. If the AT_IDENTITY attribute contains only a username, but no realm, the Real-Realm attribute contains an empty string value.
Number-of-Triplets-Requested
  An integer attribute that contains the number of requested triplets (RAND, Kc, and SRES). In accordance with RFC 4186, the number of triplets required for authentication is two or three. The number of triplets required is provided to enable the lookup AATV to generate GSM Triplets, if required.
A3-Algorithm
  A string attribute that contains the name of the A3 algorithm to be used in the GSM Triplet generation. The value is case-sensitive. This attribute is present only if the realm is configured with a default A3 algorithm. The attribute is present to enable the lookup AATV to generate GSM Triplets, if required.
A8-Algorithm
  A string attribute that contains the name of the A8 algorithm to be used in the GSM Triplet generation. The value is case-sensitive. This attribute is present only if the realm is configured with a default A8 algorithm. The attribute is present to enable the lookup AATV to generate GSM Triplets, if required.
Lookup AATV Outputs
The AUTHREQ_REPLY_QUEUE list of the authreq is updated to additionally contain the attributes described in Table 17-16.
Table 17-16 Lookup AATV Output Attributes
Real-Username
  A string attribute that contains the user's real identity. The identity contains neither a prefix nor a realm. The identity can be an IMSI of up to 15 decimal digits. If the realm is configured to support non-IMSI real identities, the identity can be a non-IMSI real username of up to 253 characters.
Pseudonym-Expiration-Time
  A Unix epoch date attribute that contains the UTC time at which the looked-up pseudonym expires. This attribute is optional if the lookup AATV has already checked for an expired Pseudonym-Username. If it is returned, the HP-UX AAA Server checks whether the Pseudonym-Username has expired. The lookup AATV may return this attribute even if it performs the expiration check. If this attribute is present, the Pseudonym Update AATV is called with the Last-Used-Pseudonym-Expiration-Time present, carrying the Pseudonym-Expiration-Time value. If this attribute is not returned, the Lookup AATV must itself update the Last-Used-Pseudonym-Expiration-Time in the database.
The Lookup AATV for EAP-SIM can also return credentials and other reply items while retrieving the user's Real-Username. Consequently, the AUTHREQ_REPLY_QUEUE list of the authreq is updated to contain additional attributes. Table 17-17 describes the Lookup AATV attributes for EAP-SIM.
Table 17-17 Lookup AATV Attributes for EAP-SIM
GSM-Triplet(s)
  A fixed-length binary string (octets) attribute that can occur twice or three times, and contains an EAP-SIM authentication vector. The parameter value is a 224-bit binary string (28 bytes) made up of the following:
  • RAND = The first 128 bits (16 bytes) of the value.
  • Kc = The next 64 bits (8 bytes) of the value.
  • SRES = The last 32 bits (4 bytes) of the value.
OR
Subscriber-Key
  A fixed-length binary string (octets) attribute that contains the 128-bit value of the Subscriber Key (Ki) used to authenticate the user.
A3-Algorithm
  An optional string attribute that contains the name of the A3 algorithm used to authenticate the user. This attribute is optional if a default value is configured for the realm. The value is case-sensitive.
A8-Algorithm
  An optional string attribute that contains the name of the A8 algorithm used to authenticate the user. This attribute is optional if a default value is configured for the realm. The value is case-sensitive.
AND
Other reply attributes
  Optional reply items, such as Session-Timeout and Idle-Timeout.
The Lookup AATV for EAP-AKA can also return credentials and other reply items while retrieving the user's Real-Username. Consequently, the AUTHREQ_REPLY_QUEUE list of the authreq is updated to contain additional attributes. Table 17-18 describes the Lookup AATV attributes for EAP-AKA.
Table 17-18 Lookup AATV Attributes for EAP-AKA
AKA-Vector
  A fixed-length binary string (octets) attribute that can occur only once, and contains an EAP-AKA authentication vector. The value is a 576-bit binary string (72 bytes) made up of the following:
  • RAND = The first 128 bits (16 bytes) of the value.
  • XRES = The next 64 bits (8 bytes) of the value.
  • CK = The next 128 bits (16 bytes) of the value.
  • IK = The next 128 bits (16 bytes) of the value.
  • AUTN = The last 128 bits (16 bytes) of the value.
OR
Subscriber-Key
  A fixed-length binary string (octets) attribute that contains the 128-bit value of the Subscriber Key (Ki) used to authenticate the user.
AKA-Algorithm
  An optional string attribute that contains the name of the AKA algorithm used to authenticate the user. This attribute is optional if a default value is configured for the realm. The value is case-sensitive.
AKA-Sequence-Number
  A fixed-length binary string (octets) attribute that contains the 48-bit sequence number used to authenticate the user.
AKA-Mode
  An optional fixed-length binary string (octets) attribute that contains a 16-bit value. The value indicates whether the AKA-Sequence-Number is used for a Circuit Switched or Packet Switched authentication. This attribute is optional if a default value is configured for the realm.
AND
Other reply attributes
  Optional reply items, such as Session-Timeout and Idle-Timeout.
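Parsers for the two credential layouts in Tables 17-17 and 17-18, as an added example that is not code from the guide or the HP-UX AAA Server. They split a GSM-Triplet(s) value into RAND, Kc and SRES and an AKA-Vector into RAND, XRES, CK, IK and AUTN at the octet offsets the tables give, and resolve the either/or structure of each table (authentication vectors, or a Subscriber-Key plus algorithm names, with realm defaults filling in missing names). The reply queue is modelled as a dict, the requirement that the returned triplet count equal Number-of-Triplets-Requested is this example's own assumption, and all byte values in the test are constructed.

```python
from collections import namedtuple

# Octet layouts from Tables 17-17 and 17-18; RAND comes first in both.
GsmTriplet = namedtuple("GsmTriplet", "rand kc sres")        # 16 + 8 + 4 = 28 bytes
AkaVector = namedtuple("AkaVector", "rand xres ck ik autn")   # 16 + 8 + 16 + 16 + 16 = 72 bytes
GSM_TRIPLET_LEN = 28
AKA_VECTOR_LEN = 72


def parse_gsm_triplet(value):
    if len(value) != GSM_TRIPLET_LEN:
        raise ValueError("GSM triplet must be %d bytes, got %d" % (GSM_TRIPLET_LEN, len(value)))
    return GsmTriplet(value[0:16], value[16:24], value[24:28])


def parse_aka_vector(value):
    if len(value) != AKA_VECTOR_LEN:
        raise ValueError("AKA vector must be %d bytes, got %d" % (AKA_VECTOR_LEN, len(value)))
    return AkaVector(value[0:16], value[16:24], value[24:40], value[40:56], value[56:72])


def eap_sim_credentials(queue, requested, default_a3=None, default_a8=None):
    """Resolve what the EAP-SIM lookup returned (Table 17-17): either GSM-Triplet(s),
    or a Subscriber-Key plus A3/A8 names with the realm defaults filling gaps.
    `requested` is Number-of-Triplets-Requested (two or three per RFC 4186)."""
    if not 2 <= requested <= 3:
        raise ValueError("Number-of-Triplets-Requested must be 2 or 3")
    if "GSM-Triplet(s)" in queue:
        triplets = [parse_gsm_triplet(v) for v in queue["GSM-Triplet(s)"]]
        if len(triplets) != requested:        # example's own strictness
            raise ValueError("expected %d triplets, got %d" % (requested, len(triplets)))
        return "triplets", triplets
    ki = queue.get("Subscriber-Key")
    if ki is None:
        raise ValueError("neither GSM-Triplet(s) nor Subscriber-Key was returned")
    if len(ki) != 16:
        raise ValueError("Subscriber-Key must be 128 bits")
    a3 = queue.get("A3-Algorithm", default_a3)
    a8 = queue.get("A8-Algorithm", default_a8)
    if a3 is None or a8 is None:
        raise ValueError("A3/A8 algorithm name missing and no realm default configured")
    return "subscriber-key", (ki, a3, a8)


def eap_aka_credentials(queue, default_aka=None, default_mode=None):
    """Same decision for EAP-AKA (Table 17-18): one AKA-Vector, or Subscriber-Key plus
    AKA-Algorithm, a 48-bit AKA-Sequence-Number and an optional 16-bit AKA-Mode."""
    if "AKA-Vector" in queue:
        return "aka-vector", parse_aka_vector(queue["AKA-Vector"])
    ki = queue.get("Subscriber-Key")
    sqn = queue.get("AKA-Sequence-Number")
    if ki is None or sqn is None:
        raise ValueError("Subscriber-Key and AKA-Sequence-Number are required without AKA-Vector")
    if len(ki) != 16 or len(sqn) != 6:
        raise ValueError("Subscriber-Key must be 16 bytes and AKA-Sequence-Number 6 bytes")
    alg = queue.get("AKA-Algorithm", default_aka)
    if alg is None:
        raise ValueError("AKA-Algorithm missing and no realm default configured")
    mode = queue.get("AKA-Mode", default_mode)
    if mode is not None and len(mode) != 2:
        raise ValueError("AKA-Mode must be 16 bits")
    return "subscriber-key", (ki, alg, sqn, mode)
```

Rejecting a mis-sized vector up front is the useful part: a 72-byte value that is silently sliced at the wrong offsets would hand the peer a wrong AUTN and fail authentication with no obvious cause in the logfile.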
Lookup AATV Functionality and Return Events
The Pseudonym Lookup AATV attempts to retrieve the Real-Username from its database.
• If the information is found, the Lookup AATV updates the cur_request list of the authreq with the specified output, and a RETRIEVE_SUCCESS message is returned.
• If the information is not available, a RETRIEVE_ERROR message is returned.
• The Lookup AATV can check whether the Pseudonym-Username has expired based on the Pseudonym-Expiration-Time. If the Pseudonym-Username has expired, a RETRIEVE_ERROR message is returned, and the cur_request list of the authreq is not updated. If the AATV does not check for an expired entry, the Pseudonym-Expiration-Time is returned, and the HP-UX AAA Server subsequently checks for the expiration. The Pseudonym-Expiration-Time value is one of the following:
  — Last-Used-Pseudonym-Expiration-Time, if the Pseudonym-Username matches the Last-Used-Pseudonym-Username.
  — Last-Assigned-Pseudonym-Expiration-Time, if the Pseudonym-Username matches the Last-Assigned-Pseudonym-Username.
• A successful mapping can also return user credentials and general reply items. If user credentials are returned, they are appended to the cur_request list of the authreq, as specified.
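The random-pseudonym scheme from "Random Pseudonyms" and the Update and Lookup AATV contracts above, brought together in one Python model as an added example. This is not code from the guide, the HP-UX AAA Server or its AATV interface: the external database is an in-memory dict, the AUTHREQ_REPLY_QUEUE is a dict, the pseudonyms used in the test are constructed, and the full_authentication driver is the example's own sketch of the sequence (map the presented pseudonym, assign the next one, call the Update AATV). It keeps the last-used and last-assigned pseudonyms per user, matches either one on lookup, and handles the expiry check in both places the guide allows.

```python
import secrets
import time

PSEUDONYM_PREFIX = "2"
# Character set the guide gives for random pseudonyms; nine of these follow the prefix.
PSEUDONYM_CHARSET = "BCDFGHJKLMNPQRSTVWXYZ0123456789"
RETRIEVE_SUCCESS, RETRIEVE_ERROR = "RETRIEVE_SUCCESS", "RETRIEVE_ERROR"
ACK, NAK = "ACK", "NAK"


def generate_random_pseudonym():
    """10-character identity: prefix 2 followed by nine CSPRNG-chosen characters."""
    return PSEUDONYM_PREFIX + "".join(secrets.choice(PSEUDONYM_CHARSET) for _ in range(9))


def is_random_pseudonym(identity):
    return (len(identity) == 10 and identity[0] == PSEUDONYM_PREFIX
            and all(c in PSEUDONYM_CHARSET for c in identity[1:]))


class PseudonymDatabase:
    """Constructed stand-in for the external store: one record per Real-Username that
    keeps the last-used and last-assigned pseudonyms with their expiration times."""

    def __init__(self):
        self.records = {}

    def update(self, queue):
        """Update AATV (Table 17-14 inputs): write the record and return ACK or NAK.
        The reply queue is only read, never modified."""
        user = queue.get("Real-Username")
        assigned = queue.get("Last-Assigned-Pseudonym-Username")
        if not user or not assigned:
            return NAK
        rec = self.records.setdefault(user, {"Real-Realm": queue.get("Real-Realm", "")})
        rec["Last-Assigned-Pseudonym-Username"] = assigned
        rec["Last-Assigned-Pseudonym-Expiration-Time"] = queue.get(
            "Last-Assigned-Pseudonym-Expiration-Time")
        if "Last-Used-Pseudonym-Username" in queue:
            rec["Last-Used-Pseudonym-Username"] = queue["Last-Used-Pseudonym-Username"]
            # Present only when the lookup returned Pseudonym-Expiration-Time; otherwise
            # the lookup AATV has already written the last-used expiry itself.
            if "Last-Used-Pseudonym-Expiration-Time" in queue:
                rec["Last-Used-Pseudonym-Expiration-Time"] = queue[
                    "Last-Used-Pseudonym-Expiration-Time"]
        return ACK

    def lookup(self, queue, check_expiry=True, now=None):
        """Lookup AATV (Tables 17-15/17-16): match Pseudonym-Username against either
        stored pseudonym, append Real-Username, and return Pseudonym-Expiration-Time
        only when the expiry check is left to the server."""
        now = time.time() if now is None else now
        wanted = queue.get("Pseudonym-Username", "")
        for user, rec in self.records.items():
            for slot in ("Last-Used", "Last-Assigned"):
                if rec.get(slot + "-Pseudonym-Username") != wanted:
                    continue
                expires = rec.get(slot + "-Pseudonym-Expiration-Time")
                if check_expiry:
                    if expires is not None and now >= expires:
                        return RETRIEVE_ERROR        # expired: queue left unchanged
                    # No expiry VSA goes back, so carry the matched expiry into the
                    # last-used slot here (the note under the Update AATV).
                    rec["Last-Used-Pseudonym-Expiration-Time"] = expires
                elif expires is not None:
                    queue["Pseudonym-Expiration-Time"] = expires
                queue["Real-Username"] = user
                return RETRIEVE_SUCCESS
        return RETRIEVE_ERROR


def full_authentication(db, identity, real_realm, lifetime, now,
                        check_expiry=True, new_pseudonym=None):
    """Drive one full authentication: map a presented pseudonym, assign the next one,
    run the Update AATV. Returns (new pseudonym, update result), or (None, None) when
    the presented pseudonym is unknown or expired."""
    queue = {"Real-Realm": real_realm}
    if is_random_pseudonym(identity):
        queue["Pseudonym-Username"] = identity
        if db.lookup(queue, check_expiry, now) != RETRIEVE_SUCCESS:
            return None, None
        if "Pseudonym-Expiration-Time" in queue:       # server-side expiry check
            if now >= queue["Pseudonym-Expiration-Time"]:
                return None, None
            queue["Last-Used-Pseudonym-Expiration-Time"] = queue["Pseudonym-Expiration-Time"]
        queue["Last-Used-Pseudonym-Username"] = identity
    else:
        queue["Real-Username"] = identity              # permanent identity presented
    new_pseudonym = new_pseudonym or generate_random_pseudonym()
    queue["Last-Assigned-Pseudonym-Username"] = new_pseudonym
    queue["Last-Assigned-Pseudonym-Expiration-Time"] = now + lifetime
    # A NAK only affects later pseudonym logins, not this authentication's outcome.
    return new_pseudonym, db.update(queue)
```

Keeping both pseudonyms is what makes the scheme robust to a lost EAP-Success: a peer that never received the newly assigned pseudonym can still present the last-used one, and the lookup matches either slot.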
Generating Authentication Vectors Using A3, A8, and AKA Algorithms
If authentication vectors are not retrieved from a datastore or supplied by an external AuC, they must be generated using the A3 and A8 algorithms for EAP-SIM or the AKA algorithm for EAP-AKA.
GSM A3 and A8 algorithms are used in EAP-SIM. GSM-03.20 specifies the general GSM authentication procedure and the external interface of the A3 and A8 algorithms. The operation of these functions is specific to each network operator. Therefore, the functions are not generalized, but are specified by each operator. The GSM-MILENAGE algorithm, specified publicly in 3GPP-TS-55.205, is an example algorithm set for A3 and A8.
The AKA algorithm can also use the GSM functions that are used to implement the A3 and A8 algorithms.
The A3, A8, and AKA algorithm plug-ins are located in the /opt/aaa/aatv directory by default. The server can use multiple A3/A8/AKA algorithms. You can specify these algorithms in the aaa.config global configuration file, in realm-based configurations, or in a user's profile. For information on how to modify the examples or create your own A3, A8, and AKA algorithm plug-ins, see "Creating Plug-ins for AATVs" (page 454).
3GPP Milenage A3, A8, and AKA Algorithm
An implementation of the 3GPP Milenage A3 and A8 algorithm functions for EAP-SIM authentication and the AKA algorithm for EAP-AKA is included in the server. The 3GPP Milenage A3, A8, and AKA algorithm plug-in module includes configuration parameters that allow it to be customized for a specific operator. The A3, A8, and AKA algorithm names in this plug-in are 3GPP-Milenage.
For more information on the 3GPP Milenage f1, f1*, f2, f3, f4, f5, and f5* algorithms, see the following 3GPP documents:
• 3GPP TS 35.205 v6.0.0 - General Information
• 3GPP TS 35.206 v6.0.0 - Algorithm Specification
• 3GPP TS 35.207 v6.0.0 - Implementors' Test Data
• 3GPP TS 35.208 v6.0.0 - Design Conformance Test Data
• 3GPP TS 35.909 v6.0.0 - Summary and results of design and evaluation
• 3GPP TS 55.205 v6.2.0 - Authentication and Key Generation functions for A3 and A8
The 3GPP Milenage A3/A8/AKA algorithms are based on the following 3GPP Milenage functions: f1(), f1*(), f2(), f3(), f4(), f5(), f5*(). A total of 12 parameters are required to fully specify the function set. Table 17-19 lists the 3GPP Milenage parameters.
Table 17-19 3GPP Milenage Parameters

Parameter   Description
Ek          128-bit kernel function
OP          128-bit operator-specific value
C1-C5       128-bit values used to compute f1, f1*, f2, f3, f4, f5, f5*
R1-R5       Integer rotation constants used to compute f1, f1*, f2, f3, f4, f5, f5*
The Ek kernel function specified by 3GPP Milenage is 128-bit AES (Rijndael).
The 3GPP Milenage A3 algorithm has two variants, corresponding to recommended SRES derivation function #1 and recommended SRES derivation function #2. The A3 function is affected by the choice; the A8 function is not. The selection of A3 variant #1 or #2 constitutes another parameter, A3-Variant. The AKA algorithm is unaffected by this parameter.
The selected parameter values must match the characteristics of the client devices (the SIM or USIM cards) to be authenticated: with a different OP, Ci, Ri, or A3 variant, the server computes a different SRES or RES than the card and authentication always fails.
Table 17-20 lists the configuration parameters available in the aatv.3GPP-Milenage{} block in the aaa.config file.
Table 17-20 Configuration Parameters of aatv.3GPP-Milenage{} Block

Parameter    Description
OP           128-bit operator-specific constant. The OP value must be specified by each operator; Milenage specifies no default value. If not explicitly configured, the default value is 0x00000000.00000000.00000000.00000000. Use of this value generates a warning message in the logfile.
C1           128-bit computation constant. C1 must have even parity. Use of a value with odd parity generates a warning message in the logfile. Milenage specifies the default value. If not explicitly configured, the default value is 0x00000000.00000000.00000000.00000000.
C2           128-bit computation constant. C2 must have odd parity. Use of a value with even parity generates a warning message in the logfile. Milenage specifies the default value. If not explicitly configured, the default value is 0x00000000.00000000.00000000.00000001.
C3           128-bit computation constant. C3 must have odd parity. Use of a value with even parity generates a warning message in the logfile. Milenage specifies the default value. If not explicitly configured, the default value is 0x00000000.00000000.00000000.00000002.
C4           128-bit computation constant. C4 must have odd parity. Use of a value with even parity generates a warning message in the logfile. Milenage specifies the default value. If not explicitly configured, the default value is 0x00000000.00000000.00000000.00000004.
C5           128-bit computation constant. C5 must have odd parity. Use of a value with even parity generates a warning message in the logfile. Milenage specifies the default value. If not explicitly configured, the default value is 0x00000000.00000000.00000000.00000008.
R1           Rotation constant. The valid range is 0 to 127. Milenage specifies the default value. If not explicitly configured, the default value is 64.
R2           Rotation constant. The valid range is 0 to 127. Milenage specifies the default value. If not explicitly configured, the default value is 0.
R3           Rotation constant. The valid range is 0 to 127. Milenage specifies the default value. If not explicitly configured, the default value is 32.
R4           Rotation constant. The valid range is 0 to 127. Milenage specifies the default value. If not explicitly configured, the default value is 64.
R5           Rotation constant. The valid range is 0 to 127. Milenage specifies the default value. If not explicitly configured, the default value is 96.
A3-Variant   Selects Milenage A3 variant #1 or #2 (SRES derivation function #1 or #2). A3-Variant must be 1 or 2. For information on whether an alternative SRES derivation function is required, see “Creating Plug-ins for AATVs” (page 454). The AKA algorithm is unaffected by this parameter. If not explicitly configured, the default value is 1.
NOTE: The (Ci, Ri) pairs must be unique: for i ≠ j, Ci = Cj together with Ri = Rj is not allowed. For instance, C2 = C4 and R2 = R4 is not allowed.
The following is an example of an aatv.3GPP-Milenage block in the aaa.config file:

    aatv.3GPP-Milenage{
        # OP 128-bit operator-specific constant ==> CONFIGURATION RECOMMENDED.
        OP 0x00000000.00000000.00000000.00000000
        # C1 128-bit computation constant ==> CONFIGURATION OPTIONAL.
        C1 0x00000000.00000000.00000000.00000000
        # C2 128-bit computation constant ==> CONFIGURATION OPTIONAL.
        C2 0x00000000.00000000.00000000.00000001
        # C3 128-bit computation constant ==> CONFIGURATION OPTIONAL.
        C3 0x00000000.00000000.00000000.00000002
        # C4 128-bit computation constant ==> CONFIGURATION OPTIONAL.
        C4 0x00000000.00000000.00000000.00000004
        # C5 128-bit computation constant ==> CONFIGURATION OPTIONAL.
        C5 0x00000000.00000000.00000000.00000008
        # R1 rotation constant ==> CONFIGURATION OPTIONAL.
        R1 64
        # R2 rotation constant ==> CONFIGURATION OPTIONAL.
        R2 0
        # R3 rotation constant ==> CONFIGURATION OPTIONAL.
        R3 32
        # R4 rotation constant ==> CONFIGURATION OPTIONAL.
        R4 64
        # R5 rotation constant ==> CONFIGURATION OPTIONAL.
        R5 96
        # A3-Variant algorithm variant ==> CONFIGURATION OPTIONAL.
        A3-Variant 1
    }
18 Configuring HP-UX AAA Server for Scalability and High-Availability
This chapter describes how to configure the HP-UX AAA Server for scalability and high-availability. Starting with the HP-UX AAA Server A.08.01 release, HP-UX AAA Server supports configuring for scalability and high-availability. This chapter discusses the following topics:
• “Overview” (page 273)
• “Scalability and High-Availability Concepts” (page 274)
• “HP-UX AAA Server Deployment for Scalability and High-Availability” (page 274)
• “Managing Multiple HP-UX AAA Servers For Scalability and High-Availability” (page 276)
• “Disaster Recovery of the HP-UX AAA Server Manager” (page 289)
Overview
The HP-UX AAA Server is scalable and highly available to meet the current and future requirements of an organization. Scalability is achieved by supporting multiple HP-UX AAA Servers on the same host, and high-availability is achieved by supporting cloned HP-UX AAA Servers on the same or different hosts.
With a single HP-UX AAA Server, scaling up system resources may not be sufficient to meet the scalability requirements of the organization. The HP-UX AAA Server supports running multiple HP-UX AAA Servers on a single host, ensuring optimum utilization of system resources. Organizations can deploy load balancers to distribute load across the HP-UX AAA Servers, which provides scalability and enhances the performance of the solution. If one HP-UX AAA Server fails or is taken down for maintenance, client requests can be processed by the other HP-UX AAA Servers running on the host. This provides high availability of the solution on a single host.
Although multiple HP-UX AAA Servers on a single host provide scalability, high availability, and enhanced performance, if the host crashes, all the HP-UX AAA Servers on the host fail and the AAA services are not available to clients. Therefore, it is advantageous to clone the HP-UX AAA Servers on one or more additional hosts. If the primary HP-UX AAA Server fails, the cloned HP-UX AAA Servers serve as backups, providing a highly available solution. Organizations can deploy load balancers to distribute load across the HP-UX AAA Servers on a single host or on multiple hosts.
The HP-UX AAA Server supports disaster recovery of the HP-UX AAA Server Manager, which is used for configuration and administration. If the host running the HP-UX AAA Server Manager crashes, a set of configuration files must be restored, after which the HP-UX AAA Server Manager can be started on the same or a different host.
Scalability and High-Availability Concepts
This section describes the scalability and high-availability concepts. It discusses the following topics:
• “Grouping HP-UX AAA Servers” (page 274)
• “HP-UX AAA Server Attributes” (page 274)
Grouping HP-UX AAA Servers
To manage multiple HP-UX AAA Servers on a single host or on multiple hosts with ease, the HP-UX AAA Server Manager supports configuring and administering groups of HP-UX AAA Servers. Using this functionality, you can logically group related HP-UX AAA Servers that are used for similar purposes, whether they are present on a single host or on multiple hosts. Each group is associated with a group name, and each HP-UX AAA Server within a group is associated with a server name.
Typically, groups contain cloned HP-UX AAA Servers or administration-related HP-UX AAA Servers, although this is not a restriction. In a group with cloned HP-UX AAA Servers, each HP-UX AAA Server is a clone of the primary HP-UX AAA Server in the group. Groups with cloned HP-UX AAA Servers are created while deploying a scalable and highly available solution. In a group with administration-related servers, each HP-UX AAA Server performs a function such as authentication, accounting, or dynamic authorization, so that administration tasks such as starting, stopping, and reloading the HP-UX AAA Servers in the group can be done with ease.
NOTE: At a given time, you can use the HP-UX AAA Server Manager to administer servers belonging to a single group only.
HP-UX AAA Server Attributes
The HP-UX AAA Servers running on a host are independent of each other. Each server is identified by a server name and by the IP address or the name of the host on which the server is running. Each server must be assigned a set of server attributes, such as Listen IP Address, Authentication Port Number, Accounting Port Number, Dynamic Authorization Port Number, Configuration Directory Path, and Log File Directory Path. Every combination of the Listen IP Address and any of the port numbers (Authentication, Accounting, and Dynamic Authorization) must be unique across all the servers managed by the HP-UX AAA Server Manager.
HP-UX AAA Server Deployment for Scalability and High-Availability
Figure 18-1 illustrates multiple HP-UX AAA Servers on a host (Host 1) for greater scalability and clones of servers on the same and different hosts (Host 2 and Host 3) for high-availability.
Figure 18-1 HP-UX AAA Server Deployment for Scalability and High-Availability
In Figure 18-1, the HP-UX AAA Server Manager manages multiple HP-UX AAA Servers on three remote hosts (Host 1, Host 2, and Host 3). Each remote host is running more than one HP-UX AAA Server. Running multiple HP-UX AAA Servers on the same host ensures better utilization of system resources, thus ensuring greater scalability. Running cloned HP-UX AAA Servers belonging to a single group on multiple hosts provides high-availability of the AAA services.
For easier management of the HP-UX AAA Servers, each server is associated with a group. In the given example, the HP-UX AAA Server Manager manages three groups, called Group A, Group B, and Group C, denoted by red, blue, and green respectively. The servers in Group A and Group C are named S1, S2, and S3, and the servers in Group B are named S1, S2, S3, and S4.
Group A is a group of three HP-UX AAA Servers, S1, S2, and S3, running on the same host, Host 1. These servers utilize the system resources of Host 1 effectively, thus providing a scalable solution. By employing load balancers, if one of the HP-UX AAA Servers on Host 1 (for example, S2) is less loaded than the other HP-UX AAA Servers on Host 1, new client requests can be directed to HP-UX AAA Server S2 to ensure that the load is evenly balanced. Therefore, client requests are processed faster, providing the desired optimum performance.
Group B is a group of four HP-UX AAA Servers: S1 and S2 running on Host 2, and S3 and S4 running on Host 3. HP-UX AAA Servers S1 and S3 are cloned servers providing authentication services, and S2 and S4 are cloned servers providing accounting services. If an HP-UX AAA Server (S1 or S2) crashes, the cloned server (S3 or S4) can service the clients' requests, thereby ensuring high-availability of the solution. If Host 2 crashes, the HP-UX AAA Servers S1 and S2 are not available to service the client requests, but the cloned servers S3 and S4 can service them, thereby ensuring high-availability of the solution.
Group C is a group of three HP-UX AAA Servers, S1, S2, and S3, running on Host 2 and Host 3. HP-UX AAA Server S1 provides authentication services and S2 provides accounting services on Host 3, while S3 provides both authentication and accounting services on Host 2. S1 and S2 are the primary servers running on Host 3, addressing scalability, and S3 is a hybrid of S1 and S2, providing a backup to address high-availability.
NOTE: In the given example, only one port number is used per HP-UX AAA server.However, multiple port numbers such as authentication, accounting, dynamicauthorization ports, can be used for each HP-UX AAA Server.
Managing Multiple HP-UX AAA Servers For Scalability and High-Availability
This section describes how to manage multiple HP-UX AAA Servers. It discusses the following topics:
• “Administering HP-UX AAA Servers Using HP-UX AAA Server Manager” (page 276)
• “Administering HP-UX AAA Servers Using HP-UX AAA Server Admin Tool (Command Line)” (page 287)
Administering HP-UX AAA Servers Using HP-UX AAA Server Manager
This section describes how to configure servers and groups using the HP-UX AAA Server Manager.
The Default (Server Connections) group, including a server called localhost, is present by default. This group is compatible with the Server Connections present in releases earlier than HP-UX AAA Server A.08.01. All Server Connections managed by the HP-UX AAA Server Manager in earlier versions of the HP-UX AAA Server are moved to the Default (Server Connections) group during migration. If you do not want to create new groups for scalability and high-availability, you can continue to create HP-UX AAA Servers belonging to this group.
The section also describes how to administer the HP-UX AAA Servers using the HP-UX AAA Server Manager. The section discusses the following topics:
• “Logging In” (page 277)
• “Adding a Group” (page 278)
• “Modifying a Group” (page 279)
• “Deleting a Group” (page 279)
• “Adding a Server” (page 280)
• “Modifying a Server” (page 284)
• “Deleting a Server” (page 284)
• “Cloning a Server” (page 284)
NOTE: You can also perform other administration tasks, such as, Start, Stop, andReload the HP-UX AAA Server using the HP-UX AAA Server Manager. For moreinformation on how to perform the tasks using HP-UX AAA Server Manager, seeChapter 4 (page 71).
Logging In
To log in to HP-UX AAA Server Manager, complete the following steps:
1. Enter the following URL:
http://<system name>:<port number>/aaa
Replace system name and port number with appropriate values.
NOTE: The URL above uses plain HTTP, so the username and password entered in the next step would cross the network in clear text. For secure remote Server Manager administration, see “Using Secure Socket Layer (SSL) for Secured Remote Server Manager Administration” (page 64).
2. Enter the username and password.
The HP-UX AAA Server Manager Administration page is displayed. Click Server Connections in the left panel. The Groups and Server Connections tables are displayed, as shown in Figure 18-2.
Figure 18-2 Server Connections
Adding a Group
To add a group using the HP-UX AAA Server Manager, complete the following steps:
1. Click Server Connections on the top left window.
2. Click New Group under Groups in the right window. The Add Group page is displayed, as shown in Figure 18-3.
Figure 18-3 Adding a Group
3. Enter the name of the group in the Name field and click Create.A new group is created. Figure 18-4 displays a sample group name, called group1.
Figure 18-4 Sample Group Created
Modifying a Group
To modify a group name, complete the following steps:
1. Click Server Connections on the top left window.
2. Select the group you want to modify in the drop-down menu, under Select a group for administration.
3. Click against the group. The Groups: Modify Group window is displayed, as shown in Figure 18-5.
Figure 18-5 Modify Group
4. Enter the new name and click Modify. The name of the group is modified.
Deleting a Group
To delete a group, complete the following steps:
1. Click Server Connections on the top left window.
2. Select the group you want to delete in the drop-down menu, under Select a group for administration.
3. Click against the group and confirm.
The group is deleted.
Adding a Server
To add a server to a group, complete the following steps:
1. Click Server Connections on the top left window.
2. Select the group in the drop-down menu to which you want to add the server, under Select a group for administration.
3. Click New Server under Servers. The Servers: Add Server page is displayed, as shown in Figure 18-6.
Figure 18-6 Adding a Server
4. Enter the values of the server attributes. Table 18-1 describes the server-specific fields.
Table 18-1 Server Attributes

Option                            Description
Authentication                    Port number to listen to authentication requests. The default Authentication port number is 1812.
Accounting                        Port number to listen to accounting requests. The default Accounting port number is 1813.
Dynamic Authorization             Specifies the UDP port number to listen for Dynamic Authorization requests. The default port number is 3799.
Authentication Relay              Port number to relay authentication requests. This option is useful when proxying requests to an HP-UX AAA server that is not listening on the default port.
Accounting Relay                  Port number to relay accounting requests. This option is useful when proxying requests to an HP-UX AAA server that is not listening on the default port.
Client                            Specifies the local UDP port number to which the Client AATV binds to listen for incoming client replies. This field is optional. If no value is entered, the HP-UX AAA Server uses any available port.
Debug Level                       Specifies the debug level. Higher levels write more information to the radius.debug file. Increasing this value can cause performance to decline. The default value is 0.
Log Control                       Specifies the level of information logged based on the RADIUS message type.
Reset Logfile                     Empties the logfile and debug file when the server is started.
Reset Session Table               Empties the stored session table at server startup.
                                  IMPORTANT: This option is only intended for experimental use or testing and not for a live production server. If you reset a production server, the server loses track of the sessions that are still active.
Timeout                           Specifies the timeout value in seconds. The default value is five seconds.
Number of Retries                 Specifies the number of retries to retrieve the status of the server. The default value is three.
Bin Directory                     Specifies the directory where the HP-UX AAA Server binaries are located. The default directory is /opt/aaa/bin.
Aatv Directory                    Specifies the directory where the AATV libraries are located. The default directory is /opt/aaa/aatv.
Config Directory                  Specifies the directory where the configuration files are located. The default directory is /etc/opt/aaa.
Log Directory                     Specifies the directory where the log and debug files are located. The default directory is /var/opt/aaa/logs.
IPC Directory                     Specifies the directory where the files generated for shared memory operation are located. The default directory is /var/opt/aaa/ipc.
Livingston Accounting Directory   Specifies the directory where the Livingston style accounting log files are located. The default directory is /var/opt/aaa/radacct.
Accounting Directory              Specifies the directory where Merit style accounting log files (session logs) are located. The default directory is /var/opt/aaa/acct.
Data Directory                    Specifies the directory where the active session file (session.las) is located. The default directory is /var/opt/aaa/data.
Run Directory                     Specifies the directory where the server's process id file (radiusd.pid) is located. The default directory is /var/opt/aaa/run.
Current Directory                 Sets the current working directory. This option can be used to determine the location of system-generated files, such as core files.
NOTE: If the Listen IP address is not specified, all addresses configured on the host are considered.
Default Authentication, Accounting, and Dynamic Authorization port values are displayed. However, you can modify those values, if required.
The following conditions must be considered while configuring the server attributes:
• The combination of the Listen IP address and the Administration port values must be unique.
• The combination of the server name and the group name must be unique.
• The Name and Domain Name or IP Address fields are mandatory. Some server attributes are optional or set to take default values.
• If some of the optional server attributes are not configured, the corresponding global configuration values are considered.
• The following values cannot be shared between multiple servers on a single host:
— Run directory path, which includes the radiusd.pid file. The radiusd.pid file contains the Process ID (PID) of the HP-UX AAA Server.
— Logs directory path containing the log file that is used for maintenance and statistics.
— Accounting directory path containing the accounting log files that are used for maintenance and statistics.
— Data directory path containing the currently active sessions that are used for maintenance and statistics.
— IPC directory path containing the shared memory files required for proper operation of the HP-UX AAA server.
The HP-UX AAA Server Manager requires the RMI Server on the respective host to validate the server attributes. Therefore, the RMI Server on the respective host must be running to validate the configured server attributes.
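The following Go program is an added example and is not part of the HP-UX AAA Server Manager, which performs this validation through the RMI Server. It encodes the conditions above so that a planned deployment can be checked before any server is created: group/name combinations must be unique, no two servers on one host may listen on the same address and port (an unspecified Listen IP counts as every address on the host, so it clashes with any specific address on that port), and the run, log, accounting, data and IPC directories may not be shared between servers on one host, with the Table 18-1 defaults filled in where a directory is left unset. The Server type, its field names, and the host and server names in main() are the example's own constructions.

```go
package main

import (
	"fmt"
	"sort"
)

// Server carries the Table 18-1 attributes that the uniqueness rules depend on. An empty Listen
// means the server listens on every address of its host; an empty directory takes the Table 18-1 default.
type Server struct {
	Group, Name, Host, Listen       string
	AuthPort, AcctPort, DynAuthPort int // 0 means the port is not used
	Run, Logs, Acct, Data, IPC      string
}

type attr struct{ kind, value string }

// dirs lists the directories that must not be shared between servers on one host, defaults applied.
func (s Server) dirs() []attr {
	return []attr{
		{"Run", orDefault(s.Run, "/var/opt/aaa/run")},
		{"Logs", orDefault(s.Logs, "/var/opt/aaa/logs")},
		{"Accounting", orDefault(s.Acct, "/var/opt/aaa/acct")},
		{"Data", orDefault(s.Data, "/var/opt/aaa/data")},
		{"IPC", orDefault(s.IPC, "/var/opt/aaa/ipc")},
	}
}

func orDefault(v, def string) string {
	if v == "" {
		return def
	}
	return v
}

type portAttr struct {
	kind string
	port int
}

func (s Server) ports() []portAttr {
	return []portAttr{{"Authentication", s.AuthPort}, {"Accounting", s.AcctPort}, {"Dynamic Authorization", s.DynAuthPort}}
}

type listener struct{ id, listen, kind string }

// Check applies the conditions from the Adding a Server note: unique group/name, no two
// listeners on the same host address and port (an unspecified Listen covers all addresses),
// and no shared run, log, accounting, data or IPC directory between servers on one host.
func Check(servers []Server) []string {
	var problems []string
	seenName := map[string]bool{}
	listeners := map[string][]listener{} // host:port -> servers bound there
	dirOwner := map[string]string{}      // host:dir -> first server using it
	for _, s := range servers {
		id := s.Group + "/" + s.Name
		if seenName[id] {
			problems = append(problems, fmt.Sprintf("%s: server name is not unique within group %s", id, s.Group))
		}
		seenName[id] = true
		for _, p := range s.ports() {
			if p.port == 0 {
				continue
			}
			key := fmt.Sprintf("%s:%d", s.Host, p.port)
			for _, l := range listeners[key] {
				if l.listen == "" || s.Listen == "" || l.listen == s.Listen {
					problems = append(problems, fmt.Sprintf("%s: %s port %d on host %s clashes with %s (%s)", id, p.kind, p.port, s.Host, l.id, l.kind))
				}
			}
			listeners[key] = append(listeners[key], listener{id, s.Listen, p.kind})
		}
		for _, d := range s.dirs() {
			key := s.Host + ":" + d.value
			if owner, taken := dirOwner[key]; taken && owner != id {
				problems = append(problems, fmt.Sprintf("%s: %s directory %s on host %s is already used by %s", id, d.kind, d.value, s.Host, owner))
			} else if !taken {
				dirOwner[key] = id
			}
		}
	}
	sort.Strings(problems)
	return problems
}

func main() {
	servers := []Server{ // constructed deployment: S1 takes all defaults, S2 overlaps with it
		{Group: "groupA", Name: "S1", Host: "host1", AuthPort: 1812, AcctPort: 1813},
		{Group: "groupA", Name: "S2", Host: "host1", Listen: "10.0.0.2", AuthPort: 1812, AcctPort: 1823},
	}
	for _, p := range Check(servers) {
		fmt.Println(p)
	}
}
```

main() reports six problems for the constructed pair: S2 reuses port 1812 while S1 listens on every address of host1, and S2 has inherited all five default directories that S1 already owns. Giving S2 its own directories and a free port, or moving it to another host, clears them.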
5. Click Create.
The server is created.
NOTE: Selecting Save the above Server Attributes to the configured server (specified in the 'Domain Name' field) on clicking the 'Create' button saves the server attributes to the server. You must perform this step to enable the HP-UX AAA Server Admin Tool for administration tasks. For more information on the HP-UX AAA Server Admin Tool, see “Administering HP-UX AAA Servers Using HP-UX AAA Server Admin Tool (Command Line)” (page 287).
Modifying a Server
To modify the attributes of a server, complete the following steps:
1. Click Server Connections on the top left window.
2. Select the group in the drop-down menu to which the server belongs, under Select a group for administration.
3. Click against the server you want to modify.
4. Modify the server attributes and click Modify.
The server attributes are modified.
NOTE: Selecting Save Server Attributes to the configured server (specified in the'Domain Name or IP Address' field) on clicking the 'Modify' button saves the serverattributes to the server. You must perform this step to enable the HP-UX AAA ServerAdmin Tool for administration tasks. For more information on HP-UX AAA ServerAdmin Tool, see “Administering HP-UX AAA Servers Using HP-UX AAA ServerAdmin Tool (Command Line)” (page 287).
Deleting a Server
To delete a server, complete the following steps:
1. Click Server Connections on the top left window.
2. Select the group in the drop-down menu to which the server belongs, under Select a group for administration.
3. Click against the server you want to delete.
The server is deleted.
Cloning a Server
Cloning a server copies the configuration files of one server to another. The cloning operation lets servers that share a common configuration be maintained as backup servers for high-availability. The following example illustrates how the configuration files of server2 are cloned to server1 within a group.
NOTE: To perform a cloning operation, the target server must already exist withconfigured values. After the successful completion of the cloning operation, the sourceand the target servers will have the same configuration files.You can reduce the time required to load a configuration from a HP-UX AAA Serveror to save a configuration to multiple HP-UX AAA Servers by using the Secure CopyProtocol (scp). For more information on scp, see “Enhancing Loading and SavingPerformance Using Secure Copy Protocol”.
To clone server2 on server1, complete the following steps:
1. Click Server Connections on the top left window.
2. Select the group in the drop-down menu to which the server belongs, under Select a group for administration.
3. Click Load Configuration on the left window. The Load Configuration page is displayed, as shown in Figure 18-7.
Figure 18-7 Selecting the Server for Loading
4. Select the HP-UX AAA Server whose configuration files you want to clone, and click Load. When the loading operation is completed, a message is displayed, as shown in Figure 18-8.
Figure 18-8 Loading Configuration Completed
5. Modify the configuration files using the options under Edit Configuration in theleft window, if required.
6. Click Save Configuration in the left window. The list of servers in the group isdisplayed, as shown in Figure 18-9.
Figure 18-9 Cloning Server
7. Select the target server, and click Save. The configuration files and the server attributes are copied to the selected servers.
NOTE: Selecting server2 and server1 ensures that the modified configurationfiles are saved on both servers.If you want to save only the server attributes and not the configuration files, selectSave Server Attributes only.Select Save Server Attributes only to enable administration using HP-UX AAAServer Admin Tool.
When the files are saved, a message is displayed, as shown in Figure 18-10.
Figure 18-10 Saving Configuration
server1 is now a clone of server2.
NOTE: Although loading and saving configurations are required to clone HP-UXAAA Servers, you can perform those tasks independently, without associating themwith cloning.To perform any administration tasks, such as loading, saving, and maintenance, youmust select the servers within the group that is administered.
Administering HP-UX AAA Servers Using HP-UX AAA Server Admin Tool (Command Line)
You can administer the HP-UX AAA Servers running on a host using HP-UX AAAServer Admin Tool (rad_admin). However, you must save the server attributes usingHP-UX AAA Server Manager on the host where you want to manage the servers usingHP-UX AAA Server Admin Tool.
rad_admin Syntax
/opt/aaa/bin/rad_admin.sh [-config config_dir] [start|stop|reload|status|list server_list]
Table 18-2 describes all the rad_admin options.
Table 18-2 rad_admin Options

Option               Description
-config config_dir   Directory path where the file rmiserver.properties is located. If omitted, the default is /opt/aaa/remotecontrol/rmiserver.properties.
start server_list    Starts the HP-UX AAA Servers specified in server_list.
stop server_list     Stops the HP-UX AAA Servers specified in server_list.
reload server_list   Reloads the HP-UX AAA Servers specified in server_list.
status server_list   Retrieves the status of the HP-UX AAA Servers specified in server_list.
list server_list     Lists the PIDs of the HP-UX AAA Servers specified in server_list.
NOTE: server_list takes one of the forms all | groupname:all ... | groupname:list ... and denotes the HP-UX AAA Servers to be administered. To select all the HP-UX AAA Servers on the local host, use the keyword all. To select all the HP-UX AAA Servers within a group, specify the group name followed by the keyword all, as <groupname>:all. To select a specific set of HP-UX AAA Servers within a group, specify <groupname>:<list>, where list is a list of HP-UX AAA Server names separated by commas. To select servers from multiple groups, repeat this form for each group and separate the entries with spaces, as <groupname1>:<list1> <groupname2>:<list2>.
Examples of Administering Multiple HP-UX AAA Servers
Following is an example to start all the HP-UX AAA Servers of all the groups on a host:
# /opt/aaa/bin/rad_admin.sh start all
Following is an example to stop server1 and server2 belonging to group1:
# /opt/aaa/bin/rad_admin.sh stop group1:server1,server2
Following is an example to reload server1 and server2 belonging to group1 and server3 and server4 belonging to group2:
# /opt/aaa/bin/rad_admin.sh reload group1:server1,server2 group2:server3,server4
Following is an example to retrieve the status of all the servers belonging to group1:
# /opt/aaa/bin/rad_admin.sh status group1:all
NOTE: You must save the HP-UX AAA Server attributes on the respective server touse HP-UX AAA Server Admin tool.
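As an added example, and not the rad_admin code itself, the following Go program parses the server_list grammar described above and resolves it against an inventory of groups and servers, so that a mistyped group or server name is rejected before a start, stop or reload is issued to the wrong servers. The inventory map and all group and server names are hypothetical; the real tool takes the inventory from the attributes saved by the HP-UX AAA Server Manager.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Selection is one parsed server_list entry. Group "" with All set is the bare "all" keyword.
type Selection struct {
	Group   string
	Servers []string // nil when All is set
	All     bool
}

// ParseServerList parses the rad_admin grammar  all | groupname:all ... | groupname:list ...
// Entries are space-separated arguments; a list is server names separated by commas.
func ParseServerList(args []string) ([]Selection, error) {
	var out []Selection
	for _, arg := range args {
		if arg == "all" { // every server on the local host; cannot be mixed with group entries
			if len(args) != 1 {
				return nil, fmt.Errorf(`"all" cannot be combined with other entries`)
			}
			return []Selection{{All: true}}, nil
		}
		parts := strings.SplitN(arg, ":", 2)
		if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
			return nil, fmt.Errorf("%q: expected groupname:all or groupname:server[,server...]", arg)
		}
		sel := Selection{Group: parts[0]}
		if parts[1] == "all" {
			sel.All = true
		} else {
			for _, name := range strings.Split(parts[1], ",") {
				if name == "" || name == "all" {
					return nil, fmt.Errorf("%q: empty or reserved server name in list", arg)
				}
				sel.Servers = append(sel.Servers, name)
			}
		}
		out = append(out, sel)
	}
	return out, nil // nil when no server_list was given (rad_admin then enters interactive mode)
}

// Resolve expands selections against the host's inventory (group -> server names) into sorted,
// de-duplicated "group:server" targets, rejecting unknown groups or servers before anything runs.
func Resolve(sels []Selection, inventory map[string][]string) ([]string, error) {
	targets := map[string]bool{} // group1:all group1:server1 would otherwise list server1 twice
	for _, sel := range sels {
		groups := []string{sel.Group}
		if sel.Group == "" { // bare "all": every group on this host
			groups = groups[:0]
			for g := range inventory {
				groups = append(groups, g)
			}
		}
		for _, g := range groups {
			names, ok := inventory[g]
			if !ok {
				return nil, fmt.Errorf("unknown group %q", g)
			}
			known := map[string]bool{}
			for _, n := range names {
				known[n] = true
			}
			wanted := sel.Servers
			if sel.All {
				wanted = names
			}
			for _, n := range wanted {
				if !known[n] {
					return nil, fmt.Errorf("no server %q in group %q", n, g)
				}
				targets[g+":"+n] = true
			}
		}
	}
	out := make([]string, 0, len(targets))
	for target := range targets {
		out = append(out, target)
	}
	sort.Strings(out)
	return out, nil
}

func main() {
	inventory := map[string][]string{"group1": {"server1", "server2"}, "group2": {"server3", "server4"}} // constructed
	sels, err := ParseServerList([]string{"group1:server1,server2", "group2:all"})
	if err != nil {
		fmt.Println(err)
		return
	}
	fmt.Println(Resolve(sels, inventory)) // [group1:server1 group1:server2 group2:server3 group2:server4] <nil>
}
```

The parser rejects a bare all mixed with group entries, an empty name produced by a trailing comma, and a server literally named all, which the grammar reserves as a keyword; Resolve then refuses to act on a group or server that the inventory does not know, which is the check that keeps a typo in a stop or reload command from silently doing nothing or hitting the wrong group.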
Administering HP-UX AAA Servers Using Interactive User Interface
This section describes how to administer the HP-UX AAA Servers using the interactive user interface. If none of the CLI options are specified, an interactive user interface is invoked.
To administer multiple HP-UX AAA Servers using the interactive interface, complete the following steps:
1. Log in to the system running the HP-UX AAA Server.
2. To start the HP-UX AAA Server Admin Tool in interactive mode, enter the following command at the HP-UX prompt:
# /opt/aaa/bin/rad_admin.sh
The interactive mode starts.
3. Enter the group ID.
4. Enter the HP-UX AAA Server ID.
5. Specify the operation you want to perform.
The operation starts.
NOTE: It is recommended that you use the HP-UX AAA Server Manager to managemultiple HP-UX AAA Servers. For more information on how to perform the tasks usingHP-UX AAA Server Manager, see “Administering HP-UX AAA Servers Using HP-UXAAA Server Manager” (page 276).
Disaster Recovery of the HP-UX AAA Server Manager
The HP-UX AAA Server supports disaster recovery of the HP-UX AAA Server Manager. If the host running the HP-UX AAA Server Manager crashes due to system failure, the HP-UX AAA Server Manager can be restored on the same or a different host. You must back up a set of HP-UX AAA Server Manager configuration files periodically and restore them on the host where you want to launch the HP-UX AAA Server Manager.
To perform the disaster recovery of the HP-UX AAA Server Manager, complete the following steps:
1. Deploy the AAA solution using HP-UX AAA Server Manager.
2. To back up the HP-UX AAA Server Manager configuration files from the host running the HP-UX AAA Server Manager to a backup host, enter the following command at the HP-UX prompt:
   1. scp /opt/hpws22/tomcat/webapps/aaa/aaalog/groups.config \
          /opt/hpws22/tomcat/webapps/aaa/aaalog/AU.radhosts \
          /opt/hpws22/tomcat/webapps/aaa/WEB-INF/gui.properties \
          <user-account>@<backup-host>:/<backup-path>
      where the variables are described as follows:
      • <backup-host> - host on which the configuration files are backed up
      • <backup-path> - location on the <backup-host> to store the configuration files
      • <user-account> - the user account with privileges to store files under <backup-path> on the <backup-host>
   2. Enter the password for the <user-account> on the <backup-host>, if prompted.
   The configuration files are now available in the desired path <backup-path> on the <backup-host>.
NOTE: These HP-UX AAA Server Manager configuration files must be backedup periodically whenever there is a change in the Administration Start Options,Administration Status Options, HP-UX AAA Server attributes and Groupsconfiguration.
3. Restore the configuration files from the <backup-host>, where the configurationfiles are backed up to the host identified to launch the HP-UX AAA Server Manager,as follows:1. Log in to the host identified to launch the HP-UX AAA Server Manager.2. Enter the following command at the HP-UX prompt:
scp <user-account>@<backup-host>:/<backup-path>/groups.config\<user-account>@<backup-host>:/<backup-path> \/AU.radhosts /opt/hpws22/tomcat/webapps/aaa/aaalog/
3. Enter the password for the <user-account> on the remote host<backup-host>, if prompted.
4. Enter the following command at the HP-UX prompt:scp <user-account>@<backup-host>:/<backup-path>/gui.properties\/opt/hpws22/tomcat/webapps/aaa/WEB-INF/gui.properties
5. Enter the password for the <user-account> on the <backup-host>, ifprompted.
The HP-UX AAA Server Manager configuration files are recovered from the backuplocation. You can start the HP-UX AAA Server Manager on the host where thefiles are recovered, to manage the HP-UX AAA Servers.
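The following Python script is added here as an illustration; it is not part of the HP-UX AAA Server Manager. It backs up the three configuration files named in the procedure above together with a manifest of SHA-256 digests, and verifies every restored file against that manifest, so that a corrupted or incomplete backup is detected before the HP-UX AAA Server Manager is started on the recovery host. It copies within the local file system where the procedure uses scp between hosts; the scratch directory and the file contents created in demo() are constructed for the example.

```python
import hashlib
import json
import os
import shutil
import tempfile

# Files named in the disaster-recovery procedure (paths from the guide).
CONFIG_FILES = [
    "/opt/hpws22/tomcat/webapps/aaa/aaalog/groups.config",
    "/opt/hpws22/tomcat/webapps/aaa/aaalog/AU.radhosts",
    "/opt/hpws22/tomcat/webapps/aaa/WEB-INF/gui.properties",
]
MANIFEST = "manifest.json"


def sha256_of(path):
    """SHA-256 digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def backup(files, backup_dir):
    """Copy each file into backup_dir (standing in for <backup-path> on <backup-host>)
    and record its SHA-256 digest in a manifest. Returns {source path: digest}."""
    os.makedirs(backup_dir, exist_ok=True)
    manifest = {}
    for src in files:
        shutil.copy2(src, os.path.join(backup_dir, os.path.basename(src)))
        manifest[src] = sha256_of(src)
    with open(os.path.join(backup_dir, MANIFEST), "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)
    return manifest


def restore(backup_dir, target_root=""):
    """Copy the files back to their original paths (prefixed with target_root so the
    example can restore into a scratch tree) and verify each against the manifest.
    Returns {restored path: True if the digest matched, else False}."""
    with open(os.path.join(backup_dir, MANIFEST)) as f:
        manifest = json.load(f)
    verified = {}
    for orig, expected in manifest.items():
        dst = target_root + orig
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        shutil.copy2(os.path.join(backup_dir, os.path.basename(orig)), dst)
        verified[dst] = sha256_of(dst) == expected
    return verified


def demo():
    """Constructed run in a scratch directory: back up, restore and verify, then
    corrupt one backed-up copy and show that verification flags it.
    Returns (all clean files verified, names of files that failed after tampering)."""
    root = tempfile.mkdtemp()
    sources = []
    for path in CONFIG_FILES:
        src = root + "/src" + path
        os.makedirs(os.path.dirname(src), exist_ok=True)
        with open(src, "w") as f:
            f.write("# constructed content for " + os.path.basename(path) + "\n")
        sources.append(src)
    backup_dir = root + "/backup"
    backup(sources, backup_dir)
    clean = restore(backup_dir, root + "/restore1")
    with open(os.path.join(backup_dir, "gui.properties"), "a") as f:
        f.write("tampered=true\n")          # simulate a corrupted backup copy
    tampered = restore(backup_dir, root + "/restore2")
    shutil.rmtree(root)
    return all(clean.values()), [os.path.basename(p) for p, ok in tampered.items() if not ok]
```

The manifest travels with the backup; on the recovery host, restore() refuses nothing but reports which files no longer match, which is the check to run before launching the HP-UX AAA Server Manager.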
19 Configuring the HP-UX AAA Server for Client Functionality

This chapter describes the client functionality of the HP-UX AAA Server. The chapter discusses the following topics:

• “Overview” (page 291)
• “CLIENT AATV” (page 292)
• “Supported APIs” (page 294)

Overview

Currently, the HP-UX AAA Server works in the server mode. It receives requests from clients, processes them, and sends out appropriate responses, based on the request type. However, under some circumstances, it is desirable for the HP-UX AAA Server to perform client functions. This functionality involves the ability to send HP-UX AAA Server-initiated messages and assimilate responses. For example, it is advantageous to have the HP-UX AAA Server disconnect sessions or change session characteristics in real time, by sending Disconnect and Change-Of-Authorization (CoA) requests. Therefore, starting with the HP-UX AAA Server A.08.01 release, the HP-UX AAA Server also performs certain client functionalities.

To perform the client functionalities, a generic framework is included. You can use the framework to generate client messages for different scenarios. The framework consists of the following components:

• CLIENT AATV — The CLIENT AATV is a generic AATV, which you can use to generate requests at configured intervals. These requests are empty requests. Using other AATVs, you can enter the fields of these empty requests with the required values. For example, you can use the SQL Access AATV to enter values in the required fields, based on the information stored in a database table, such as the session table.

• APIs in the Software Development Kit (SDK) — Some APIs are included in the SDK to set the fields in the client requests. These APIs can be used in custom AATVs or in SQL Access mapping and conversion functions to set the fields of the empty requests generated by the CLIENT AATV.

• Finite State Machine (FSM) — Using the FSM, you can control how the HP-UX AAA Server processes a client request.

• Advanced Policy — Using the Advanced Policy module, you can make complex policy decisions during the processing of a client request.

This chapter discusses the framework that the HP-UX AAA Server uses to perform client functions. For more information on reference implementations of this framework to perform dynamic authorization, see Chapter 20 (page 297).
CLIENT AATV

This section describes how to configure the CLIENT AATV and how the CLIENT AATV works.

Configuring CLIENT AATV

The CLIENT AATV is a generic AATV, which you can use to generate empty RADIUS requests at specified intervals. You can use these RADIUS requests to perform the required client functions. You must configure the CLIENT AATV in the aatv.CLIENT block within the aaa.config file. You can configure multiple CLIENT actions in the aatv.CLIENT block. Each CLIENT action generates requests at configured time intervals, which can be used to perform a particular client function. The syntax of the aatv.CLIENT block parameters is as follows:

aatv.CLIENT {
    <action name>.client_timer_value <time interval>
    <action name>.client_max_requests <value>
}

The parameters are described as follows:

action name – A string used to identify an action.
time interval – Specifies how frequently (in seconds) client requests must be generated for an action.
value – Specifies the maximum number of requests that must be spawned each time this client action is invoked.

Following is an example of the aatv.CLIENT block within the aaa.config file:

aatv.CLIENT {
    Disconnect.client_timer_value 1
    Disconnect.client_max_requests 10
}

In the given example, the client action is called Disconnect. Requests are generated every second for Disconnect. Also, the CLIENT AATV generates a maximum of 10 requests per second for Disconnect.
Working of the CLIENT AATV

For each configured client action, based on the configured time interval, the timer function of the CLIENT AATV generates an empty RADIUS request and places it in the initial state of the FSM. The sequence of steps involved in the processing of this empty request through the FSM is as follows:

1. One or more AATVs are invoked, which enter values in the required fields of the empty RADIUS request generated by the CLIENT AATV. For example, you can invoke the SQL Access AATV to enter values based on the information stored in a database table.

2. The CLIENT AATV is invoked through the FSM, and the action function of the CLIENT AATV is executed. The action function of the CLIENT AATV performs two major functions. One, it places the current client request in the message queue for client messages. Two, it generates another empty RADIUS request and places it in the initial state of the FSM. Similarly, new client requests are generated and placed in the message queue successively, thereby resulting in a loop. You can configure the number of new client requests that must be generated by specifying the value in the client_max_requests field of the aatv.CLIENT block, within the aaa.config file.

3. After the client requests are assigned values, they are sent to the target host by the ReplySend AATV. Subsequently, the request waits for a response. If the request times out, it is retransmitted based on the configured retransmission interval and the maximum number of retransmissions.

4. One or more AATVs are invoked to perform the post-processing action. For example, the SQL Access AATV can be invoked to modify the database table based on the response received.

Figure 19-1 illustrates the working of the client functionality.
Figure 19-1 CLIENT AATV Flowchart
Supported APIs

This section lists the Application Programming Interfaces (APIs) included in the Software Development Kit (SDK) to support the client functionality. New APIs are included or existing APIs are modified to support the client functionality. Table 19-1 describes the APIs supporting the client functionality.

Table 19-1 APIs Supporting Client Functionality

API                     Description
sdk_authreq_allocate    Generates a new request.
sdk_authreq_free        Frees the memory allocated for the request.
sdk_set_authreq_info    Sets the various fields in the request.
sdk_enqueue_authreq     Enqueues a request in a message queue.

For more information on the supported APIs, see “APIs in the HP-UX AAA Server SDK” (page 579).
For more information on the Finite State Machine (FSM), see Chapter 26 (page 396). For more information on the Advanced Policy actions, see Chapter 27 (page 411).

Internal Attributes and Mapping Functions

This section describes the internal attributes and pre-defined mapping functions included for client functionality. Table 19-2 describes the pre-defined mapping functions for Client Functionality.
Table 19-2 Pre-defined Mapping Functions for Client Functionality

Mapping Type   Mapping Function      Description
Target         set_radius_msg_type   Sets the RADIUS message type for client requests.
Target         set_target_host       Sets the target host to which a client request must be sent.
Source         get_from_host         Returns the hostname from which a RADIUS request was received.
Source         get_cur_timestamp     Returns the current timestamp.
Source         gen_state             Generates a value that can be used as the value of the State attribute.
Source         get_server_name       Returns a unique name for the HP-UX AAA Server that invokes this function.
Table 19-3 describes the internal attributes for Client Functionality.

Table 19-3 Internal Attributes for Client Functionality

Attribute Name                    Type      Description
Client-Action-Name                String    Contains the name of the CLIENT action which generated the request.
Client-Request-Count              Integer   Contains the current count of requests generated by a CLIENT action.
Client-Request-Create-ActionId    String    Contains the SQL Access action Id that must be used for generating a client request.
Client-Request-Update-ActionId    String    Contains the SQL Access action Id that must be used to update the database row which has just been processed.
Client-Request-Cleanup-ActionId   String    Contains the SQL Access action Id that must be used to update the database when a reply to a client request is received.
Client-Request-Timeout-ActionId   String    Contains the SQL Access action Id that must be used to update the database when a client request times out.

NOTE: The attributes listed in Table 19-3 are available in the dictionary file.
20 Configuring the HP-UX AAA Server for Dynamic Authorization

This chapter discusses the Dynamic Authorization capability of the HP-UX AAA Server. The Dynamic Authorization capability is based on the client functionality of the HP-UX AAA Server.

This chapter discusses the following topics:

• “Dynamic Authorization Overview” (page 297)
• “HP-UX AAA Server and Dynamic Authorization” (page 297)
• “Processing of Dynamic Authorization Requests” (page 298)
• “Configuring for Dynamic Authorization” (page 300)
  — “Basic Configuration” (page 301)
  — “Advanced Configuration” (page 302)
    ◦ “Migrating Existing SQL Access Deployments for Dynamic Authorization” (page 302)
    ◦ “Configuring Multiple HP-UX AAA Servers as a Group” (page 304)
    ◦ “Dynamic Authorization in Authorize Only Mode” (page 316)
    ◦ “Configuring for Proxy Functionality” (page 319)
    ◦ “Configuring for Failover” (page 321)
    ◦ “Security Consideration in Dynamic Authorization” (page 321)
• “Sample Configuration Files” (page 326)

Dynamic Authorization Overview

The RADIUS protocol, specified in RFC 2865, does not support RADIUS server-initiated requests. Typically, a RADIUS server processes RADIUS client-generated requests. However, under some circumstances, it is desirable for the RADIUS server to initiate requests. For example, sometimes it is desirable to be able to disconnect or change the authorization attributes of user sessions in real time, using RADIUS server-initiated requests. RFC 5176 defines new RADIUS standards to implement these features. These standards provide support for Disconnect and Change-Of-Authorization (CoA) packets. Disconnect packets are used to disconnect user sessions. CoA packets are used to change the authorization attributes of user sessions. For more information on Dynamic Authorization, see http://www.ietf.org/rfc/rfc5176.txt.

HP-UX AAA Server and Dynamic Authorization

The Dynamic Authorization capability is implemented using the HP-UX AAA Server client functionality. For more information on how the client functionality of the HP-UX AAA Server works, see Chapter 19 (page 291).
Figure 20-1 illustrates how the HP-UX AAA Server performs Dynamic Authorization.
Figure 20-1 HP-UX AAA Server Performing Dynamic Authorization Operation
In the following process flow, step 1 to step 5 (highlighted in blue in the figure) are related to creating RADIUS sessions, and step 6 to step 10 (highlighted in green in the figure) are related to the Dynamic Authorization operation:

1. A client requests access to a protected resource by sending user credentials to the authenticator.
2. The authenticator forwards the request to the HP-UX AAA Server.
3. The HP-UX AAA Server verifies the credentials. On success, the HP-UX AAA Server adds a new session entry in the session table of the database.
4. After a successful authentication, the HP-UX AAA Server provides access.
5. The authenticator grants access to the user and a session is created.
6. The HP-UX AAA Server periodically checks the session table in the database.
7. Based on the configured conditions, the HP-UX AAA Server sends either a Disconnect or a CoA request to the authenticator.
8. The authenticator processes the Disconnect or the CoA request and makes the corresponding changes to the user sessions.
9. Based on the result of the processing, the authenticator sends an ACK or NAK response.
10. Based on the response received, the HP-UX AAA Server makes the corresponding changes in the session table of the database.

Processing of Dynamic Authorization Requests

The dynamic authorization functionality is implemented using the HP-UX AAA Server client functionality. For more information on the HP-UX AAA Server client functionality, see Chapter 19 (page 291).

A client action is configured for each dynamic authorization request type. For each configured client action, based on the configured time interval, the timer function of the CLIENT AATV generates an empty request and places it in the initial state of the FSM. The sequence of steps involved in the processing of this empty request through the FSM is as follows:
1. The client-request-init policy is invoked. In this step, the policies configured in /etc/opt/aaa/client-request-init.grp are executed. The following things must be set through this policy:

   a. The SQL action to be executed for creating the dynamic authorization request should be set in the attribute Client-Request-Create-ActionId.
   b. The SQL action to be executed for updating the database to indicate that the row has just been processed should be set in the attribute Client-Request-Update-ActionId.
   c. The SQL action to be executed for updating the database if the dynamic authorization request times out should be set in the attribute Client-Request-Timeout-ActionId.
   d. The RADIUS message type of the dynamic authorization request should be set in the attribute Interlink-Packet-Code.

2. The SQL Access AATV is invoked. The SQL Access AATV executes the SQL action set in the attribute Client-Request-Create-ActionId. This SQL action enters values in the required fields of the empty request generated by the CLIENT AATV, based on the information stored in a database table, to create the dynamic authorization request.

3. The SQL Access AATV is invoked. The SQL Access AATV executes the SQL action set in the attribute Client-Request-Update-ActionId. This SQL action updates the database table to indicate that this database row has already been processed.

4. The CLIENT AATV is invoked. The action function of the CLIENT AATV is executed. The action function of the CLIENT AATV performs two major functions. One, it places the current dynamic authorization request in the message queue for client messages. Two, it generates another empty request and places it in the initial state of the FSM. Similarly, new dynamic authorization requests are generated and placed in the message queue successively, thereby resulting in a loop.

5. The client request egress policy is invoked. In this step, the policies configured in /etc/opt/aaa/client-request-egress.grp are executed. This policy file can be used to insert, modify, and delete attributes from the dynamic authorization request.

6. The ReplySend AATV is invoked. The dynamic authorization request is sent to the target host by the ReplySend AATV. Subsequently, the request waits for a response. If the request times out, it is retransmitted based on the configured retransmission interval and the maximum number of retransmissions.

7. If there is no response after the configured maximum number of retransmissions, the SQL Access AATV is invoked. The SQL Access AATV executes the SQL action set in the attribute Client-Request-Timeout-ActionId. This SQL action updates the database row to indicate that the dynamic authorization request timed out.
8. If a response is received for the dynamic authorization request, the client reply ingress policy is invoked. In this step, the policies configured in /etc/opt/aaa/client-reply-ingress.grp are executed. Through this policy, the SQL action to be used to update the database table based on the response type must be set in the attribute Client-Request-Cleanup-ActionId.

9. The SQL Access AATV is invoked. The SQL Access AATV executes the SQL action configured in the attribute Client-Request-Cleanup-ActionId. This SQL action updates the database based on the response type.
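The following Python model is added here as an illustration; it is not code from the HP-UX AAA Server or its SDK. It walks one timer tick of a Disconnect client action through the nine steps above, and through the generic CLIENT AATV loop of Chapter 19 (the action function enqueues the current request and generates another empty one until client_max_requests is reached), over an in-memory session table. The session rows, the authenticator's replies, the retransmission limit, the server name, and the session_status values written on completion, timeout, and NAK are constructed for the example; the internal attribute names and SQL action names are the ones used in this chapter and in the reference policy files.

```python
from collections import deque

# Constructed names: at run time get_server_name supplies the server name and
# the server configuration supplies the retransmission limit.
SERVER_NAME = "aaa1"
ACTIVE = SERVER_NAME + "_ACTIVE"          # initial session_status from the guide
MAX_RETRANSMISSIONS = 2


def sample_session_table():
    """Constructed rows; the column names follow the migration step of this chapter."""
    return [
        {"user": "alice", "from_host": "nas1", "session_status": ACTIVE,
         "session_timeout": 3600, "elapsed": 4000},   # expired, NAS answers
        {"user": "bob", "from_host": "nas1", "session_status": ACTIVE,
         "session_timeout": 3600, "elapsed": 100},    # still valid
        {"user": "carol", "from_host": "nas2", "session_status": ACTIVE,
         "session_timeout": 1800, "elapsed": 5000},   # expired, NAS is silent
    ]


def client_request_init(req):
    """Step 1: the client-request-init policy sets the SQL action ids and the
    RADIUS message type (action names from the reference configuration; the
    packet code value is assumed)."""
    req["Client-Request-Create-ActionId"] = "CreateDisconnectReq"
    req["Client-Request-Update-ActionId"] = "UpdateDisconnectReq"
    req["Client-Request-Timeout-ActionId"] = "TimeoutDisconnectReq"
    req["Interlink-Packet-Code"] = "Disconnect-Request"


def sql_create(req, table):
    """Step 2: fill the empty request from the first ACTIVE row whose
    session_timeout has elapsed (this selection rule is an assumption).
    Returns False when no row qualifies, which ends the CLIENT AATV loop."""
    for row in table:
        if row["session_status"] == ACTIVE and row["elapsed"] > row["session_timeout"]:
            req["User-Name"] = row["user"]
            req["target_host"] = row["from_host"]   # what set_target_host provides
            req["row"] = row
            return True
    return False


def sql_update(req):
    """Step 3: mark the row as already processed (status value is assumed)."""
    req["row"]["session_status"] = SERVER_NAME + "_DISCONNECT_PENDING"


def reply_send(req, authenticator):
    """Step 6: send and retransmit up to the limit; None means the request timed out."""
    for _ in range(1 + MAX_RETRANSMISSIONS):
        resp = authenticator(req)
        if resp is not None:
            return resp
    return None


def run_client_action(table, authenticator, client_max_requests):
    """One timer tick of a CLIENT action: the generate/enqueue loop of steps 1-4,
    then steps 5-9 for every queued request.
    Returns (session_status by user, number of requests sent)."""
    queue = deque()
    req = {}                                # empty request from the timer function
    while len(queue) < client_max_requests:
        client_request_init(req)
        if not sql_create(req, table):
            break
        sql_update(req)
        queue.append(req)                   # CLIENT AATV action function, part one
        req = {}                            # part two: another empty request
    sent = 0
    while queue:
        req = queue.popleft()
        # Step 5, the egress policy, could edit attributes here; nothing to change.
        resp = reply_send(req, authenticator)
        sent += 1
        row = req["row"]
        if resp is None:                    # step 7: Client-Request-Timeout-ActionId
            row["session_status"] = SERVER_NAME + "_TIMEOUT"         # assumed value
        elif resp == "ACK":                 # steps 8-9: cleanup action on ACK
            row["session_status"] = SERVER_NAME + "_DISCONNECTED"    # assumed value
        else:                               # steps 8-9: cleanup action on NAK
            row["session_status"] = SERVER_NAME + "_DISCONNECT_NAK"  # assumed value
    return {row["user"]: row["session_status"] for row in table}, sent


def constructed_authenticator(req):
    """Constructed NAS behaviour: nas1 acknowledges every request, nas2 never answers."""
    return "ACK" if req["target_host"] == "nas1" else None
```

Running run_client_action(sample_session_table(), constructed_authenticator, 10) sends two requests: alice's session ends in the acknowledged state and carol's in the timed-out state, while bob's valid session is never selected. With client_max_requests set to 1, only the first due session is handled in that tick, which is how the Max Requests value bounds the work done per timer interval.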
Figure 20-2 illustrates the sequence of steps involved in the processing of dynamicauthorization requests.
Figure 20-2 Dynamic Authorization Request Processing
Configuring for Dynamic Authorization

This section describes how to configure the HP-UX AAA Server for Dynamic Authorization. Figure 20-3 illustrates the different configurations for Dynamic Authorization.
Figure 20-3 Flowchart for Basic and Advanced Configuration
Basic Configuration

A basic implementation of the Dynamic Authorization capability for initiating and processing the Disconnect and CoA requests is available with the SQL Access reference implementation. The two sets of reference implementation files included are as follows:

• Files to set up a sample implementation for Oracle 10g and the OCI client to configure HP-UX AAA Server-initiated Disconnect and CoA requests are available at: /opt/aaa/examples/sqlaccess/oracle-1
  For details on how to implement sample SQL Access for Oracle, see the README in the directory.

• Files to set up a sample implementation for MySQL and the Unix ODBC driver to configure HP-UX AAA Server-initiated Disconnect and CoA requests are available at: /opt/aaa/examples/sqlaccess/mysql-1
  For details on how to implement sample SQL Access for MySQL, see the README in the directory.

For more information on the SQL Access reference implementation, see Chapter 22 (page 338).
For more information on the advanced configurations, see “Advanced Configuration” (page 302).

Advanced Configuration

Advanced configuration typically requires some extra customization of a feature to suit your needs. This section addresses the following topics:

• “Migrating Existing SQL Access Deployments for Dynamic Authorization” (page 302)
• “Configuring Multiple HP-UX AAA Servers as a Group” (page 304)
• “Dynamic Authorization in Authorize Only Mode” (page 316)
• “Configuring for Proxy Functionality” (page 319)
• “Configuring for Failover” (page 321)
• “Security Consideration in Dynamic Authorization” (page 321)

Migrating Existing SQL Access Deployments for Dynamic Authorization

If session management using SQL Access is already configured based on the reference implementation files delivered with HP-UX AAA Server version A.07.01 or earlier, you must complete the following additional steps for the Disconnect and CoA functionalities:

1. To add the additional columns required for dynamic authorization, modify the session table as follows:

   If you are using Oracle, enter the following at the SQL prompt:

   SQL> alter table RAD_SESS_TABLE add (
          session_timeout number(11),
          from_host varchar2(253),
          session_status varchar2(253),
          sess_mod_time TIMESTAMP,
          filter_id varchar2(253) );

   If you are using MySQL, enter the following at the mysql prompt:

   mysql> alter table RAD_SESS_TABLE add (
            session_timeout INT,
            from_host varchar(253),
            session_status varchar(253),
            sess_mod_time TIMESTAMP,
            filter_id varchar(253) );
2. To insert values in the new columns while creating a session, modify the StartSession SQL action. Following is the list of new columns in the session table, and their corresponding values:

   1. session_timeout — Specifies the value configured in the Session-Timeout attribute. You can configure the Session-Timeout attribute using either the user profile or through policy. The following mapping is used to insert this value:

      • For Oracle,
        RAD(Session-Timeout, REPLY) DBP(sess_timeout, 11, INT)
      • For MySQL,
        RAD(Session-Timeout, REPLY) DBP(9, 11, INT)

   2. from_host — Specifies the host from which the authentication request was received. The get_from_host mapping function retrieves this value. The following mapping is used to insert this value:

      • For Oracle,
        FUNC(get_from_host) DBP(from_host, 253, CHAR)
      • For MySQL,
        FUNC(get_from_host) DBP(10, 253, CHAR)

   3. session_status — Specifies the status of the session. The initial state is set to <server_name>_ACTIVE. The get_server_name mapping function retrieves a unique value for <server_name>. The following mapping is used to insert this value:

      • For Oracle,
        FUNC(get_server_name) DBP(server_name, 259, CHAR)
      • For MySQL,
        FUNC(get_server_name) DBP(11, 259, CHAR)

   4. sess_mod_time — Specifies the time when the session entry was modified. The initial value is the current timestamp. This column does not require mapping. The current_timestamp function is directly used in the SQL statement.

   5. filter_id — Specifies the data filter used for this session. The value is retrieved from the Filter-Id attribute. You can configure Filter-Id using either the user profile or through policy. The following mapping is used to insert this value:

      • For Oracle,
        RAD(Filter-Id, REPLY) DBP(filterid, 253, CHAR)
      • For MySQL,
        RAD(Filter-Id, REPLY) DBP(12, 253, CHAR)
   If the StartSession SQL action was not modified earlier, you can directly substitute it with the StartSession SQL action in the latest reference implementation sqlaccess.config file. The file is available in the following paths:

   For Oracle, /opt/aaa/examples/sqlaccess/oracle-1/sqlaccess.config
   For MySQL, /opt/aaa/examples/sqlaccess/mysql-1/sqlaccess.config

   If StartSession was modified to suit your environment, the changes must be merged with the changes in the latest sqlaccess.config file.

3. You must modify the FSM file. If the default FSM file delivered with the reference implementation is not modified, you can copy the FSM file from the latest reference implementation. If you have modified the default FSM file, you must manually modify the latest file. The latest FSM file is available at: /opt/aaa/examples/config/sqlaccess-acct-sess.fsm

The migration is complete. To configure for Disconnect and CoA, complete the procedure available at:

• For Oracle — /opt/aaa/examples/sqlaccess/oracle-1/README
• For MySQL — /opt/aaa/examples/sqlaccess/mysql-1/README

Configuring Multiple HP-UX AAA Servers as a Group

To improve performance and the ability to process multiple dynamic authorization requests, it is possible to run multiple HP-UX AAA Servers on a single HP-UX host and use the load balancer to distribute the client requests, thereby achieving scalability and reliability. In addition to running multiple HP-UX AAA Servers, you can clone the HP-UX AAA Server on the same or different hosts to support high-availability. For easier management of the servers, each server is associated with a group. For dynamic authorization, all the HP-UX AAA Servers in a group must facilitate load balancing and high-availability. The Disconnect and CoA messages to be sent to sessions must be distributed among the live HP-UX AAA Servers in that group. Figure 20-4 illustrates multiple HP-UX AAA Servers configured as a group for dynamic authorization.
Figure 20-4 Multiple HP-UX AAA Servers in a Group for Dynamic Authorization
In Figure 20-4, sessions in the database that must either be disconnected or changed are distributed among the live HP-UX AAA Servers within the group. Each HP-UX AAA Server within the group subsequently initiates Disconnect or CoA message exchanges with the authenticator for the sessions assigned to it.

The requirement to distribute Disconnect and CoA messages is met as follows:

• In the default reference implementation, the session status is always prefixed with the server name to ensure that the sessions created by a particular HP-UX AAA Server are processed only by that HP-UX AAA Server. However, when an HP-UX AAA Server belongs to a group, sessions created by the HP-UX AAA Server can be processed by any other HP-UX AAA Server in the same group. Therefore, the group name must be prefixed to the session status, and the initial status must be <groupname>_ACTIVE.

• The live HP-UX AAA Servers must be easy to identify at any point of time. For this purpose, a new database table, called RAD_SERVER_TABLE, is included. This table includes two columns: server_name and update_time. The value of the server_name column is <groupname>_<server_name>. All the HP-UX AAA Servers include a TimedEvent SQLAction, which periodically updates the update_time in this table. Using this table, the list of live HP-UX AAA Servers can be determined by verifying the update_time. A stored procedure, called update_server_table, is used to update the RAD_SERVER_TABLE.

• The stored procedures distribute_disconnect_sessions and distribute_coa_sessions are used to distribute the sessions. These stored procedures determine the list of sessions to which Disconnect and CoA requests must be sent, and ensure that the requests are distributed among the live HP-UX AAA Servers. The RAD_SERVER_TABLE is used to determine the list of live HP-UX AAA Servers.

For more information on these stored procedures and tables, see the following:

• For Oracle — /opt/aaa/examples/sqlaccess/oracle-1/dbsetup.sql.dynauth_server_group
• For MySQL — /opt/aaa/examples/sqlaccess/mysql-1/dbsetup.sql.dynauth_server_group
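The following Python model is added here as an illustration; it is not the stored procedures shipped in dbsetup.sql.dynauth_server_group. It shows the liveness check and the distribution logic described above against an in-memory SQLite stand-in for the Oracle or MySQL database: each server refreshes its update_time heartbeat, only servers with a recent heartbeat are considered live, and the <groupname>_ACTIVE sessions whose session_timeout has elapsed are handed out round-robin to those live servers. The 120-second liveness window, the round-robin assignment, the <groupname>_<server_name>_DISCONNECT marker written to session_status, the simplified column types, and the sample rows are assumptions made for the example; the table and column names are the ones named in this section.

```python
import sqlite3

GROUP = "test_group"          # <groupname>, the value used in the sed example below
LIVENESS_WINDOW = 120         # seconds without a heartbeat before a server is not live (assumed)


def open_db():
    """In-memory stand-in for the database; tables and columns named in the guide,
    types simplified to what SQLite offers."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE RAD_SERVER_TABLE (server_name TEXT PRIMARY KEY, update_time INTEGER);
        CREATE TABLE RAD_SESS_TABLE (
            user_name TEXT, from_host TEXT, session_status TEXT,
            session_timeout INTEGER, sess_mod_time INTEGER, filter_id TEXT);
    """)
    return con


def update_server_table(con, server, now):
    """What the TimedEvent SQLAction does via update_server_table: refresh this
    server's heartbeat row, keyed by <groupname>_<server_name>."""
    con.execute("INSERT OR REPLACE INTO RAD_SERVER_TABLE VALUES (?, ?)",
                (f"{GROUP}_{server}", now))


def live_servers(con, now):
    """Servers whose update_time falls inside the liveness window."""
    rows = con.execute(
        "SELECT server_name FROM RAD_SERVER_TABLE WHERE update_time >= ? ORDER BY server_name",
        (now - LIVENESS_WINDOW,)).fetchall()
    return [r[0] for r in rows]


def distribute_disconnect_sessions(con, now):
    """Model of the stored procedure: select <groupname>_ACTIVE sessions whose
    session_timeout has elapsed and assign them round-robin to the live servers by
    rewriting session_status to <server_name>_DISCONNECT (assumed marker).
    Returns {server_name: [user_name, ...]}."""
    servers = live_servers(con, now)
    if not servers:
        return {}
    due = con.execute(
        "SELECT rowid, user_name FROM RAD_SESS_TABLE WHERE session_status = ? "
        "AND sess_mod_time + session_timeout <= ? ORDER BY rowid",
        (f"{GROUP}_ACTIVE", now)).fetchall()
    assigned = {s: [] for s in servers}
    for i, (rowid, user) in enumerate(due):
        server = servers[i % len(servers)]
        con.execute(
            "UPDATE RAD_SESS_TABLE SET session_status = ?, sess_mod_time = ? WHERE rowid = ?",
            (f"{server}_DISCONNECT", now, rowid))
        assigned[server].append(user)
    con.commit()
    return assigned


def demo():
    """Constructed scenario: three servers heartbeat, one of them stale;
    five expired sessions and one that is still valid."""
    con = open_db()
    now = 10_000
    for server, last in (("aaa1", now - 10), ("aaa2", now - 30), ("aaa3", now - 600)):
        update_server_table(con, server, last)
    rows = [(f"user{i}", "nas1", f"{GROUP}_ACTIVE", 3600, now - 4000, "default")
            for i in range(5)]
    rows.append(("fresh", "nas1", f"{GROUP}_ACTIVE", 3600, now - 100, "default"))
    con.executemany("INSERT INTO RAD_SESS_TABLE VALUES (?,?,?,?,?,?)", rows)
    return live_servers(con, now), distribute_disconnect_sessions(con, now)
```

In demo(), aaa3 last refreshed its row 600 seconds ago and so receives no sessions; the five expired sessions are split between aaa1 and aaa2, and the session that is still within its timeout is left in <groupname>_ACTIVE. Sizing the liveness window against the TimedEvent interval is what prevents a crashed server from being handed sessions that nobody will disconnect.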
Configuring for Disconnect and CoA Request Processing
This section describes the procedure to configure all the HP-UX AAA Servers in a group to perform authentication, accounting, and dynamic authorization. To dedicate some HP-UX AAA Servers in a group for dynamic authorization, see “Dedicated HP-UX AAA Servers for Dynamic Authorization” (page 311).

To configure for Disconnect and CoA request processing when multiple HP-UX AAA Servers belong to a group, complete the following steps:

1. Configure the HP-UX AAA Server to enable session management using SQL. For information on how to enable session management using SQL, see Chapter 22 (page 338).

2. Retrieve a copy of the dbsetup.sql.dynauth_server_group script from the following directories and store it in the /tmp directory on the database system:

   • For Oracle — /opt/aaa/examples/sqlaccess/oracle-1/dbsetup.sql.dynauth_server_group
   • For MySQL — /opt/aaa/examples/sqlaccess/mysql-1/dbsetup.sql.dynauth_server_group

3. To create the necessary tables and stored procedures, you must execute the script.

   For Oracle, enter the following command at the SQL prompt:
   SQL> @ /tmp/dbsetup.sql.dynauth_server_group

   For MySQL, enter the following command at the mysql prompt:
   mysql> source /tmp/dbsetup.sql.dynauth_server_group

4. Replace <groupname> with the name of the group and append the required SQLActions.

   For Oracle, enter the following command at the prompt:
   $ sed "s/<groupname>/test_group/g" \
     /opt/aaa/examples/sqlaccess/oracle-1/sqlaccess.config.dynauth_server_group \
     >> /etc/opt/aaa/sqlaccess.config

   For MySQL, enter the following command at the prompt:
   $ sed "s/<groupname>/test_group/g" \
     /opt/aaa/examples/sqlaccess/mysql-1/sqlaccess.config.dynauth_server_group \
     >> /etc/opt/aaa/sqlaccess.config
5. To create sessions using the new SQL action, modify the FSM as follows:

   Replace the following line in /etc/opt/aaa/radius.fsm:
   *.*.ACK SQLAccess Tunneling xstring="ActionID=StartSession"
   with
   *.*.ACK SQLAccess Tunneling xstring="ActionID=StartSessionServerGroup"

   NOTE: If you have modified the StartSession SQLAction to suit your environment, the changes must be merged with the StartSessionServerGroup SQLAction.

6. To copy the following policy files, enter the following commands at the HP-UX prompt:

   • $ cp /opt/aaa/examples/config/client-request-init.grp.dynauth /etc/opt/aaa/client-request-init.grp
   • $ cp /opt/aaa/examples/config/client-reply-ingress.grp.dynauth /etc/opt/aaa/client-reply-ingress.grp

   NOTE: If some policies have already been configured in the /etc/opt/aaa/client-request-init.grp and /etc/opt/aaa/client-reply-ingress.grp files, you must append the policies instead of copying.

7. To use the new SQLActions, modify the policy files as follows:

   In /etc/opt/aaa/client-request-init.grp

   • Replace the following line:
     insert Client-Request-Create-ActionId = "CreateDisconnectReq"
     with
     insert Client-Request-Create-ActionId = "CreateDisconnectReqServerGroup"

   • Replace the following line:
     insert Client-Request-Update-ActionId = "UpdateDisconnectReq"
     with
     insert Client-Request-Update-ActionId = "UpdateDisconnectReqServerGroup"

   • Replace the following line:
     insert Client-Request-Timeout-ActionId = "TimeoutDisconnectReq"
     with
     insert Client-Request-Timeout-ActionId = "TimeoutDisconnectReqServerGroup"

   • Replace the following line:
     insert Client-Request-Create-ActionId = "CreateCOAReq"
     with
     insert Client-Request-Create-ActionId = "CreateCOAReqServerGroup"

   • Replace the following line:
     insert Client-Request-Update-ActionId = "UpdateCOAReq"
     with
     insert Client-Request-Update-ActionId = "UpdateCOAReqServerGroup"

   • Replace the following line:
     insert Client-Request-Timeout-ActionId = "TimeoutCOAReq"
     with
     insert Client-Request-Timeout-ActionId = "TimeoutCOAReqServerGroup"

   In /etc/opt/aaa/client-reply-ingress.grp

   • Replace the following line:
     insert Client-Request-Cleanup-ActionId = "SuspendDisconnectedSession"
     with
     insert Client-Request-Cleanup-ActionId = "SuspendDisconnectedSessionServerGroup"

   • Replace the following line:
     insert Client-Request-Cleanup-ActionId = "UpdateCOASession"
     with
     insert Client-Request-Cleanup-ActionId = "UpdateCOASessionServerGroup"

   • Replace the following line:
     insert Client-Request-Cleanup-ActionId = "SuspendCOASession"
     with
     insert Client-Request-Cleanup-ActionId = "SuspendCOASessionServerGroup"

   NOTE: The following requirement is applicable for Oracle only. If DHCP is enabled, replace the following line in the /etc/opt/aaa/client-reply-ingress.grp file:
   insert Client-Request-Cleanup-ActionId = "CleanupDisconnectedSession"
   with
   insert Client-Request-Cleanup-ActionId = "CleanupDisconnectedSession-DHCP"

8. To enable the Disconnect functionality, complete the following steps:
   NOTE: You must perform this step only if you want the Disconnect functionality. Otherwise, you can ignore this step.

   1. Log in to HP-UX AAA Server Manager.

   2. Click Server Properties. The Server Properties window is displayed as follows:

      Figure 20-5 Server Properties

   3. Click AAA Server as a Client Properties. The Server Properties (CLIENT) window is displayed as follows:

      Figure 20-6 Server Properties (CLIENT)

   4. Click Client Action Properties. The Server Properties: Modify Property window is displayed as follows:

      Figure 20-7 Server Properties: Modify Property

   5. Select New Action. The Client Action Properties window is displayed as follows:

      Figure 20-8 Client Action Properties

   6. Enter the following values in the respective fields within the Client Action Properties window:
      Action Name: Disconnect
      Timer Value: 1
      Max Requests: 0

9. To enable the CoA functionality, complete the following steps:

   NOTE: You must complete this procedure only if you want the CoA functionality. Otherwise, you can ignore this procedure.

   1. Log in to HP-UX AAA Server Manager.
   2. Click Server Properties.
   3. Click AAA Server as a Client Properties.
   4. Click Client Action Properties.
   5. Select New Action.
   6. Enter the following values in the respective fields within the Client Action Properties window:
      Name: COA
      Timer Value: 60
      Max Requests: 0

10. To activate the changes, restart the HP-UX AAA Server.
Dedicated HP-UX AAA Servers for Dynamic Authorization
Within a group, you can dedicate a set of HP-UX AAA Servers to the dynamic authorization operation. If you dedicate a set of HP-UX AAA Servers within a group to dynamic authorization, you need not perform all the steps described earlier on every HP-UX AAA Server. This section describes the procedures to dedicate HP-UX AAA Servers within a group to authentication and to dynamic authorization.
On the HP-UX AAA Servers that perform authentication only (the HP-UX AAA Servers that create the sessions), complete the following steps:
1. Configure the HP-UX AAA Server to enable session management using SQL. For information on how to enable session management using SQL, see Chapter 22 (page 338).
2. Copy the SQLAction definition for StartSessionServerGroup from
   • For Oracle — /opt/aaa/examples/sqlaccess/oracle-1/sqlaccess.config.dynauth_server_group
   • For MySQL — /opt/aaa/examples/sqlaccess/mysql-1/sqlaccess.config.dynauth_server_group
   to /etc/opt/aaa/sqlaccess.config, and replace <groupname> with the name of the group.
3. To create sessions using the new SQLAction, modify the FSM as follows. Replace the following line in /etc/opt/aaa/radius.fsm:
   *.*.ACK SQLAccess Tunneling xstring="ActionID=StartSession"
   with
   *.*.ACK SQLAccess Tunneling xstring="ActionID=StartSessionServerGroup"
NOTE: If you have modified the StartSession SQLAction to suit your environment, the changes must be merged with the StartSessionServerGroup SQLAction.
On HP-UX AAA Servers dedicated to dynamic authorization, complete the following steps:
1. Retrieve a copy of the dbsetup.sql.dynauth_server_group script from one of the following locations and store it in the /tmp directory on the database system:
   • For Oracle — /opt/aaa/examples/sqlaccess/oracle-1/dbsetup.sql.dynauth_server_group
   • For MySQL — /opt/aaa/examples/sqlaccess/mysql-1/dbsetup.sql.dynauth_server_group
2. To create the necessary tables and stored procedures, execute the script. For Oracle, enter the following command at the SQL prompt:
   SQL> @ /tmp/dbsetup.sql.dynauth_server_group
   For MySQL, enter the following command at the mysql prompt:
   mysql> source /tmp/dbsetup.sql.dynauth_server_group
3. Copy sqlaccess.config. For Oracle, enter the following command at the prompt:
   $ cp /opt/aaa/examples/sqlaccess/oracle-1/sqlaccess.config /etc/opt/aaa/sqlaccess.config
   For MySQL, enter the following command at the prompt:
   $ cp /opt/aaa/examples/sqlaccess/mysql-1/sqlaccess.config /etc/opt/aaa/sqlaccess.config
4. Configure the Database Connection (DBID) section in /etc/opt/aaa/sqlaccess.config.
   • For Oracle — In the Database Connection (DBID) section of the sqlaccess.config file, replace <aaaoracleuser>, <aaaoracleuserpassword>, <hostname>, <port>, and <SID> with the Oracle username, password, hostname on which the database is installed, database server port number, and Oracle SID.
   • For MySQL — In the Database Connection (DBID) section of the sqlaccess.config file, replace the variables <mysqlaaauser> and <mysqlaaauserpassword> with the MySQL username and password, and set ODBCDatastore to the ODBC Data Source.
5. Append the required SQLActions after replacing <groupname> with the name of the group (test_group in the commands below). For Oracle, enter the following command at the prompt:
   $ sed "s/<groupname>/test_group/g" /opt/aaa/examples/sqlaccess/oracle-1/sqlaccess.config.dynauth_server_group >> /etc/opt/aaa/sqlaccess.config
   For MySQL, enter the following command at the prompt:
   $ sed "s/<groupname>/test_group/g" /opt/aaa/examples/sqlaccess/mysql-1/sqlaccess.config.dynauth_server_group >> /etc/opt/aaa/sqlaccess.config
6. Copy the required policy files. Enter the following commands at the HP-UX prompt:
   • $ cp /opt/aaa/examples/config/client-request-init.grp.dynauth /etc/opt/aaa/client-request-init.grp
   • $ cp /opt/aaa/examples/config/client-reply-ingress.grp.dynauth /etc/opt/aaa/client-reply-ingress.grp
NOTE: If some policies have already been configured in the /etc/opt/aaa/client-request-init.grp and /etc/opt/aaa/client-reply-ingress.grp files, you must append the policies instead of copying.
7. To use the new SQLActions, modify the policy files as follows:
In /etc/opt/aaa/client-request-init.grp
• Replace the following line:
  insert Client-Request-Create-ActionId = "CreateDisconnectReq"
  with
  insert Client-Request-Create-ActionId = "CreateDisconnectReqServerGroup"
• Replace the following line:
  insert Client-Request-Update-ActionId = "UpdateDisconnectReq"
  with
  insert Client-Request-Update-ActionId = "UpdateDisconnectReqServerGroup"
• Replace the following line:
  insert Client-Request-Timeout-ActionId = "TimeoutDisconnectReq"
  with
  insert Client-Request-Timeout-ActionId = "TimeoutDisconnectReqServerGroup"
• Replace the following line:
  insert Client-Request-Create-ActionId = "CreateCOAReq"
  with
  insert Client-Request-Create-ActionId = "CreateCOAReqServerGroup"
• Replace the following line:
  insert Client-Request-Update-ActionId = "UpdateCOAReq"
  with
  insert Client-Request-Update-ActionId = "UpdateCOAReqServerGroup"
• Replace the following line:
  insert Client-Request-Timeout-ActionId = "TimeoutCOAReq"
  with
  insert Client-Request-Timeout-ActionId = "TimeoutCOAReqServerGroup"
In /etc/opt/aaa/client-reply-ingress.grp
• Replace the following line:
  insert Client-Request-Cleanup-ActionId = "SuspendDisconnectedSession"
  with
  insert Client-Request-Cleanup-ActionId = "SuspendDisconnectedSessionServerGroup"
• Replace the following line:
  insert Client-Request-Cleanup-ActionId = "UpdateCOASession"
  with
  insert Client-Request-Cleanup-ActionId = "UpdateCOASessionServerGroup"
• Replace the following line:
  insert Client-Request-Cleanup-ActionId = "SuspendCOASession"
  with
  insert Client-Request-Cleanup-ActionId = "SuspendCOASessionServerGroup"
NOTE: The following requirement is applicable for Oracle only. If DHCP is enabled, replace the following line in the /etc/opt/aaa/client-reply-ingress.grp file:
  insert Client-Request-Cleanup-ActionId = "CleanupDisconnectedSession"
  with
  insert Client-Request-Cleanup-ActionId = "CleanupDisconnectedSession-DHCP"
8. To enable the Disconnect functionality, complete the following steps:
NOTE: You must perform this step only if you want the Disconnect functionality. Otherwise, you can ignore this step.
1. Log in to HP-UX AAA Server Manager.
2. Click Server Properties. The Server Properties window is displayed as follows:
Figure 20-9 Server Properties
3. Click AAA Server as a Client Properties. The Server Properties (CLIENT) window is displayed as follows:
Figure 20-10 Server Properties (CLIENT)
4. Click Client Action Properties. The Server Properties: Modify Property window is displayed as follows:
Figure 20-11 Server Properties: Modify Property
5. Select New Action. The Client Action Properties window is displayed as follows:
Figure 20-12 Client Action Properties
6. Enter the following values in the respective fields, within the Client Action Properties window:
   Action Name: Disconnect
   Timer Value: 1
   Max Requests: 0
9. To enable the CoA functionality, complete the following steps:
NOTE: You must complete this procedure only if you want the CoA functionality. Otherwise, you can ignore this procedure.
1. Log in to HP-UX AAA Server Manager.
2. Click Server Properties.
3. Click AAA Server as a Client Properties.
4. Click Client Action Properties.
5. Select New Action.
6. Enter the following values in the respective fields, within the Client Action Properties window:
   Name: COA
   Timer Value: 60
   Max Requests: 0
10. To activate the changes, restart the HP-UX AAA Server.
Dynamic Authorization in Authorize Only Mode
To ensure simplicity of translation between RADIUS and DIAMETER, RFC 5176 describes a different sequence of message exchanges between the HP-UX AAA Server and the NAS for Disconnect and CoA. Figure 20-13 illustrates dynamic authorization in authorize only mode.
Figure 20-13 Dynamic Authorization in Authorize Only Mode
The sequence of steps involved in the message exchange is as follows:
1. The HP-UX AAA Server sends a CoA-Request that includes the Service-Type attribute. The value of the attribute is Authorize Only. Therefore, the mode is called Authorize Only. In addition to the Service-Type attribute, the CoA-Request includes session identification attributes, a State attribute, and NAS identification attributes. The CoA-Request does not contain any other attribute.
2. If the NAS supports the Authorize Only mode, it responds with a CoA-NAK containing the Service-Type and Error-Cause attributes. The value of the Service-Type attribute is Authorize Only and the value of the Error-Cause attribute is Request Initiated.
3. Subsequently, the NAS sends an Access-Request to the HP-UX AAA Server, including a Service-Type attribute and the State attribute that was sent by the HP-UX AAA Server in the initial CoA-Request. The value of the Service-Type attribute is Authorize Only.
4. The HP-UX AAA Server responds to the Access-Request with an Access-Accept to reauthorize the session or an Access-Reject to disconnect it.
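The four-step exchange above, modelled as an added example (illustrative code written for this edition, not HP-UX AAA Server code): the server, acting as DAS, issues the Authorize Only CoA-Request; the NAS answers with a CoA-NAK carrying Request Initiated and then sends an Access-Request with the same State; the DAS reauthorizes with a new Filter-Id or rejects. Messages are Python dicts keyed by RADIUS attribute name, so wire encoding is out of scope. The State token generator, the Error-Cause spellings, the session table and the NAS name are constructed, and treating each State value as single-use is this example's choice rather than a requirement stated on the page.

```python
import secrets

# Error-Cause values from RFC 5176 (numeric codes as published: 405 Unsupported
# Service, 507 Request Initiated). The string spellings are constructed.
ERROR_CAUSE_UNSUPPORTED_SERVICE = "Unsupported-Service"
ERROR_CAUSE_REQUEST_INITIATED = "Request-Initiated"


class DynAuthServer:
    """HP-UX AAA Server role (DAS): sends the Authorize Only CoA-Request and
    later answers the NAS's Access-Request from its own session table."""

    def __init__(self, session_table):
        self.sessions = session_table   # Acct-Session-Id -> session record (constructed)
        self.pending = {}               # State value -> Acct-Session-Id awaiting reauthorization

    def create_coa_request(self, session_id, nas_identifier):
        # Step 1: Service-Type, session identification, State and NAS identification only.
        # The random State stands in for the page's gen_state mapping (assumption).
        state = secrets.token_hex(16)
        self.pending[state] = session_id
        return {"Code": "CoA-Request", "Service-Type": "Authorize-Only",
                "Acct-Session-Id": session_id, "State": state,
                "NAS-Identifier": nas_identifier}

    def coa_reply_indicates_reauth(self, reply):
        # Step 2: a CoA-NAK with Error-Cause Request Initiated means the NAS will
        # come back with an Access-Request; any other NAK is a real failure.
        return (reply.get("Code") == "CoA-NAK"
                and reply.get("Service-Type") == "Authorize-Only"
                and reply.get("Error-Cause") == ERROR_CAUSE_REQUEST_INITIATED)

    def handle_access_request(self, request, hour):
        # Steps 3 and 4: accept only an Authorize-Only request whose State this
        # server issued and has not yet consumed; then decide from the session table.
        if request.get("Service-Type") != "Authorize-Only":
            return {"Code": "Access-Reject", "Reason": "not an Authorize-Only request"}
        session_id = self.pending.pop(request.get("State"), None)
        if session_id is None:
            return {"Code": "Access-Reject", "Reason": "unknown or already used State"}
        if session_id not in self.sessions:
            # Same outcome as the AuthorizeSession SQL action: unknown session is rejected.
            return {"Code": "Access-Reject", "Reason": "session not found"}
        # Same time-of-day rule the page's client-request-init policy uses for Filter-Id.
        filter_id = "daytime_filter" if 8 <= hour <= 20 else "nighttime_filter"
        return {"Code": "Access-Accept", "Filter-Id": filter_id}


class Nas:
    """NAS role. With Authorize Only support it replies CoA-NAK (Request Initiated)
    and then issues an Access-Request carrying the State it was given; without
    support it replies CoA-NAK with Unsupported Service."""

    def __init__(self, supports_authorize_only=True):
        self.supports_authorize_only = supports_authorize_only
        self.saved_state = None

    def handle_coa_request(self, request):
        if request.get("Service-Type") != "Authorize-Only" or not self.supports_authorize_only:
            return {"Code": "CoA-NAK", "Error-Cause": ERROR_CAUSE_UNSUPPORTED_SERVICE}
        self.saved_state = request["State"]
        return {"Code": "CoA-NAK", "Service-Type": "Authorize-Only",
                "Error-Cause": ERROR_CAUSE_REQUEST_INITIATED}

    def access_request(self):
        return {"Code": "Access-Request", "Service-Type": "Authorize-Only",
                "State": self.saved_state}


def run_exchange(das, nas, session_id, nas_identifier, hour):
    """Drive the four steps; return the last packet the DAS produced."""
    coa_reply = nas.handle_coa_request(das.create_coa_request(session_id, nas_identifier))
    if not das.coa_reply_indicates_reauth(coa_reply):
        return coa_reply
    return das.handle_access_request(nas.access_request(), hour)


# Constructed session table: one active session known to the DAS.
SESSIONS = {"0000A1B2": {"User-Name": "alice@example.com", "status": "ACTIVE"}}

if __name__ == "__main__":
    print(run_exchange(DynAuthServer(dict(SESSIONS)), Nas(), "0000A1B2", "nas1.example.com", 10))
```

The point the code makes that the prose does not: the State attribute is what binds the NAS's Access-Request to the CoA-Request the server sent, so the DAS should accept only State values it issued, and the reauthorization decision (Accept with a new Filter-Id, or Reject) comes from the server's own session table, as the AuthorizeSession SQL action described later in this chapter does.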
Configuring for Dynamic Authorization in Authorize Only Mode
To configure the HP-UX AAA Server for dynamic authorization in the Authorize Only mode, complete the following steps:
1. To configure the HP-UX AAA Server to send Disconnect and CoA requests in the default mode, complete the procedure described in the following files:
   • For Oracle — /opt/aaa/examples/sqlaccess/oracle-1/README
   • For MySQL — /opt/aaa/examples/sqlaccess/mysql-1/README
2. Modify the /etc/opt/aaa/client-request-init.grp file as follows:
   • For Authorize Only mode, the RADIUS message type for both Disconnect and CoA requests must be CoA-Request. Therefore, replace the following lines:
     ## Set the RADIUS message type of the request to Disconnect-Request.
     insert Interlink-Packet-Code = "Disconnect-Request"
     with
     ## Set the RADIUS message type of the request to COA-Request.
     insert Interlink-Packet-Code = "COA-Request"
   • Insert a Service-Type attribute with the value Authorize-Only. Append the following lines at the end of the /etc/opt/aaa/client-request-init.grp file:
     ## Add Service-Type attribute with value "Authorize Only"
     insert Service-Type = "Authorize-Only"
3. A CoA-Request whose Service-Type attribute value is Authorize Only must include session and NAS identification attributes only. Therefore, the Filter-Id attribute must be removed from the Change-Of-Authorization request.
   Add the following lines in the /etc/opt/aaa/client-request-egress.grp file:
   if( count(Service-Type) != 0 && Service-Type = "Authorize-Only" && Client-Action-Name = "COA" ) {
     ## Delete the Filter-Id attribute.
     delete Filter-Id
   }
4. To handle a response to a CoA-Request whose Service-Type attribute value is Authorize-Only, modify the client-reply-ingress.grp file. Add the following lines at the beginning of the /etc/opt/aaa/client-reply-ingress.grp file:
   if( count(Service-Type) != 0 && Service-Type = "Authorize-Only" ) {
     if( Interlink-Packet-Code = "COA-NAK" && count(Error-Cause) != 0 && Error-Cause = "Request_Initiated" ) {
       ## Authorize Only request succeeded.
       if( Client-Action-Name = "Disconnect" ) {
         ## Set the SQLAccess ActionID to be used for Disconnect success.
         insert Client-Request-Cleanup-ActionId = "CleanupDisconnectedSession"
       } else {
         if( Client-Action-Name = "COA" ) {
           ## Set the SQLAccess ActionID to be used for COA success.
           insert Client-Request-Cleanup-ActionId = "UpdateCOASession"
           ## Set the Filter-Id based on the current time of day.
           if( Time-Of-Day >= "08:00" && Time-Of-Day <= "20:00" ) {
             insert Filter-Id = "daytime_filter"
           } else {
             insert Filter-Id = "nighttime_filter"
           }
         }
       }
     } else {
       ## Authorize Only request failed.
       if( Client-Action-Name = "Disconnect" ) {
         ## Set the SQLAccess ActionID to be used for Disconnect failure.
         insert Client-Request-Cleanup-ActionId = "SuspendDisconnectedSession"
       } else {
         if( Client-Action-Name = "COA" ) {
           ## Set the SQLAccess ActionID to be used for COA failure.
           insert Client-Request-Cleanup-ActionId = "SuspendCOASession"
         }
       }
     }
   }
NOTE: The following requirement is applicable for Oracle only. If DHCP is enabled, replace the following line in the /etc/opt/aaa/client-reply-ingress.grp file:
   insert Client-Request-Cleanup-ActionId = "CleanupDisconnectedSession"
   with
   insert Client-Request-Cleanup-ActionId = "CleanupDisconnectedSession-DHCP"
If multiple HP-UX AAA Servers are configured as a group, enter UpdateCoASessionServerGroup, SuspendDisconnectedSessionServerGroup and SuspendCoASessionServerGroup instead of UpdateCoASession, SuspendDisconnectedSession, and SuspendCoASession respectively.
5. Set the Authorize-Only-ActionId attribute to the SQL Access action ID that must be used for an Access-Request whose Service-Type attribute value is Authorize Only. Add the following lines in the /etc/opt/aaa/request-ingress.grp file:
   ## Set the SQLAccess Action ID to be used for Authorize Only type requests.
   if( count(Service-Type) != 0 && Service-Type = "Authorize-Only" ) {
     insert Authorize-Only-ActionId = "AuthorizeSession"
   }
NOTE: If multiple HP-UX AAA Servers are configured as a group, enter AuthorizeSessionServerGroup instead of AuthorizeSession.
6. Add the State attribute to the generated CoA-Request. In the /etc/opt/aaa/sqlaccess.config file, add the following mapping in the CreateDisconnectReq and CreateCoAReq SQLActions:
   FUNC(gen_state) RAD(State, REPLY)
NOTE: If multiple HP-UX AAA Servers are configured as a group, the mapping must be added in the CreateDisconnectReqServerGroup and CreateCoAReqServerGroup SQLActions in the /etc/opt/aaa/sqlaccess.config file.
Configuring for Proxy Functionality
In addition to disconnecting and changing the authorization of user sessions, the HP-UX AAA Server can act as a proxy for Dynamic Authorization requests to a target Network Access Server (NAS). An AAA proxy is an entity that acts as a client as well as a server. When a request is received from a Dynamic Authorization Client (DAC), the proxy acts as a Dynamic Authorization Server (DAS). If the same request must be forwarded to another AAA entity, the proxy acts as a DAC.
Requests are sent based on the configuration. For example, using advanced policy, you can configure routing on the basis of user realm or target NAS. The proxy HP-UX AAA Server listens for Disconnect and CoA requests on a configurable port. The configuration settings of this port are the same as those of the authentication and accounting proxy ports. The default port is 3799.
Figure 20-14 illustrates the Dynamic Authorization proxy functionality.
Figure 20-14 Proxy Functionality
Configuring for Dynamic Authorization Proxy Functionality
To configure the HP-UX AAA Server for Dynamic Authorization proxy functionality, you must configure the routing tables for the requests in the /etc/opt/aaa/proxy-egress.grp proxy egress policy file. You can configure the routing tables on the basis of attributes, such as the user's realm and the target NAS (authenticator), in the incoming request.
Configuring on the Basis of User's Realm
To configure routing tables based on the user's realm, add the following lines in the /etc/opt/aaa/proxy-egress.grp file:
if( Interlink-Packet-Code = "Disconnect-Request" || Interlink-Packet-Code = "COA-Request" ) {
  if( (count(User-Name) > 0) && substr(User-Name after "@") = "<realm>" ) {
    modify Interlink-Proxy-Target = "<Hostname or IP Address of Proxy Target Server>"
  }
}
Configuring on the Basis of NAS
To configure routing tables based on the NAS (authenticator), add the following lines in the /etc/opt/aaa/proxy-egress.grp file:
if( Interlink-Packet-Code = "Disconnect-Request" || Interlink-Packet-Code = "COA-Request" ) {
  if( count(NAS-Identifier) > 0 && NAS-Identifier = "<DNS name of NAS>" ) {
    modify Interlink-Proxy-Target = "<Hostname or IP Address of Proxy Target Server>"
  }
}
NOTE: The HP-UX AAA Server configuration must include all the remote proxy servers that forward messages to, or receive forwarded messages from, this HP-UX AAA Server. If a remote proxy server is not included in the configuration, the server does not handle or forward requests to it. The Proxies screen in the HP-UX AAA Server Manager allows you to add, modify, or delete a remote proxy server in the server configuration. For information on how to configure Proxies, see Chapter 9 (page 117).
Configuring for Failover
The HP-UX AAA Server supports failover for dynamic authorization requests. You can configure a secondary server to which the requests are sent if the primary server fails to respond. To configure a secondary server, add the following line in the /etc/opt/aaa/client-request-egress.grp file:
insert Client-Request-Secondary-Server = <hostname or IP address of secondary server>
Security Consideration in Dynamic Authorization
This section describes the security features in Dynamic Authorization. The following features are supported:
• “Replay Protection” (page 321)
• “Message-Authenticator” (page 324)
• “Reverse Path Forwarding Check for Proxies” (page 324)
Replay Protection
The Replay Protection feature protects the network against the replay of previously captured, valid messages. The Event-Timestamp attribute is used to enforce replay protection: the HP-UX AAA Server discards any incoming message whose Event-Timestamp value is not within the acceptable time window. You can configure the time window using the event_timestamp_window attribute in the aaa.config file. For more information on the attribute, see “Dynamic Authorization-Related Configuration Items” (page 525).
By default, Event-Timestamp attribute checking is not enforced. The Event-Timestamp attribute is verified only if it is present in the incoming message; if it is absent, no check is made. To enforce Event-Timestamp attribute checking, add the following lines in the /etc/opt/aaa/client-reply-ingress.grp file:
if( count(Event-Timestamp) = 0 ) {
  exit "NAK"
}
To configure the HP-UX AAA Server to send the Event-Timestamp attribute in outgoing messages, add the following SQL mapping in the SQLAction that creates the client request:
FUNC(get_cur_timestamp) RAD(Event-Timestamp, REPLY)
To add the Event-Timestamp attribute in outgoing Disconnect requests, add this mapping in the CreateDisconnectReq or CreateDisconnectReqServerGroup SQLAction within the /etc/opt/aaa/sqlaccess.config file. To add the Event-Timestamp value in outgoing CoA requests, add this mapping in the CreateCoAReq or CreateCoAReqServerGroup SQLAction within the /etc/opt/aaa/sqlaccess.config file.
Configuring the Event Timestamp Window for Replay Protection Using HP-UX AAA Server Manager
To configure the Event Timestamp window for replay protection, complete the following steps:
1. Log in to HP-UX AAA Server Manager.
2. Click Server Properties. The Server Properties window is displayed as follows:
Figure 20-15 Server Properties
3. Click AAA Server as a Client Properties. The Server Properties (CLIENT) window is displayed as follows:
Figure 20-16 Server Properties (CLIENT)
4. Click Global Event Timestamp Window. The Server Properties: Modify Property window is displayed as follows:
Figure 20-17 Server Properties: Modify Property (Event Timestamp)
5. Enter the time window (in seconds) for which the incoming Event-Timestamp attribute is valid.
Message-Authenticator
The Message-Authenticator attribute provides additional protection for RADIUS messages against forged messages and message tampering. You can use the Message-Authenticator attribute to authenticate and integrity-protect Dynamic Authorization messages. The HP-UX AAA Server discards all incoming messages that include an invalid Message-Authenticator attribute.
The Message-Authenticator attribute is verified only if it is present in the incoming message; if it is absent, no check is made. To ensure that Message-Authenticator checking occurs, add the following lines in the /etc/opt/aaa/client-reply-ingress.grp client reply ingress policy file. For more information on Message-Authenticator, see RFC 2869.
if( count(Message-Authenticator) = 0 ) {
  exit "NAK"
}
To add the Message-Authenticator attribute in outgoing messages, add the following line in the /etc/opt/aaa/client-request-egress.grp client request egress policy file:
insert Message-Authenticator = "0000000000000000"
This line adds a placeholder Message-Authenticator value to the request. The HP-UX AAA Server calculates the correct Message-Authenticator value and replaces the placeholder before sending the message.
NOTE: The length of the Message-Authenticator string must be 16.
Reverse Path Forwarding Check for Proxies
The Dynamic Authorization proxy functionality can perform a Reverse Path Forwarding (RPF) check to verify that a Dynamic Authorization request originated from an authorized Dynamic Authorization Client (DAC). The HP-UX AAA Server extracts the realm from the user name and determines the corresponding HP-UX AAA Servers from the realm routing tables configured in the /etc/opt/aaa/authfile or the Proxies screen in the HP-UX AAA Server Manager. If the request is not from an authorized source, the request is discarded.
This feature is disabled by default. You can enable the feature using the enable_rpf_check attribute in the aaa.config file. For more information on the attribute, see “Dynamic Authorization-Related Configuration Items” (page 525).
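An added example (illustrative code, not part of the HP-UX AAA Server) that puts the two proxy routing rules from the previous section, the secondary-server failover setting and the RPF check together in one decision function. The routing tables, server addresses (RFC 5737 documentation ranges) and NAS name are constructed; evaluating the NAS-Identifier rule before the realm rule is an assumption, since the page gives no precedence; and, as on the page, the RPF check is off unless enabled.

```python
DYNAUTH_CODES = ("Disconnect-Request", "COA-Request")

# Constructed tables. REALM_SERVERS stands in for the realm routing table in
# /etc/opt/aaa/authfile or the Proxies screen: the servers authorised to
# originate requests for a realm. REALM_TARGETS and NAS_TARGETS stand in for the
# two proxy-egress rules: (primary, secondary) proxy target per realm or NAS.
REALM_SERVERS = {
    "example.com": ["203.0.113.10", "203.0.113.11"],
    "partner.net": ["198.51.100.5"],
}
REALM_TARGETS = {
    "example.com": ("192.0.2.10", "192.0.2.11"),
    "partner.net": ("192.0.2.20", None),
}
NAS_TARGETS = {"nas1.example.com": ("192.0.2.30", None)}


def realm_of(user_name):
    """Equivalent of substr(User-Name after "@"); None if there is no realm part."""
    if not user_name or "@" not in user_name:
        return None
    return user_name.split("@", 1)[1].lower()


def select_proxy_target(packet):
    """Proxy egress routing for Disconnect/CoA requests. Returns (primary,
    secondary) where secondary plays the role of Client-Request-Secondary-Server,
    or None when no rule matches. NAS rule first, then realm (assumption)."""
    if packet.get("Interlink-Packet-Code") not in DYNAUTH_CODES:
        return None
    nas_target = NAS_TARGETS.get(packet.get("NAS-Identifier", ""))
    if nas_target:
        return nas_target
    return REALM_TARGETS.get(realm_of(packet.get("User-Name")))


def rpf_check(packet, source_address):
    """Reverse Path Forwarding check: the realm taken from User-Name must map to a
    configured server set, and the request must have come from one of them."""
    servers = REALM_SERVERS.get(realm_of(packet.get("User-Name")))
    return bool(servers) and source_address in servers


def proxy_dynauth_request(packet, source_address, enable_rpf_check=False):
    """Decision a proxy DAS makes for one incoming request.
    Returns ("forward", primary, secondary) or ("discard", reason)."""
    if packet.get("Interlink-Packet-Code") not in DYNAUTH_CODES:
        return ("discard", "not a dynamic authorization request")
    if enable_rpf_check and not rpf_check(packet, source_address):
        return ("discard", "RPF check failed: source not authorised for realm")
    target = select_proxy_target(packet)
    if target is None:
        return ("discard", "no proxy route for request")
    return ("forward", target[0], target[1])


if __name__ == "__main__":
    coa = {"Interlink-Packet-Code": "COA-Request", "User-Name": "alice@example.com"}
    print(proxy_dynauth_request(coa, "203.0.113.10", enable_rpf_check=True))
    print(proxy_dynauth_request(coa, "198.51.100.5", enable_rpf_check=True))
```

The last two calls show why the check exists: with RPF disabled, a CoA-Request for an example.com user is forwarded whichever configured peer it arrived from; with RPF enabled, only the servers listed for example.com are accepted as its source.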
Configuring Reverse Path Forwarding Check for Proxies Using HP-UX AAA Server Manager
To enable RPF check using HP-UX AAA Server Manager, complete the following steps:
1. Log in to HP-UX AAA Server Manager.
2. Click Server Properties. The Server Properties window is displayed as follows:
Figure 20-18 Server Properties
3. Click AAA Server as a Client Properties. The Server Properties (CLIENT) window is displayed as follows:
Figure 20-19 Server Properties (CLIENT)
4. Click Enable Reverse Path Forwarding Check. The Server Properties: Modify Property window is displayed as follows:
Figure 20-20 Reverse Path Forwarding Check
5. Click Yes to enable RPF.
Sample Configuration Files
This section describes the sample configuration files that are used to configure the HP-UX AAA Server for Dynamic Authorization. This section addresses the following topics:
• “The client-request-init.grp.dynauth Sample File” (page 327)
• “The client-reply-ingress.grp.dynauth Sample File” (page 327)
• “The sqlaccess.config.dynauth Sample File” (page 327)
• “The sqlaccess.config.dynauth_server_group Sample File” (page 329)
• “The dbsetup.sql.dynauth_server_group Sample File” (page 331)
The client-request-init.grp.dynauth Sample File
The client-request-init.grp.dynauth file is the sample client request init policy file. The following actions are performed in this sample policy file:
1. The SQL actions to be used to generate Disconnect and CoA requests are set in the attribute Client-Request-Create-ActionId.
2. The SQL actions to be used to update the session entry to indicate that it has just been processed for Disconnect and CoA are set in the attribute Client-Request-Update-ActionId.
3. The SQL actions to be used to update the session entry for which a Disconnect or CoA request timed out are set in the attribute Client-Request-Timeout-ActionId.
4. The RADIUS message type of the request is set in the attribute Interlink-Packet-Code.
5. For CoA, the Filter-Id attribute is set based on the time of the day.
The attribute Client-Action-Name is used to differentiate between Disconnect and CoA requests.
The client-reply-ingress.grp.dynauth Sample File
The client-reply-ingress.grp.dynauth file is the sample client reply ingress policy file. In this policy file, the SQL actions to be used to update the database table for the Disconnect-ACK, Disconnect-NAK, CoA-ACK and CoA-NAK responses are set in the Client-Request-Cleanup-ActionId attribute. The Interlink-Packet-Code attribute is used to determine the response type.
The sqlaccess.config.dynauth Sample File
Table 20-1 lists the SQL actions in the sqlaccess.config.dynauth file that support Dynamic Authorization.
Table 20-1 SQL Actions that Support Dynamic Authorization
SQL action: Description
CreateDisconnectReq: Queries the session table for sessions that have exceeded their session-timeout limit, and uses the information in the expired session to create a Disconnect-Request. Based on multi-row functionality, this SQL action retrieves all expired sessions using a single query.
UpdateDisconnectReq: Updates the status of the session entry to indicate that the session is processed for Disconnect-Request.
TimeoutDisconnectReq: Updates the status of the session entry to indicate that the Disconnect-Request timed out.
CleanupDisconnectedSession: Removes the session entry after receiving Disconnect-ACK.
CleanupDisconnectedSession-DHCP: Removes the session entry after receiving Disconnect-ACK. Also releases the IP address of the first session entry that was removed.
SuspendDisconnectedSession: Updates the status of the session entry after receiving a Disconnect-NAK.
CreateCoAReq: Sends CoA requests for all sessions at 08:00 and 20:00 hours to change the Filter-Id to daytime_filter and nighttime_filter respectively. Based on multi-row functionality, this SQL action retrieves all expired sessions using a single query.
UpdateCoAReq: Updates the status of the session entry to indicate that the session is already processed for CoA-Request.
TimeoutCoAReq: Updates the status of the session entry to indicate that the CoA-Request timed out.
UpdateCoASession: Updates the session entry after receiving CoA-ACK.
SuspendCoASession: Updates the status of the session entry after receiving CoA-NAK.
UpdateTimedOutSessions: Restores timed out sessions to ACTIVE state after 60 seconds. Subsequently, Disconnect or CoA requests can be resent. Each time a Disconnect or a CoA request for a session times out, the session is disabled for 60 seconds.
RestoreDroppedSessions: Checks the database for sessions for which the Disconnect or CoA requests cannot be sent after updating the session_status attribute. For example, if a HUP signal is received, all the requests are purged from the queue. Under such circumstances, sessions that are updated with DISCONNECT_INIT will not be processed again. Checking the database for such sessions ensures that the sessions are restored to ACTIVE state.
AuthorizeSession: Sends an Access-Reject and disconnects a session if the session is not found in the session table. If the session is found, this SQL action sends an Access-Accept to reauthorize the session with a new Filter-Id value.
The sqlaccess.config.dynauth_server_group Sample File
The sqlaccess.config.dynauth_server_group file contains the SQL actions required to implement the dynamic authorization functionality for Disconnect and CoA requests when multiple HP-UX AAA Servers are configured as a group. You can modify these SQL actions based on your requirements. Table 20-2 lists the SQL actions in the sqlaccess.config.dynauth_server_group file that support Dynamic Authorization.
Table 20-2 SQL Actions that Support Dynamic Authorization in Groups
SQL action: Description
StartSessionServerGroup: Creates a user session entry in the session table. This SQL action is used only when multiple HP-UX AAA Servers are configured as a group.
UpdateServerTable: Creates a row for the HP-UX AAA Server in the RAD_SERVER_TABLE, if a row does not exist. If a row exists for the HP-UX AAA Server, the SQL action executes a stored procedure that updates the row. A mapping function is used to retrieve a unique server name.
DistributeDisconnectSessions: Executes a stored procedure every second. The stored procedure distributes the expired sessions among the live HP-UX AAA Servers in the group.
CreateDisconnectReqServerGroup: Queries the session table for sessions assigned to the HP-UX AAA Server, to process Disconnect requests. The SQL action also uses the information in the expired session to create a Disconnect-Request. The SQL action implements the multi-row functionality to retrieve all expired sessions using a single query.
UpdateDisconnectReqServerGroup: Updates the status of the session entry to indicate that it is already processed for Disconnect-Request. This SQL action is used only when multiple HP-UX AAA Servers are configured as a group.
TimeoutDisconnectReqServerGroup: Updates the status of the session entry to indicate that the Disconnect-Request has timed out. This SQL action is used only when multiple HP-UX AAA Servers are configured as a group.
CleanupDisconnectedSession: Removes the session entry for which a Disconnect-ACK was received.
CleanupDisconnectedSession-DHCP: Removes the session entry after receiving Disconnect-ACK. Also releases the IP address of the first session entry that was removed.
SuspendDisconnectedSessionServerGroup: Updates the status of a session entry for which Disconnect-NAK was received. This SQL action is used only when multiple HP-UX AAA Servers are configured as a group.
DistributeCoASessions: Distributes the list of sessions for which CoA requests must be sent among the live HP-UX AAA Servers in the group. This SQL action is used only when multiple HP-UX AAA Servers are configured as a group.
CreateCoAReqServerGroup: Creates CoA requests to change data filters. This SQL action is used only when multiple HP-UX AAA Servers are configured as a group.
UpdateCoAReqServerGroup: Updates the status of the session entry to indicate that it is already processed for CoA-Request. This SQL action is used only when multiple HP-UX AAA Servers are configured as a group.
TimeoutCoAReqServerGroup: Updates the status of the session entry to indicate that the CoA-Request has timed out. This SQL action is used only when multiple HP-UX AAA Servers are configured as a group.
UpdateCoASessionServerGroup: Updates the session entry for which CoA-ACK was received. This SQL action is used only when multiple HP-UX AAA Servers are configured as a group.
SuspendCoASessionServerGroup: Updates the status of a session entry for which CoA-NAK was received. This SQL action is used only when multiple HP-UX AAA Servers are configured as a group.
UpdateTimedOutSessionsServerGroup: Restores timed out sessions to ACTIVE state after 60 seconds. Subsequently, Disconnect or CoA requests can be resent. Each time a Disconnect or a CoA request for a session times out, the session is disabled for 60 seconds. This SQL action is used only when multiple HP-UX AAA Servers are configured as a group.
RestoreDroppedSessionsServerGroup: Checks the database for sessions for which the Disconnect or CoA requests cannot be sent after updating the session_status attribute. For example, if a HUP signal is received, all the requests are purged from the queue. Under such circumstances, sessions that are updated with DISCONNECT_INIT will not be processed again. Checking the database for such sessions ensures that the sessions are restored to ACTIVE state. This SQL action is used only when multiple HP-UX AAA Servers are configured as a group.
AuthorizeSession: Sends an Access-Reject and disconnects a session if the session is not found in the session table. If the session is found, this SQL action sends an Access-Accept to reauthorize the session with a new Filter-Id value.
The dbsetup.sql.dynauth_server_group Sample File

The dbsetup.sql.dynauth_server_group sample file contains the SQL commands required to create tables and stored procedures in the database server. Table 20-3 lists the stored procedures and tables.

Table 20-3 Tables and Stored Procedures in the dbsetup.sql.dynauth_server_group File

Table or Stored Procedure: Description

RAD_SERVER_TABLE: Contains information related to the HP-UX AAA Servers that are sharing the same database tables. This table is used to keep track of the live HP-UX AAA Servers.

update_server_table: Updates the UPDATE_TIME value of the entry corresponding to the HP-UX AAA Server passed in as argument, in the RAD_SERVER_TABLE. If an entry for the server is not available in the table, an entry is added to the table.

distribute_disconnect_sessions: Distributes those expired sessions that need to be disconnected among the live HP-UX AAA Servers of a group, for Disconnect request processing. The number of expired sessions is retrieved from the RAD_SESS_TABLE based on the session_timeout value configured for the sessions. The number of live HP-UX AAA Servers is obtained from the RAD_SERVER_TABLE based on the UPDATE_TIME value. The sessions are assigned to the servers by setting the SESSION_STATUS to <groupname>_DISCONNECT. The number of expired sessions for Disconnect processing assigned to each server is equal to ((number of sessions/number of servers) + 1). If an HP-UX AAA Server is down, because the UPDATE_TIME in the RAD_SERVER_TABLE was not updated for some time, the assigned sessions are reset to the ACTIVE state to ensure that the sessions are assigned to one of the live HP-UX AAA Servers.

distribute_coa_sessions: Distributes those sessions that need to be changed among the live HP-UX AAA Servers of a group, for CoA request processing. The number of sessions is retrieved from the RAD_SESS_TABLE. The number of live HP-UX AAA Servers is obtained from the RAD_SERVER_TABLE based on the UPDATE_TIME value. The sessions are assigned to the servers by setting the SESSION_STATUS to <groupname>_CoA. The number of expired sessions for CoA processing assigned to each server is equal to ((number of sessions/number of servers) + 1). If an HP-UX AAA Server is down, because the UPDATE_TIME in the RAD_SERVER_TABLE was not updated for some time, the assigned sessions are reset to the ACTIVE state to ensure that the sessions are assigned to one of the live HP-UX AAA Servers.
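The distribution rule that Table 20-3 describes for distribute_disconnect_sessions (live servers selected by UPDATE_TIME, (sessions/servers) + 1 per server, sessions stuck on a dead server reset to ACTIVE), written out as an added Python/sqlite3 model; this is illustrative code, not the stored procedure shipped in dbsetup.sql.dynauth_server_group. It assumes integer Unix timestamps, a fixed liveness window (LIVE_WINDOW_SECS) for UPDATE_TIME, expiry computed as sess_start_time + session_timeout, and uses the from_host column of RAD_SESS_TABLE to record the assigned server (the guide lists that column but does not document that use).

```python
import sqlite3

# Assumption: a server whose UPDATE_TIME is older than this is treated as down.
LIVE_WINDOW_SECS = 120


def setup_db():
    """In-memory schema with only the columns this model uses (names from the guide)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE RAD_SERVER_TABLE (server_name TEXT PRIMARY KEY, "
                 "update_time INTEGER)")
    conn.execute("CREATE TABLE RAD_SESS_TABLE (session_id TEXT PRIMARY KEY, "
                 "user_name TEXT, sess_start_time INTEGER, session_timeout INTEGER, "
                 "session_status TEXT, from_host TEXT)")
    return conn


def update_server_table(conn, server, now):
    """Model of update_server_table: refresh the server's UPDATE_TIME, inserting it if absent."""
    cur = conn.execute("UPDATE RAD_SERVER_TABLE SET update_time = ? WHERE server_name = ?",
                       (now, server))
    if cur.rowcount == 0:
        conn.execute("INSERT INTO RAD_SERVER_TABLE (server_name, update_time) VALUES (?, ?)",
                     (server, now))
    conn.commit()


def live_servers(conn, now):
    """Servers whose heartbeat is recent enough, in a stable order."""
    rows = conn.execute("SELECT server_name FROM RAD_SERVER_TABLE "
                        "WHERE update_time >= ? ORDER BY server_name",
                        (now - LIVE_WINDOW_SECS,))
    return [r[0] for r in rows]


def distribute_disconnect_sessions(conn, groupname, now):
    """Model of distribute_disconnect_sessions.

    1. Sessions handed to a server that has since gone quiet return to ACTIVE.
    2. Expired ACTIVE sessions (start + timeout reached) are marked
       <groupname>_DISCONNECT and spread over the live servers,
       (sessions // servers) + 1 per server, as the guide states.
    Returns {server_name: [session_id, ...]}.
    """
    status = f"{groupname}_DISCONNECT"
    live = live_servers(conn, now)
    if not live:
        # No live server: release every pending assignment and stop.
        conn.execute("UPDATE RAD_SESS_TABLE SET session_status = 'ACTIVE', from_host = NULL "
                     "WHERE session_status = ?", (status,))
        conn.commit()
        return {}
    marks = ",".join("?" * len(live))
    conn.execute(f"UPDATE RAD_SESS_TABLE SET session_status = 'ACTIVE', from_host = NULL "
                 f"WHERE session_status = ? AND (from_host IS NULL OR from_host NOT IN ({marks}))",
                 (status, *live))

    expired = [r[0] for r in conn.execute(
        "SELECT session_id FROM RAD_SESS_TABLE WHERE session_status = 'ACTIVE' "
        "AND sess_start_time + session_timeout <= ? ORDER BY session_id", (now,))]

    per_server = len(expired) // len(live) + 1
    assignment = {s: [] for s in live}
    for i, sid in enumerate(expired):
        server = live[i // per_server]          # index never exceeds len(live) - 1
        assignment[server].append(sid)
        conn.execute("UPDATE RAD_SESS_TABLE SET session_status = ?, from_host = ? "
                     "WHERE session_id = ?", (status, server, sid))
    conn.commit()
    return assignment


def run_sample(now=1000):
    """Constructed scenario: two live servers, one dead, and a mix of sessions."""
    conn = setup_db()
    update_server_table(conn, "aaa1", now)
    update_server_table(conn, "aaa2", now)
    update_server_table(conn, "aaa3", now - 500)           # stale heartbeat: down
    sessions = [
        # session_id, user_name, sess_start_time, session_timeout, session_status, from_host
        ("s1", "u1", 0, 600, "ACTIVE", None),
        ("s2", "u2", 0, 600, "ACTIVE", None),
        ("s3", "u3", 0, 600, "ACTIVE", None),
        ("s4", "u4", 0, 600, "ACTIVE", None),
        ("s5", "u5", 0, 600, "ACTIVE", None),
        ("s6", "u6", 900, 600, "ACTIVE", None),             # not yet expired
        ("s7", "u7", 0, 600, "grp_DISCONNECT", "aaa3"),     # stuck on the dead server
    ]
    conn.executemany("INSERT INTO RAD_SESS_TABLE VALUES (?, ?, ?, ?, ?, ?)", sessions)
    assignment = distribute_disconnect_sessions(conn, "grp", now)
    statuses = dict(conn.execute("SELECT session_id, session_status FROM RAD_SESS_TABLE"))
    return assignment, statuses


if __name__ == "__main__":
    print(run_sample())
```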
Part IV Integrating the HP-UX AAA Server With External Services

This part of the HP-UX AAA Server Administrator’s Guide contains the following chapters:
• Chapter 21: “LDAP Authentication” (page 335)
• Chapter 22: “SQL Access” (page 338)
• Chapter 23: “Simple Network Management Protocol (SNMP) Support” (page 386)
• Chapter 24: “VPN Tunneling” (page 388)
• Chapter 25: “Using DHCP” (page 390)
Table of Contents

21 LDAP Authentication ... 335
  LDAP Server Compatibility ... 335
  Related LDAP Documentation ... 335
  Authentication with LDAP ... 335
    Configuring the LDAP Server ... 335
      The HP-UX AAA Server LDAP Schema ... 336
      To Configure Netscape Directory Server v6 ... 337
      To Configure iPlanet Directory Server v5 ... 337
      To Configure OpenLDAP 2.0.x ... 337
22 SQL Access ... 338
  SQL Access Overview ... 338
    SQL Access Concepts ... 339
      RADIUS Attribute to SQL Statement Mapping ... 340
      Mapping Functions ... 341
      Conversion Functions ... 341
      SQL Action Processing and Result Handling ... 342
  Implementing SQL Access ... 342
    Sample Implementation Files ... 342
      sqlaccess.config Sample File ... 343
      dbsetup.sql Sample File ... 345
      Finite State Machine Sample ... 346
    Pre-requisites for SQL Access ... 346
      Database Server and Schema ... 346
        Database Security ... 347
        High Availability ... 347
      Database Client ... 347
        Shared Library Path Configuration ... 348
      Database Client Connector Libraries ... 348
    SQL Access Implementation Details ... 348
    sqlaccess.config File Configuration ... 349
      Database Connection Definition ... 350
      SQL Actions ... 352
      Mapping Syntax ... 353
        RAD Mapping ... 355
        DBC Mapping ... 356
        DBP Mapping ... 357
        RET Mapping ... 359
        Mapping Functions ... 359
        Conversion Functions ... 361
      SQL Statement ... 362
      SQL Result Mapping ... 364
        Result Handling for Retrieval Requests ... 366
      Global Definitions ... 369
    Advanced SQL Mapping Configuration ... 369
      Developing Custom Functions ... 369
      Null SQL Statements ... 370
      Null Source and Target Mapping ... 370
      Time Synchronization ... 371
      Finite State Table Configuration in the FSM ... 372
      Stored Procedures ... 373
  Administering Users and Tokens Stored in an SQL Database ... 374
    Managing Users ... 375
      Adding Users to an SQL Database ... 375
      Modifying User Credentials ... 377
    Managing Users Using OTP to Authenticate ... 378
      Importing Tokens into the Database ... 378
      Assigning Tokens to Users ... 379
        Assigning a Specific Token to a User ... 379
        Allocating Any Available Tokens to a User ... 380
      Enrolling Tokens (Procedure for Users) ... 380
      Synchronizing Tokens (Procedure for Users) ... 382
      Terminating Tokens ... 383
    Viewing User and Token Statistics ... 383
    Valid Token Status Values ... 383
    Invoking the User Database Administration Manager Interface from Server Manager ... 384
  Multi-Row Support For SQL Access ... 385
23 Simple Network Management Protocol (SNMP) Support ... 386
  Setting Up SNMP to Monitor the HP-UX AAA Server ... 386
24 VPN Tunneling ... 388
  Establishing a Tunnel for a User ... 388
25 Using DHCP ... 390
  Required DHCP Server Features ... 390
    Recommended DHCP Server Features ... 390
  Defining DHCP Address Pools for Specific Users ... 390
    To Associate an Address Pool with a User Profile in AAA Server Flat Files ... 390
    To Associate an Address Pool with a User Profile in an LDAP LDIF File ... 391
  Associating Address Pools with Realms and Other Conditions ... 391
21 LDAP Authentication

The Lightweight Directory Access Protocol (LDAP) authentication type provides a method for storing user profiles on an LDAP server. LDAP servers are useful when managing a large number of user profiles.

NOTE: You can download Red Hat/Netscape Directory Server for HP-UX from www.software.hp.com.

LDAP Server Compatibility

The HP-UX AAA Server is designed to interoperate with LDAP Version 3 compliant directories. Refer to the HP-UX AAA Server Release Notes at http://docs.hp.com on the Internet and Security Solutions page to see the directory suppliers and versions that are currently certified with the HP-UX AAA Server.

Related LDAP Documentation

This LDAP documentation assumes that you are familiar with LDAP server management and configuration.

For more information on the Red Hat/Netscape Directory Server for HP-UX, go to the Internet and Security Solutions page at http://docs.hp.com.

For more information on the OpenLDAP Server, including information on downloading the software, go to the Internet Express for HP-UX page at www.hp.com/go/internetexpress.

Authentication with LDAP

The HP-UX AAA Server can utilize one or more LDAP servers to retrieve user profile information and/or to authenticate the user directly with LDAP by attempting an LDAP directory bind operation using the user's credentials.

You can specify LDAP authentication on a per realm basis. Each realm can be configured with up to four redundant LDAP directories, which are used by the server when it performs load balancing and failover.

Configuring the LDAP Server

On the machine hosting the LDAP server, LDAP configuration files must be modified or created in order to implement authorization. For security reasons, install the LDAP Server on the same machine as the HP-UX AAA Server. Alternatively, have both servers on the same secure network, or have them secured via LDAP/SSL.
NOTE: The following procedures are required if your user entries are using attributes defined in the aaaPerson object class. If you are only storing user profiles based on the core LDAP inetOrgPerson object class (to retrieve the user ID and password), the following procedures are not necessary.

The HP-UX AAA Server LDAP Schema

The HP-UX AAA Server LDAP schema consists of the aaaPerson object class and a set of LDAP attributes utilized by aaaPerson. Note that while the AAA LDAP schema is not mandatory, it is useful for providing commonly used RADIUS functionality. The following LDAP attributes are included in the AAA Server LDAP Schema:

Table 21-1 The HP-UX AAA Server LDAP Schema

LDAP Attribute: Description

aaacheck: RADIUS Check items in A-V pair string format.
aaadeny: RADIUS Deny items in A-V pair string format.
aaareply: RADIUS Reply attributes in A-V pair string format.
user-id: User name*.
user-password: User password. If not present, userpassword from inetOrgPerson is used.

* Can be specified by entering User-ID as the search filter in the LDAP client configuration in the AAA Server manager. If no search filter is specified, the uid attribute of the inetOrgPerson object class is used.

LDIF files are a text based representation of LDAP data, and are used to import and export data into an LDAP directory. The following is an example of an LDIF entry for an AAA Server user profile:

dn: uid=deshen,ou=Groups,dc=chicago,dc=example,dc=com
objectclass: top
objectclass: aaaperson
cn: depakshen
sn: shen
uid: deshen
userpassword: mypass
aaareply: Reply-Message="Hello, deshen"
aaareply: Session-Timeout=60
aaacheck: NAS-Identifier="localnet"
To Configure Netscape Directory Server v6

1. Copy /opt/aaa/examples/proldap/55iaaa-radius.ldif to the LDAP server schema directory (/var/opt/netscape/servers/slapd-<hostname>/config/schema).
2. Restart the directory server.
3. Create an LDIF file for your user profiles and import it into the directory.

To Configure iPlanet Directory Server v5

1. Copy /opt/aaa/examples/proldap/55iaaa-radius.ldif to the LDAP server schema directory (/var/opt/iplanet/servers/slapd-<hostname>/config/schema).
2. Restart the directory server.
3. Create an LDIF file for your user profiles and import it into the directory.

To Configure OpenLDAP 2.0.x

1. Copy iaaa-radius.schema from /opt/aaa/examples/proldap/ to the OpenLDAP server (usually /usr/local/etc/openldap/schema).
2. Modify slapd.conf by adding the following include lines (the iaaa-radius schema depends on the cosine and inetorgperson schemas, so they must be included first):

include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/iaaa-radius.schema

3. Restart the directory server.
4. Create an LDIF file for your user profiles and import it into the directory.

NOTE: Refer to “Configuring Realms for LDAP” (page 112) for information on configuring the AAA Server for LDAP Access.
22 SQL Access
IMPORTANT: The Oracle authentication module is obsolete in this release of the HP-UX AAA Server. The Oracle authentication module is supported using SQL Access. HP recommends that you set up your HP-UX AAA Server to interact with the Oracle database using the SQL Access feature.

This chapter introduces the SQL Access feature, describes how it works and how to configure the HP-UX AAA Server for SQL Access. The term SQL Access is used throughout this guide to refer to the functionality that allows flexible and customizable access to an SQL database. This chapter also discusses how to manage user and token information that is stored in an SQL database. This chapter addresses the following topics:
• “SQL Access Overview” (page 338)
• “Implementing SQL Access” (page 342)
• “Administering Users and Tokens Stored in an SQL Database” (page 374)
• “Multi-Row Support For SQL Access” (page 385)

SQL Access Overview

SQL Access offers a highly flexible interface to customize the functionality of the HP-UX AAA Server to meet your business requirements. In its basic implementation, SQL Access executes user specified SQL statements against database columns that are mapped to RADIUS attributes. More advanced customizations, such as using customized functions, are also possible.

The ability to integrate the HP-UX AAA Server with an SQL compliant database offers the following benefits:
• Provides scalability across multiple AAA servers by using a database as a central repository for user, account, and session information.
• Enables you to integrate AAA servers with existing databases for authentication, authorization, and session management.
• Allows session state tracking and session limit enforcement to be shared across multiple AAA servers for greater scalability and availability.
• Enables the extension of AAA server functionality by introducing customized behaviors using the combination of SQL Access and Finite State Machine (FSM) modifications.

Figure 22-1 shows the interaction between the various components to implement the SQL Access feature.
Figure 22-1 SQL Access Components
When the AAA Server receives a RADIUS request to perform an action (for example, authentication), it calls the SQL Access AATV if SQL Access is configured. The SQL Access AATV maps RADIUS attributes to database columns and prepares user defined SQL statements for execution. The connector libraries pass the SQL statements to vendor supplied database client libraries, which in turn communicate with the database. After the database returns the query results, the SQL Access AATV maps the resulting database columns to RADIUS attributes for further processing by the AAA Server. The definition of the input into the SQL statements (input map), the SQL statement itself, and the output definition (output map) is called an SQL action.

SQL Access Concepts

SQL actions are defined in the /etc/opt/aaa/sqlaccess.config file as a set of one or more combinations of SQL mappings and user defined SQL statements that are executed against the database.

SQL mappings consist of input and output maps. An input map consists of one or more input mapping entries, which identify the input into an SQL statement. An output map consists of one or more output mapping entries, which identify what to do with the output from the SQL statement. Each mapping entry, input or output, consists of a source and a target component.

Mappings without SQL statements are possible, and SQL statements can be executed without mapping entries. See “Advanced SQL Mapping Configuration” (page 369) for more information.
RADIUS Attribute to SQL Statement Mapping

You can use SQL mappings to define how to associate or "map" RADIUS attributes to and from the input and output of your SQL statement. The execution of the SQL statement and associated mappings occur in three steps:
1. Input mappings
2. SQL statement execution
3. Output mappings

In the typical case, you map RADIUS attributes (input source) to SQL statement placeholders (input target). The AAA Server binds the RADIUS data to the SQL statement in preparation for execution.

After execution of the SQL statement, the AAA Server processes the output mappings, which typically consist of a mapping to check the result of the SQL statement execution and one or more mappings of database columns (output source) to RADIUS reply attributes (output target). A new RADIUS attribute will be allocated for each output mapping.

For maximum flexibility and customization, there are no pre-determined or hard coded relationships between database columns and RADIUS attributes; that relationship is created entirely through the sqlaccess.config file. See “sqlaccess.config File Configuration” (page 349) for complete configuration definitions of the sqlaccess.config file.

Figure 22-2 (page 341) illustrates the SQL mapping concept for RADIUS attribute to database column mapping for a specific access request using OCI, in this example by user John.
Figure 22-2 RADIUS Attribute to SQL Statement Mapping
During input mapping, the value for the RADIUS attribute User-Name is passed to the SQL statement SELECT as a search value into the database table USERTABLE, using the SQL placeholder to bind to the data value John. The output mapping entry tells the SQL Access AATV that the database column db_passwd maps to the RADIUS attribute password, with a returned value of Johnpass in the attribute-value pair.

Mapping Functions

You can also use a pre-defined or user-defined mapping function as the source or target of a mapping. For example, the pre-defined mapping function get_sid retrieves the session ID from the RADIUS request's CLASS attribute-value pair or generates a unique session ID if the CLASS attribute-value pair does not exist. You can then insert the session ID value into a database table using the SQL INSERT command to allow for session management via SQL Access.

Conversion Functions

Pre-defined or user-defined conversion functions execute on the data in transit between the source and the target of a mapping. For example, the pre-defined conversion function AAAIPv6toString converts a binary format IPv6 address to an ANSI string suitable for generating human readable output. This can be used to translate an IPv6 address from a RADIUS attribute to a string formatted column in the database.
SQL Action Processing and Result Handling

The SQL Access AATV processes all mapping entries of an SQL action in the order in which they are defined in the sqlaccess.config file. It first processes all input mapping entries in order, then executes the SQL statement, and finally processes the output mapping entries in order.

SQL actions start with an event of ACK, and mapping entries usually return an event of ACK. If any mapping entry returns an event other than ACK, the SQL processing is stopped and control is immediately returned to the FSM. You can control this behavior with customized mapping functions that set pre-defined or custom event codes other than ACK.

If all mapping entries are processed successfully, the SQL Access AATV returns control to the FSM at the end of the SQL action with an ACK event or a customized value for the event code.

Note that by default, the AAA Server will not take any action based on the SQL statement execution result code returned by the database client library. However, you can configure an SQL result output mapping to define the behavior of the AAA Server based on the SQL statement result. For more information on how to control execution based on result codes from SQL statement execution, see “SQL Result Mapping” (page 364).

NOTE: An SQL query can return more than one matching row; however, only the first row of a result is used for output mapping.
Implementing SQL Access

SQL Access requires that you configure and modify a number of mandatory and optional files based on your implementation. HP recommends that you start with the sample implementation files to facilitate the initial set up and configuration for SQL Access before further customization to meet your particular business need.

Sample Implementation Files

The sample set of configuration files and scripts sets up a working environment that uses SQL statements to retrieve user and token entries, and optionally performs accounting and session management in a multi-server environment. See “SQL Access Implementation Details” (page 348) for more information on the functional details of the sample implementation.

There are two sets of sample configuration files:
• /opt/aaa/examples/sqlaccess/oracle-1: files to set up a sample implementation for Oracle 10g and OCI client. See the README in that directory for detailed information on how to install your sample SQL Access implementation for Oracle.
• /opt/aaa/examples/sqlaccess/mysql-1: files to set up a sample implementation for MySQL and Unix ODBC driver. See the README in that directory for detailed information on how to install your sample SQL Access implementation for MySQL.

NOTE: The database server and client are not provided with the HP-UX AAA Server. However, HP supports connectivity to selected database clients and provides a corresponding client connector library for those supported clients.

The following sections provide an overview of the sample implementation:
sqlaccess.config Sample File

The sqlaccess.config sample file is configured for the database tables defined in the schema files provided with this sample configuration. Its SQL actions operate on the database tables as follows:

Table 22-1 The sqlaccess.config Sample File

SQL Action | Table Operated On | Operation

RetrieveUser | RAD_USERS_TABLE | Retrieves the user profile. Uses SQL result mapping to test that at least one row is returned and sets the event to RETRIEVE_SUCCESS upon exiting to the FSM.

RetrieveToken | RAD_TOKENS_TABLE | Retrieves token information. Uses SQL result mapping to test that at least one row is returned and sets the event to RETRIEVE_SUCCESS on exiting to the FSM.

RetrieveUserAndToken | RAD_TOKENS_TABLE and RAD_USERS_TABLE | Retrieves user and token information. Uses SQL result mapping to test that at least one row is returned and sets the event to RETRIEVE_SUCCESS on exiting to the FSM.

UpdateSequenceCounterAndSuccessAuthCount | RAD_TOKENS_TABLE | A stored procedure that is created using dbsetup.sql. This procedure updates the sequence counter that is passed as an argument. This action is called after successful OTP authentication. This stored procedure also increments the success authentication count.

UpdateFailedAuthCountAndTokenStatus | RAD_TOKENS_TABLE | A stored procedure that is created using dbsetup.sql. This procedure increments the failed authentication count after a failed authentication. This stored procedure also increments the lock counter for each failed authentication. If the number of consecutive failed authentication attempts is greater than the configured token lock counter value (default 6), where the time interval between two consecutive failed authentication attempts is less than 60 seconds, it updates the token status to LOCKED.

InsertAcct | RAD_ACCT_TABLE | Inserts a row into the accounting table for each user to start accounting.

UpdateAcct | RAD_ACCT_TABLE | Updates the column update_time in the accounting table with the current time for an active account.

StopAcct | RAD_ACCT_TABLE | Sets the stop time in the accounting table for a given session ID.

StartSession | RAD_SESS_TABLE | Inserts a user session entry.

StopSession | RAD_SESS_TABLE | Removes a user session entry.

CleanupExpiredSessions | RAD_SESS_TABLE | Removes all expired sessions that are older than 24 hours.

StopAllAccts | RAD_ACCT_TABLE | Sets the stop time for all accounts that match the client’s NAS identifier.

CleanupAllSessions | RAD_SESS_TABLE | Removes all sessions from the session table that match the client’s NAS identifier.

StopSession-DHCP (OCI only) | RAD_SESS_TABLE | Uses a stored procedure to return the IP address of the session entry and removes the entry with a matching session id from the session table. The returned IP address is passed to the AAAFreeIP mapping function to initiate the releasing of the IP address via DHCP.
dbsetup.sql Sample File

The dbsetup.sql sample file creates the database tables RAD_USERS_TABLE, RAD_TOKENS_TABLE, RAD_ACCT_TABLE, and RAD_SESS_TABLE with the following columns and inserts a test user into RAD_USERS_TABLE:

RAD_USERS_TABLE: user_name, user_password, framed_protocol, framed_ip_addr, framed_ip_netmask, framed_routing, address_pool, security_question, security_answer, mailing_address, mailing_city, mailing_state, mailing_pin, mailing_country, email_id, work_phone, mobile_phone

RAD_TOKENS_TABLE: serial_number, user_name, manufacturer, token_status, seq_counter, shared_secret, otp_length, lookup_window, checksum, activation_code, success_auth_count, failed_auth_count, failed_lock_count, locktime

RAD_ACCT_TABLE: start_time, stop_time, update_time, code, user_name, session_id, nasid, nasport, service_type, framed_service, login_service

RAD_SESS_TABLE: sess_start_time, session_id, user_name, nasid, nasport, assigned_framed_ip, client_hw_address, client_identifier varchar2(100), session_timeout number(11), from_host varchar2(253), session_status varchar2(253), sess_mod_time TIMESTAMP, filter_id varchar2(253)

In addition, the dbsetup.sql script for OCI creates a stored procedure to first retrieve the IP address for a session ID and then to delete it from the session table RAD_SESS_TABLE.
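The token lock rule that Table 22-1 gives for UpdateFailedAuthCountAndTokenStatus, and the counter update of UpdateSequenceCounterAndSuccessAuthCount, worked through as an added Python/sqlite3 model over the RAD_TOKENS_TABLE columns listed above; this is illustrative code, not the stored procedures in dbsetup.sql. It assumes locktime holds the Unix time of the most recent failure and that failed_lock_count restarts at 1 when the gap since the previous failure is 60 seconds or more (the guide states only the locking condition, not how the lock counter is cleared).

```python
import sqlite3

TOKEN_LOCK_COUNTER = 6    # configured token lock counter value (guide default)
LOCK_INTERVAL_SECS = 60   # failures closer together than this count as consecutive


def setup_db():
    """In-memory RAD_TOKENS_TABLE with the columns this model touches (names from the guide)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""
        CREATE TABLE RAD_TOKENS_TABLE (
            serial_number      TEXT PRIMARY KEY,
            user_name          TEXT,
            token_status       TEXT,
            seq_counter        INTEGER,
            success_auth_count INTEGER DEFAULT 0,
            failed_auth_count  INTEGER DEFAULT 0,
            failed_lock_count  INTEGER DEFAULT 0,
            locktime           INTEGER
        )""")
    # Constructed sample token assigned to a constructed user.
    conn.execute("INSERT INTO RAD_TOKENS_TABLE (serial_number, user_name, token_status, "
                 "seq_counter) VALUES ('TOKEN-0001', 'deshen', 'ACTIVE', 0)")
    conn.commit()
    return conn


def token_state(conn, serial):
    """Current counters and status for a token, as a dict."""
    row = conn.execute("SELECT token_status, seq_counter, success_auth_count, "
                       "failed_auth_count, failed_lock_count FROM RAD_TOKENS_TABLE "
                       "WHERE serial_number = ?", (serial,)).fetchone()
    if row is None:
        raise KeyError(f"unknown token {serial}")
    keys = ("token_status", "seq_counter", "success_auth_count",
            "failed_auth_count", "failed_lock_count")
    return dict(zip(keys, row))


def update_failed_auth_count_and_token_status(conn, serial, now):
    """Record one failed OTP authentication at Unix time `now`; return the new token_status."""
    row = conn.execute("SELECT failed_lock_count, locktime FROM RAD_TOKENS_TABLE "
                       "WHERE serial_number = ?", (serial,)).fetchone()
    if row is None:
        raise KeyError(f"unknown token {serial}")
    lock_count, locktime = row
    # Consecutive means the previous failure was less than 60 seconds ago.
    consecutive = locktime is not None and (now - locktime) < LOCK_INTERVAL_SECS
    lock_count = lock_count + 1 if consecutive else 1   # reset-to-1 rule is an assumption
    locked = lock_count > TOKEN_LOCK_COUNTER
    conn.execute("""
        UPDATE RAD_TOKENS_TABLE
           SET failed_auth_count = failed_auth_count + 1,
               failed_lock_count = ?,
               locktime          = ?,
               token_status      = CASE WHEN ? THEN 'LOCKED' ELSE token_status END
         WHERE serial_number = ?""", (lock_count, now, int(locked), serial))
    conn.commit()
    return token_state(conn, serial)["token_status"]


def update_sequence_counter_and_success_auth_count(conn, serial, new_seq_counter):
    """Record a successful OTP authentication: store the new counter, bump the success count."""
    conn.execute("UPDATE RAD_TOKENS_TABLE SET seq_counter = ?, "
                 "success_auth_count = success_auth_count + 1 WHERE serial_number = ?",
                 (new_seq_counter, serial))
    conn.commit()
    return token_state(conn, serial)


def simulate_failures(conn, serial, times):
    """Apply one failed authentication per timestamp; return the status after each."""
    return [update_failed_auth_count_and_token_status(conn, serial, t) for t in times]


if __name__ == "__main__":
    db = setup_db()
    # Seven failures ten seconds apart: the seventh exceeds the lock counter of 6.
    print(simulate_failures(db, "TOKEN-0001", [10 * i for i in range(7)]))
    print(token_state(db, "TOKEN-0001"))
```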
Finite State Machine Sample

NOTE: If you are using SQL Access for the retrieval of user entries only, you can use your existing FSM file.

The sample implementation contains two FSM files, one modified for accounting without session management via SQL Access (sqlaccess-acct.fsm), and one that allows both accounting and session management via SQL Access (sqlaccess-acct-sess.fsm). Note that session management with DHCP is only possible for OCI in the sample implementation, and that you need to specifically modify sqlaccess-acct-sess.fsm to choose session management with or without DHCP. By default, session management is disabled in this FSM file.

Pre-requisites for SQL Access

SQL Access requires the following:
• Database Server and Schema
• Database Client and Client Connector Libraries

Database Server and Schema

If you are not using an existing database, see your database vendor's documentation to install the database server software and create an instance of the database where the tables are to be located. See the README files for the supported environments in the respective directory at /opt/aaa/examples/sqlaccess/ for specific implementation information.
You must consider the following while selecting and setting up your databaseenvironment:
Database Security
Secure communication between the database client and the database server is controlled by the database server and client software. Therefore, choose your database environment based on your organization's security requirements. You may have to consider controlling access to the database tables based on views and privileges, data encryption requirements between the database client and server, or data encryption requirements for the data stored in the database.
High Availability
SQL Access provides multiple options to configure a highly available AAA Server environment:
• Utilizing the high-availability features of the database client and server for fail-over and load balancing;
• Configuring SQL Access such that alternate or secondary SQL actions are executed depending on database availability events, or to build in redundancy for critical database transactions;
• Using the SQL Access database reconnection feature that automatically attempts reconnection to the database in the event of an unresponsive database.
These tools can be used separately or can be combined to achieve the degree of high availability required for your business.
Database Client
The AAA Server communicates with the database through the database client and client connector library. See the HP-UX AAA Server Release Notes at http://docs.hp.com/ in the Internet and Security Solutions collection for the latest list of certified database clients. Refer to your database client vendor's documentation to install the database client software on the same system where your HP-UX AAA Server resides. See the README files in the respective directory for the supported environments at /opt/aaa/examples/sqlaccess/ for specific implementation information.
Shared Library Path Configuration
The shared library path to the database client libraries must be set depending on the vendor's library path requirements and how the AAA Server is started:
• For startup using the Server Manager, modify the /opt/aaa/remotecontrol/rmistart.sh startup script
• For startup at system boot, modify the /sbin/init.d/radiusd.rc file
• For interactive startup of radiusd, set the shared library path at the command prompt or include it in your shell initialization script
See the README files for the supported environments in the respective directories at /opt/aaa/examples/sqlaccess/ for specific shared library path configuration information for the supported database clients.
Database Client Connector Libraries
For each supported database client, HP provides a corresponding client connector library. Copy the corresponding client connector library from /opt/aaa/lib/dbcon/alternate/ to the execution directory /opt/aaa/lib/dbcon. See the README files in the respective directory for the supported environments at /opt/aaa/examples/sqlaccess/ for specific client configuration.
NOTE: HP recommends that you only install one connector library to avoidco-existence problems with multiple database client vendors.
SQL Access Implementation Details
Follow the steps below to set up and configure SQL Access:
1. Install the sample implementation. See the README files in the respective directory for the supported environments at /opt/aaa/examples/sqlaccess/ for specific implementation information. Review the sample implementation, and note any modifications and customizations required for your specific implementation. See "SQL Access Implementation Details" (page 348) for information on the functionality provided by the sample implementation. If you need to customize the sample implementation, continue with steps 2 to 5.
2. Create or modify the database tables based on your implementation of SQL Access. You can use the sample schema provided in the sample configuration files located at /opt/aaa/examples/sqlaccess/oracle-1/ or /opt/aaa/examples/sqlaccess/mysql-1 as a starting point.
3. Create or modify the /etc/opt/aaa/sqlaccess.config file. This file contains database connection definitions, SQL action definitions, and an optional global definition. See "sqlaccess.config File Configuration" (page 349) for detailed information on the sqlaccess.config file structure.
4. Configure SQL Access execution based on your implementation:
   • If SQL Access is used to retrieve user profiles, configure the SQL action for the desired realm on the Local Realm screen in the Server Manager. See "Adding a Realm" (page 105) for more information.
   • If SQL Access is used for more advanced implementations, such as accounting and session management, modify the Finite State Machine (FSM) radius.fsm file to specify the execution of specific SQL actions for particular events. See "Finite State Table Configuration in the FSM" (page 372) for more information. The sample implementation includes two modified FSMs configured for accounting without session management and accounting with session management using the SQL Access feature.
5. Restart the server. You can also send the kill -HUP signal to activate the SQL Access implementation while the AAA Server is running if you have not modified the FSM. Refer to "HUP Processing" (page 519) for details on the kill -HUP signal.
sqlaccess.config File Configuration
The sqlaccess.config file consists of the following definition types:
• An optional Global Definition;
• One or more database connection definitions (DBID) used to set up the database connection;
• One or more SQL action definitions that identify the input and output parameters and the SQL statement for execution.
The sqlaccess.config file definitions are as follows:

    /* Global Definition */
    [SQLMapConvLibs "path_to_lib:path_to_lib:…:path_to_lib"]

    /* Database Connection Definition */
    DBID instance {
        DBClient db_client_library_interface
        [DBUser db_user]
        [DBPassword db_user_password]
        [ReconnectWaitTime reconnect_wait_time]
        [ReconnectErrorCodes reconnect_err_code]
        [OracleSID Oracle_db_instance]
        [ODBCDatastore ODBC_db_instance]
    }

    /* SQL Action Definition */
    SQLAction action_ID
    {
        [TimedEvent timed_event]
        [QueryType multi_row]
        /* repeat as needed */
        {
            [input [source target [conversion_function]]
                   .
                   .
                   [source target [conversion_function]]]
            [output [source target [conversion_function]]
                   .
                   .
                   [source target [conversion_function]]]
            [SQLStatement instance {sql_statement}]
        } /* end repeat */
    }
Database Connection Definition
Define the database connection parameters in the data structure identified with the keyword DBID. The syntax of DBID is as follows:

    DBID instance {
        DBClient db_client_library_interface
        [DBUser db_user]
        [DBPassword db_user_password]
        [ReconnectWaitTime reconnect_wait_time]
        [ReconnectErrorCodes reconnect_err_code]
        [OracleSID Oracle_db_instance]
        [ODBCDatastore ODBC_db_instance]
    }

Where:
instance    Identifies a unique instance of the AAA Server as a database client. Note that the database connection parameters for a particular instance must be defined before the SQL actions for that particular database instance in the sqlaccess.config file.
Table 22-2 (page 351) lists the database access parameters and their usage:
Table 22-2 Database Access Parameters
db_client_library_interface
    Mandatory. Identifies the database client library. Values: OracleOCI or ODBC
db_user
    Optional for database clients that maintain user and password information in their configuration file. User identity for the database connection.
db_user_password
    Optional for database clients that maintain user and password information in their configuration file. Password for the database connection. Some client libraries require the password to be specified in their configuration file; these libraries ignore the DBPassword keyword. Note that a DBPassword value is stored in clear text in sqlaccess.config, so restrict read access to that file to the account under which the AAA Server runs, and give the database user only the privileges the configured SQL actions need.
reconnect_wait_time
    Optional. Timer in seconds after which reconnection to the database is attempted when the connection fails. Default: 60
reconnect_err_code
    Optional. Comma-separated list of native database error codes returned when the database is unreachable or shut down. Whenever the server receives any of these configured error codes, it attempts to reconnect periodically at an interval of reconnect_wait_time until the connection to the database is successfully established. No error codes are configured by default.
Oracle_db_instance
    Required for OCI only. Identifies the Oracle database instance to connect to. The supported format for this parameter is determined by the OCI client software.
ODBC_db_instance
    Required for ODBC only. Identifies the database instance to connect to. The supported format for this parameter is determined by the ODBC driver software.
Example 22-1 defines an instance of an Oracle database interface as db_oci with the connection parameters. For this Oracle instance, the server attempts to reconnect every 60 seconds if it receives ORA-3113 or ORA-3114 because of database access failures.
Example 22-1 Define the Oracle Database Connection Parameters
    ## Define the Oracle/OCI connection.
    DBID db_oci {
        DBClient OracleOCI
        DBUser aaaoracleuser
        DBPassword aaaoraclepassword
        ReconnectWaitTime 60
        ReconnectErrorCodes 3113,3114
        OracleSID "example.db.com:1521/testdb"
    }
Example 22-2 (page 352) defines an instance of an ODBC database interface as db_odbc with the connection parameters:
Example 22-2 Define the MySQL Database Connection Parameters
    ## Define the MySQL ODBC connection.
    DBID db_odbc {
        DBClient ODBC
        DBUser mysqlaaauser
        DBPassword mysqlaaapassword
        ReconnectWaitTime 30
        ReconnectErrorCodes 2006
        ODBCDatastore RadiusStore
    }
SQL Actions
SQL actions are defined in the data structure identified by the keyword SQLAction. Following is the syntax of the SQLAction data structure:

    SQLAction action_ID {
        [TimedEvent timed_event]
        [QueryType multi_row]
        /* repeat as needed */
        {
            [input [source target [conversion_function]]
                   .
                   .
                   [source target [conversion_function]]]
            [output [source target [conversion_function]]
                   .
                   .
                   [source target [conversion_function]]]
            [SQLStatement instance {sql_statement}]
        } /* end repeat */
    }

Where:
action_ID    Required. Specifies a unique instance of an SQL action. Identifies the SQL action to be executed as configured in the FSM or in the authfile file through the Local Realm screen in the Server Manager. Follow a naming convention for action_ID that allows easy identification of the actions they perform, to ensure the integrity of the processing logic.
timed_event    Optional. Used for actions not triggered by user requests. Specifies the time interval in seconds at which the AAA Server executes this action. See "Advanced SQL Mapping Configuration" (page 369) for more information.
QueryType multi_row    Optional. Enables multi-row support for SQL Access, that is, support for multiple rows returned by an SQL query. For more information, see "Multi-Row Support For SQL Access" (page 385).
The following sections provide details on the input and output mapping syntax and the SQL statement.
Mapping Syntax
Each input or output mapping entry consists of a source and target definition, and an optional conversion function.
Table 22-3 (page 354) and Table 22-4 (page 354) show the source and target data types that can be mapped, depending on whether the mapping is an input or an output mapping:
• RAD: identifies a RADIUS attribute in a mapping,
• DBP: identifies an SQL placeholder mapping,
• DBC: identifies a database column mapping,
• DBR: handles return values from the SQL statements. See "SQL Result Mapping" (page 364) for more information on the use of DBR mapping.
Table 22-3 Input Mapping Data Types and Syntax
source
    • RAD(vendor_id:attribute, attr_type, MAND)
    • FUNC(mappingfunction)
    • DBR(result) or DBR(ret code:error code)
target
    • RAD(vendor_id:attribute, attr_type, MAND)
    • FUNC(mappingfunction)
    • DBP(placeholder, db_width, db_type)
    • RET(return event)

Table 22-4 Output Mapping Data Types and Syntax
source
    • RAD(vendor_id:attribute, attr_type, MAND)
    • DBC(db_column, db_width, db_type)
    • DBP(placeholder, db_width, db_type)
    • FUNC(mappingfunction)
    • DBR(result) or DBR(ret code:error code)
target
    • RAD(vendor_id:attribute, attr_type, MAND)
    • FUNC(mappingfunction)
    • RET(return event)
NOTE: You must store the values of tagged attributes in raw format in the SQL Access database. Following are the syntax and sample values of the tagged attributes:
• Tagged Integer: The syntax for the Tagged Integer attribute is :<tag value>:<attribute value>. The value must always comprise four octets, of which the tag value must comprise one octet and the attribute value must comprise three octets. For example, the value :3:32 must be stored as 03000020. 03 is the hexadecimal equivalent of 3 and 000020 is the hexadecimal equivalent of 32, zero-padded to three octets so that the stored value comprises four octets.
• Tagged String: The syntax for the Tagged String attribute is :<tag value>:<string>. The value can comprise a maximum of 254 octets, of which the tag value must comprise one octet and the string a maximum of 253 octets. For example, the value :12:Sample must be stored as 0C53616D706C65. In the example, 0C is the hexadecimal equivalent of 12 and 53616D706C65 is the hexadecimal equivalent of Sample.
RAD Mapping
The RAD mapping identifies a RADIUS attribute for input and/or output mapping. If a RADIUS attribute is the source in an input mapping, the target can either be a DB placeholder map, a RADIUS attribute, or a mapping function. The most common use for a RADIUS attribute output mapping is to map a database column and value from the SQL statement execution to the attribute. If the same attribute is specified in multiple source mappings for a given SQL statement, the order of mappings will match the order of appearance in the RADIUS attribute queue associated with attr_type. When RAD is specified as a target mapping, a new attribute is created to hold the data. Table 22-5 (page 355) lists the RAD mapping parameters and their descriptions:
Table 22-5 RAD Mapping Parameters
vendor_id
    Optional. Specifies the RADIUS vendor ID in string format. The RADIUS vendor ID must exist in the dictionary. Default: 0 (standard RADIUS attribute).
attribute
    Mandatory. Specifies the RADIUS attribute ID in string format as defined in the dictionary.
attr_type
    Optional. Specifies the type of RADIUS attribute, and is used to determine the queue where the attribute is located. A set of attribute queues is associated with each RADIUS request. You can specify one of the following queues:
    • REQUEST: Attributes from the inbound request.
    • REPLY: Attributes to be included in the reply. Also typically used for temporary attributes used for local processing.
    • CHECK: Attributes that will be compared with the corresponding REQUEST attributes by the CHK_DENY AATV, ensuring that ACCESS_REQUEST packets contain matching attributes for all check attributes.
    • DENY: Attributes that will be compared with the corresponding request attributes by the CHK_DENY AATV, ensuring that ACCESS_REQUEST packets do not contain any request attribute with a matching deny attribute.
    Default: REQUEST for source mapping, REPLY for target mapping.
attr_overflow
    Optional. Defines how to handle data that exceeds the RADIUS attribute value size of 235 bytes when mapping to a RADIUS output target attribute. You can specify one of the following:
    • TRUNCATE: Truncate the data to 235 bytes.
    • CONCAT: Append the overflowing data to consecutive RADIUS attributes.
    • FAIL: Allow the SQL action to fail.
    Default: FAIL
MAND
    Optional. Used for source mappings only. Specifies that the attribute must be present. If the attribute is not found, the NAK event code is returned.
DBC Mapping
DBC identifies a database column as the source of data in an output mapping statement. The database column and value can either be mapped to a RADIUS attribute (output target is of type RAD) or to a mapping function. Table 22-6 (page 357) lists the DBC attributes and descriptions:
Table 22-6 DBC Mapping Parameters
db_column
    Mandatory. Specifies the column name of the database table.
db_width
    Mandatory. Specifies the column width as defined in the database schema. Used by the database client library to determine the length of data to reserve for processing the column.
db_type
    Mandatory. Used by the database client library to specify the type conversion to be performed on the data. You can use one of the following keywords:
    • CHAR
    • INT
    • RAW
DBP Mapping
DBP is the placeholder mapping using the placeholder syntax in the SQL statements and parameter bind functions as defined by the OCI and ODBC library APIs. If used as a target in an input mapping, it contains a placeholder for the local data to bind using SQL placeholders. If used as a source in an output mapping, it contains the value to be retrieved from the placeholder after execution of a stored procedure. For more information on stored procedures, see "Stored Procedures" (page 373). Check the latest HP-UX AAA Server Release Notes to determine if DBP is supported with your client library. Table 22-7 (page 358) lists the DBP mapping parameters and their descriptions:
Table 22-7 DBP Mapping Parameters
placeholder
    Mandatory.
    • For OCI: Any string value. Passed to the OCIBindByName function. Binds the mapping to a placeholder in the SQL statement as defined by the OCI syntax, based on string matching.
    • For ODBC: Integer value. Identifies the order or position of the DBP parameter in the SQL statement. Passed to the SQLBindParameter function. Binds the mapping to a placeholder in the SQL statement as specified by the ODBC syntax. Input mappings and output mappings use separate ordering, each starting with 1.
db_width
    Mandatory. Specifies the column width as defined in the database schema. Used by the database client library to determine the length of data to reserve for processing the column.
db_type
    Mandatory. Used by the database client library to specify the type conversion to be performed on the data. You can use one of the following keywords:
    • CHAR
    • INT
    • RAW
Example 22-3 shows a single input and output mapping for OCI and ODBC.
Example 22-3 User and Password Input and Output Mappings
For OCI:
    input  RAD(User-Id, REPLY)             DBP(userid, 64, CHAR)
    output DBC(user_password, 128, CHAR)   RAD(Password, CHECK)
           DBC(address_pool, 128, CHAR)    RAD(Address-Pool, REPLY)
For ODBC:
    input  RAD(User-Id, REPLY)             DBP(1, 254, CHAR)
    output DBC(user_password, 128, CHAR)   RAD(Password, CHECK)
           DBC(address_pool, 128, CHAR)    RAD(Address-Pool, REPLY)
The input mapping locates the RADIUS attribute User-Id in the reply queue and associates a data pointer with the local value. The output mapping maps the value retrieved from the database column user_password to the RADIUS attribute Password as a check item, and the value retrieved from the database column address_pool to the RADIUS attribute Address-Pool as a reply item.
RET Mapping
RET can be used when DBR is a source mapping. RET is used to return FSM events if the return values and error codes configured in DBR match. RET has the following syntax:
    RET(return event)
For more information on RET mapping, see “SQL Result Mapping” (page 364).
Mapping Functions
Mapping functions can be used in input and output mapping entries either as a source or a target definition. Mapping function definitions have the following syntax:
    FUNC(mappingfunction)
Where:
mappingfunction    The function name to execute a mapping. Can either be a pre-defined function included in the AAA Server, or a custom-defined function. See "Advanced SQL Mapping Configuration" (page 369) for more information on custom mapping functions.
HP provides the pre-defined mapping functions listed in Table 22-8:
Table 22-8 Pre-defined Mapping Functions
AAALocalHost (Source)
    Returns the AAA Server hostname. It uses the RADIUS Server host name stored in aaa.config, or the result of the gethostname() system call when the hostname is not configured.
AAALocalIP (Source)
    Returns the local IP address in binary format as returned by getaddrinfo() for AAALocalHost.
AAALocalIPv6 (Source)
    Returns the local IPv6 address in binary format as returned by getaddrinfo() for AAALocalHost.
get_sid (Source)
    Retrieves the session ID from the RADIUS request's CLASS attribute-value pair, or generates a session ID if the CLASS attribute-value pair does not exist.
AAAFreeIP (Target)
    Initiates the release of the input IP address via DHCP (IPv4 only). Can be used only if session management with DHCP is enabled in the FSM.
ACKonAll (Target)
    Returns ACK irrespective of the input. Typically used with the DBR source mapping to force the continuation of mapping execution even if a previous SQL statement failed.
ACKonZero (Target)
    Returns ACK if the function's input data is zero; otherwise it returns NAK. Typically used with the DBR source mapping to return ACK when DBResultCode or DBMatchRow is zero.
RetrieveOnZero (Target)
    Returns RETRIEVE_SUCCESS if the function's input data is zero; otherwise it returns NAK. Typically used with the DBR source mapping to return RETRIEVE_SUCCESS for user retrieval actions.
NAKOnZero (Target)
    Returns NAK if the function's input data is zero. Typically used with the DBR source mapping to return NAK when DBResultCode or DBMatchRow is zero.
A failure of a mapping function results in the termination of the SQL action.
The following input mapping example for OCI uses the pre-defined mapping function get_sid as a source to set a session ID:
    input FUNC(get_sid) DBP(sessid, 254, CHAR)
The following output mapping example for OCI uses the pre-defined mapping function AAAFreeIP as a target to initiate the freeing of the input IP address via DHCP:
    output DBP(ipaddr, 11, INT) FUNC(AAAFreeIP)
Conversion Functions
A conversion function is executed between the source and target mapping and can be used to convert or modify data. You identify a conversion function in the conversion_function variable of each mapping entry; conversion_function is the name of the function to execute. It can either be a pre-defined function included in the AAA Server, or a user-defined function. See "Advanced SQL Mapping Configuration" (page 369) for more information on user-defined conversion functions. Table 22-9 lists the pre-defined conversion functions:
Table 22-9 Pre-defined Conversion Functions
AAAIPtoString
    Converts a binary IP address to an ASCII string.
AAAIPv6toString
    Converts a binary IPv6 address to an ASCII string as specified in RFC 2373.
AAAStringtoIP
    Converts an ASCII string to a binary IP address.
AAAStringtoIPv6
    Converts an ASCII string to a binary IPv6 address as specified in RFC 2373.
AAAIPv6PrefixtoString
    Converts a RADIUS IPv6 Prefix attribute type to an ASCII string containing the prefix/length format as specified by RFC 2373.
AAAStringtoIPv6Prefix
    Converts an ASCII string containing the prefix/length format as specified by RFC 2373 to the RADIUS IPv6 Prefix attribute type.
AAAIPv6InterfaceIDtoString
    Converts the RADIUS IPv6 interface identifier attribute type to an ASCII string as specified by RFC 2373.
AAATagInttoOctets
    Converts the ASCII value of a Tagged Integer attribute, represented as :<tag value>:<integer value>, into octets.
AAATagStrtoOctets
    Converts the ASCII value of a Tagged String attribute, represented as :<tag value>:<string>, into octets.
AAAHexToBinaryString
    Converts a hexadecimal string to binary string format. The hex string can be of the form 0x<hex string> or just <hex string>.
A failure of a conversion function results in the termination of the SQL action.
The following example for OCI uses the pre-defined conversion function AAAIPtoString in an input mapping entry to convert a binary IP address to an ASCII string:
    input RAD(Login-IP-Host) DBP(iphost, 46, CHAR) AAAIPtoString
SQL Statement
The SQLStatement section defines the SQL statement, using standard SQL statement syntax, to execute on the input data. Following is the syntax of the SQLStatement data structure:
    SQLStatement instance {sql_statement}
Where:
instance         Database instance identified by the DBID structure.
sql_statement    User-defined SQL statement. Passed unmodified to the database client library. Values taken from RADIUS attributes reach the statement through bound placeholders (DBP mappings, see "DBP Mapping"), not through text substitution, so keep request-supplied data in DBP mappings rather than building statement text from it.
Example 22-4 shows a complete SQL action definition where a row is deleted from the session table for a stop session action:
Example 22-4 SQL Statement to Delete a Row
For OCI:
    SQLAction StopSession {
        {
            input  RAD(Class)         DBP(sessid, 254, CHAR)
            output DBR(DBretCode)     FUNC(ACKonZero)
            SQLStatement db_oci {
                DELETE FROM RAD_SESS_TABLE WHERE session_id=:sessid
            }
        }
    }
For ODBC:
    SQLAction StopSession {
        {
            input  RAD(Class)         DBP(1, 254, CHAR)
            output DBR(DBretCode)     FUNC(ACKonZero)
            SQLStatement db_odbc {
                DELETE FROM RAD_SESS_TABLE WHERE session_id=sessid
            }
        }
    }
The following example is the equivalent replacement of the above examples using the new result mapping syntax with RET:
For OCI:
    SQLAction StopSession {
        {
            input  RAD(Class)         DBP(sessid, 254, CHAR)
            output DBR(-1:*)          RET(ERROR)
                   DBR(0:0)           RET(ACK)
                   DBR(*:*)           RET(NAK)
            SQLStatement db_oci {
                DELETE FROM RAD_SESS_TABLE WHERE session_id=:sessid
            }
        }
    }
For ODBC:
    SQLAction StopSession {
        {
            input  RAD(Class)         DBP(1, 254, CHAR)
            output DBR(-1:*)          RET(ERROR)
                   DBR(0:0)           RET(ACK)
                   DBR(*:*)           RET(NAK)
            SQLStatement db_odbc {
                DELETE FROM RAD_SESS_TABLE WHERE session_id=sessid
            }
        }
    }
SQL Result Mapping
The SQL Access AATV does not itself check the result of the SQL statement execution. If you want to control the subsequent actions based on the SQL statement result, use the DBR(result) mapping together with a pre-defined or custom mapping function to set an event based on the SQL statement return values, or use the newer DBR(return code:error code) mapping together with RET(return event), which offers more customization without writing a mapping function. You can use SQL result mapping anywhere in your input or output maps; it operates on the return code from the last SQL statement executed before the SQL result mapping entry.
The sample implementation tests for successful SQL statement execution for all SQL actions using the mapping function ACKonZero, except in the RetrieveUser action, which uses the RetrieveOnZero mapping function to set the event code. See "Mapping Functions" (page 359) for more information on pre-defined mapping functions that set event codes. For more information on event code handling for the user retrieval action, see "Result Handling for Retrieval Requests" (page 366) in this section.
If your mapping function returns an event other than ACK, control is returned to the FSM immediately with the event code set by the mapping function.
The syntax for SQL result mapping can be one of the following:
• DBR(result) FUNC(mappingfunction)
  Where result can take one of the following values:
  DBMatchRow    Returns the number of matched rows. This is useful if your database returns an SQL result code of 0 (success) even if the number of retrieved rows is zero. With a custom-defined mapping function you can then override the event code handling and return event codes other than ACK to the FSM.
  DBRetCode     Returns the SQL result from the SQL statement as defined by the database client library. HP provides the following pre-defined mapping functions for use with a DBR mapping:
                • ACKonAll
                • ACKonZero
                • NAKonZero
                • RETRIEVEonZero
                See "Mapping Functions" (page 359) for more information on the event handling functions.
• DBR(return code:error code) RET(return event)
  Where the values are described as follows:
  return code   Integer return value from the ODBC or OCI APIs, for example 0 or 100. Table 22-10 lists the return values for OCI and ODBC:
  Table 22-10 Return Values and Description for OCI and ODBC APIs
  Return Value    OCI                       ODBC
  0               OCI_SUCCESS               SQL_SUCCESS
  1               OCI_SUCCESS_WITH_INFO     SQL_SUCCESS_WITH_INFO
  99              OCI_NEED_DATA             SQL_NEED_DATA
  100             OCI_NO_DATA               SQL_NO_DATA
  -1              OCI_ERROR                 SQL_ERROR
  -2              OCI_INVALID_HANDLE        SQL_INVALID_HANDLE
  -3123           OCI_STILL_EXECUTING
  2                                         SQL_STILL_EXECUTING
  error code    Native error code from the database. For example, ORA-00000 for success; you can configure this error code as 0. Other examples are 1, 17, and 18.
  The following example configures an SQL result mapping whose return code is 0, error code is 0, and return event is ACK:
      DBR(0:0) RET(ACK)
  The following example configures an SQL result mapping whose return code is 0, error codes are 0, 1, and 2, and return event is ERROR:
      DBR(0:0,1,2) RET(ERROR)
NOTE: You can use the wildcard * to represent the return code and the error code. For more information on event names, see "Event Names" (page 399).
NOTE: DBR(ret code:error code) RET(ret event) is a newer syntax. It offers more options to customize your SQL result mapping.
Result Handling for Retrieval Requests
The default FSM expects an ACK event to indicate success, with the exception of retrieving user entries, where RETRIEVE_SUCCESS is expected. Use SQL result mapping with the RetrieveOnZero mapping function in your user retrieval actions as the last mapping entry in the output map to set the event to RETRIEVE_SUCCESS.
Example 22-5 SQL Statement with Result Mapping - OCI
    SQLAction RetrieveUser {
        {
            input  RAD(User-Id, REPLY)             DBP(userid, 254, CHAR)
            output DBC(user_password, 128, CHAR)   RAD(Password, CHECK)
                   DBC(address_pool, 128, CHAR)    RAD(Address-Pool, REPLY)
                   DBR(DBretCode)                  FUNC(RETRIEVEonZero)
            SQLStatement db_oci {
                SELECT user_password, address_pool FROM RAD_USERS_TABLE WHERE user_name=:userid
            }
        }
    }
Example 22-6 SQL Statement with Result Mapping - OCI Using the New Syntax
    SQLAction RetrieveUser {
        {
            input  RAD(User-Id, REPLY)             DBP(userid, 253, CHAR)
            output DBR(100:*)                      RET(RETRIEVE_ERROR)
                   DBR(-1:*)                       RET(ERROR)
                   DBC(user_password, 128, CHAR)   RAD(Password, CHECK)
                   DBC(address_pool, 128, CHAR)    RAD(Address-Pool, REPLY)
                   FUNC(get_sid)                   RAD(Class, REPLY)
                   DBR(0:0)                        RET(RETRIEVE_SUCCESS)
                   DBR(*:*)                        RET(RETRIEVE_ERROR)
            SQLStatement db_oci {
                SELECT user_password, address_pool FROM RAD_USERS_TABLE WHERE user_name=:userid
            }
        }
    }
The above example shows result mapping using the new syntax. This feature gives more flexibility in controlling the return events based on the return codes from OCI or ODBC and the native error codes from the database; you do not have to write a mapping function to return an event.
In the above example, after the configured SELECT query executes, the output mappings are evaluated in order. The first output mapping is
    DBR(100:*) RET(RETRIEVE_ERROR)
The return code from OCI/ODBC and the native error code from the database are compared with the configured values 100:*. For a successful SQL query, OCI/ODBC returns 0 and the error code from the database is 0, so neither the first DBR entry nor the second one matches. All following mappings are then executed until the following entry, which matches and returns RETRIEVE_SUCCESS:
    DBR(0:0) RET(RETRIEVE_SUCCESS)
NOTE: In the above example, some entries are configured with the wildcard code "*", which matches any error code. This can be replaced with the explicit values that the database returns. If RET is configured to ACK and the DBR entry matches, all remaining mapping entries of the current mapping are skipped and the next SQL mapping, if configured, is executed; for other return events, control returns from the SQL action.
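The matching walk described above, as an added example that is not part of the HP-UX AAA Server or of this guide: a small C evaluator for the DBR(return code:error code) RET(return event) entries of Example 22-6. It takes the return code and native error code of the last SQL statement, compares them with each DBR entry in order, treating "*" as a wildcard and a comma-separated list such as 0,1,2 as a set of acceptable codes, and returns the event of the first match. The function names (dbr_match, dbr_event, retrieve_user_event), the DbrEntry structure and the constructed (rc, err) pairs in main are this example's own; it models only the first-match rule, not the AATV's subsequent skipping of mapping entries when the matched event is ACK.

```c
/* Added example, not HP code: evaluator for DBR(rc:err) RET(event)
 * result-mapping entries as described in "SQL Result Mapping". */
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* One result-mapping entry: DBR(spec) RET(event). */
typedef struct {
    const char *spec;   /* "rc_patterns:err_patterns", e.g. "0:0,1,2" */
    const char *event;  /* event name returned to the FSM on a match */
} DbrEntry;

/* Does the comma-separated pattern list list[0..len) contain value?
 * "*" matches anything; non-numeric or empty tokens never match. */
static int pattern_list_matches(const char *list, size_t len, int value)
{
    size_t i = 0;
    while (i <= len) {
        size_t j = i;
        char buf[32];
        char *end;
        while (j < len && list[j] != ',')
            j++;
        if (j - i == 1 && list[i] == '*')
            return 1;
        if (j > i && j - i < sizeof buf) {
            memcpy(buf, list + i, j - i);
            buf[j - i] = '\0';
            if (strtol(buf, &end, 10) == value && *end == '\0')
                return 1;
        }
        i = j + 1;
    }
    return 0;
}

/* Match one "rc_patterns:err_patterns" spec against (rc, err).
 * A spec without ':' is malformed and is treated as "no match". */
int dbr_match(const char *spec, int rc, int err)
{
    const char *colon = strchr(spec, ':');
    if (!colon)
        return 0;
    if (!pattern_list_matches(spec, (size_t)(colon - spec), rc))
        return 0;
    return pattern_list_matches(colon + 1, strlen(colon + 1), err);
}

/* Event of the first matching entry, or NULL when nothing matched
 * (the AATV would then simply continue with the remaining mappings). */
const char *dbr_event(const DbrEntry *map, size_t n, int rc, int err)
{
    size_t i;
    for (i = 0; i < n; i++)
        if (dbr_match(map[i].spec, rc, err))
            return map[i].event;
    return NULL;
}

/* The DBR entries of Example 22-6, in the order the guide lists them
 * (the DBC/FUNC data mappings between them are omitted here). */
static const DbrEntry retrieve_user_map[] = {
    { "100:*", "RETRIEVE_ERROR" },   /* OCI_NO_DATA / SQL_NO_DATA */
    { "-1:*",  "ERROR" },            /* OCI_ERROR / SQL_ERROR */
    { "0:0",   "RETRIEVE_SUCCESS" },
    { "*:*",   "RETRIEVE_ERROR" },
};

const char *retrieve_user_event(int rc, int err)
{
    return dbr_event(retrieve_user_map,
                     sizeof retrieve_user_map / sizeof retrieve_user_map[0],
                     rc, err);
}

int main(void)
{
    /* Constructed (rc, err) pairs, chosen to exercise each entry. */
    printf("rc=0   err=0    -> %s\n", retrieve_user_event(0, 0));
    printf("rc=100 err=1403 -> %s\n", retrieve_user_event(100, 1403));
    printf("rc=-1  err=3113 -> %s\n", retrieve_user_event(-1, 3113));
    printf("rc=1   err=0    -> %s\n", retrieve_user_event(1, 0));
    return 0;
}
```

Entry order matters: because "*:*" matches everything, it must be the last DBR entry, exactly as in Example 22-6; placing it earlier would make every later entry unreachable.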
Global Definitions
Global definitions are placed anywhere in the sqlaccess.config file, but outside the DBID and SQLAction data structures. They allow you to set up the path to custom mapping and conversion functions. The syntax is as follows:
    [SQLMapConvLibs ["path_to_lib:path_to_lib:…:path_to_lib"]]
Where:
path_to_lib    Defines the list of libraries containing mapping and conversion functions, with full path names. These libraries are loaded into the AAA Server process, so keep them and the directories that hold them writable only by root.
Advanced SQL Mapping Configuration
This section covers the following advanced SQL Access topics:
• "Developing Custom Functions" (page 369): to extend the functionality of the AAA Server utilizing the flexible design of the SQL Access feature;
• "Null SQL Statements" (page 370): for SQL actions without mapping or SQL statements;
• "Time Synchronization" (page 371): to synchronize across multiple AAA Servers;
• "Finite State Table Configuration in the FSM" (page 372): to enable SQL action execution for complex database interactions or function execution;
• "Stored Procedures" (page 373): to use stored procedures in the database.
Developing Custom Functions
You can define your own mapping and conversion functions, which must reside in libraries that are located at the paths configured in the SQLMapConvLibs setting of the global definition in the sqlaccess.config file. Ensure that the names of the custom functions do not conflict with the names of any other pre-defined or customized functions. HP suggests that you use a unique prefix for your custom functions.
Mapping functions use the following prototype:
int32 mappingfunction (void *radrequest, void *data, uint *len)
Where:
radrequest     Pointer to the RADIUS request currently processed.
data           For source mapping: address where to store the result.
               For target mapping: address from where to copy data.
len            For source mapping: address of the maximum permissible length for the data buffer. The function returns the actual length of data copied to the target buffer.
               For target mapping: address of the actual length of data in the data buffer.
Return Values  Custom or pre-defined event code. See “Event Names” (page 399) for more information on pre-defined event codes.
Conversion functions use the following prototype:
int32 ConversionFunction (void *source, uint *sourceLen, void *Target, uint *TargetLen)
Where:
source         Address of the data to convert.
sourceLen      Address of the length of the source data.
Target         Address to store the converted data.
TargetLen      Passes the address of the maximum length allowed for the target buffer into the function. Returns the actual data length copied to the target buffer.
Return Values  Custom or pre-defined event code. See “Event Names” (page 399) for more information on pre-defined event codes.
Null SQL Statements
SQL action mappings can be defined without an SQL statement. This flexibility is provided so that you can execute pre-defined or customer-defined functions on the source or target data where database access is not required. This is useful for situations such as complex parsing of an attribute that requires extracting sub-realms from a Network Access Identifier (NAI).
Null Source and Target Mapping
You can also specify SQL action mappings without the source or target mapping. In this case, no data will be input to the SQL statement and/or the SQL statement execution will not return any data. An example of an SQL action containing only SQL statements is an expired session cleanup operation, as shown in Example 22-7:
Example 22-7 SQL Action with Null Source and Target Mappings
SQLAction CleanupExpiredSessions {
    TimedEvent 120    ## Invoke the action every 120 seconds.
    {
        output
            DBR(-1:*) RET(ERROR)
            DBR(0:0)  RET(ACK)
            DBR(*:*)  RET(NAK)
        SQLStatement db_oci {
            DELETE FROM RAD_SESS_TABLE
            WHERE (current_timestamp - sess_start_time) > '+000000001 00:00:00'
        }
    }
}
The SQL action CleanupExpiredSessions executes an SQL statement every 120 seconds that deletes all the rows from the session table RAD_SESS_TABLE containing information for expired sessions. In this example, a session is considered expired if its starting time, sess_start_time, indicates that it is older than 24 hours.
Time Synchronization
If multiple AAA Servers access a common database using SQL Access, time synchronization is critical. Features such as accounting and session management rely on time stamps stored in the database tables. This can best be provided by utilizing the database timestamps in the SQL actions in place of the local AAA Server timestamps.
Example 22-8 Timestamp Synchronization
For OCI:
SQLAction UpdateAcct {
    {
        input
            RAD(Class) DBP(sessid, 254, CHAR)
        output
            DBR(-1:*) RET(ERROR)
            DBR(0:0)  RET(ACK)
            DBR(*:*)  RET(NAK)
        SQLStatement db_oci {
            UPDATE RAD_ACCT_TABLE SET update_time=current_timestamp
            WHERE session_id=:sessid
        }
    }
}
Finite State Table Configuration in the FSM
SQL Access for user profile retrieval requires no modification to the FSM. Use the Local Realm screen in the Server Manager to configure the SQL action for the desired realm. However, the FSM must be modified to perform more complex database interactions such as accounting or session management with SQL Access.
At server startup, the FSM reads instructions from a state table by loading and parsing the radius.fsm file. The radius.fsm file consists of definitions for states, events, and actions that determine how a request is processed. See Chapter 26: “Customizing the HP-UX AAA Server Using the Finite State Machine” (page 396) for more details on state tables in the FSM.
To specify the SQL action to be executed during a particular state, modify the radius.fsm file as follows:
1. Set ‘Action’ to ‘SQLAccess’ for the state event to trigger the execution of an SQL action.
2. Specify the SQL action in the xstring argument.
The following is an example of a modified FSM that executes accounting log requests via SQL Access:
Example 22-9 FSM with Accounting Log via SQL Access
#####################################
## Start Accounting via SQL Access ##
AcctLog:
*.*.ACCT_START   SQLAccess ReplyHold xstring="ActionID=InsertAcct"
*.*.ACCT_STOP    SQLAccess ReplyHold xstring="ActionID=StopAcct"
*.*.ACCT_ALIVE   SQLAccess ReplyHold xstring="ActionID=UpdateAcct"
*.*.ACCT_MSTART  SQLAccess ReplyHold xstring="ActionID=StopAllAccts"
*.*.ACCT_MSTOP   SQLAccess ReplyHold xstring="ActionID=StopAllAccts"
*.*.ACCT_CANCEL  SQLAccess ReplyHold xstring="ActionID=StopAcct"
*.*.ACCT_ON      SQLAccess ReplyHold xstring="ActionID=StopAllAccts"
*.*.ACCT_OFF     SQLAccess ReplyHold xstring="ActionID=StopAllAccts"
## End Accounting via SQL Access ##
#####################################
Stored Procedures
Most databases support stored procedures. Stored procedures are a set of SQL statements that are stored on the database server and executed when necessary, instead of issuing individual SQL statements. Stored procedures are particularly useful for, but not restricted to, the following:
• Executing multi-statement transactions: Stored procedures simplify the SQL Access configuration when multiple SQL statements forming a transaction need to be executed. For example, the sample configuration includes a stored procedure that deletes a session row from the session table, while returning the database column containing the IP address.
• Utilizing database schemas that contain child tables: Since SQL Access does not support output of multiple database rows, stored procedures can be used to provide a "normalized" view of the database parent and child tables to the AAA Server.
• Enhancing database security: Stored procedures can be written so that each execution is logged in the database server. Furthermore, common operations on the database table can be performed using stored procedures. This prevents applications and users from directly accessing the database tables.
Stored procedures are executed in an SQL action as specified in the SQL statement using standard SQL syntax.
NOTE: Use the IN and OUT parameters for stored procedures. INOUT for stored procedures is not supported. Use DBP for mapping to stored procedure input (target) and output (source) parameters.
The following example shows the definition of a stored procedure for OCI to remove session entries, and its usage in the SQL action definition:
Example 22-10 Remove Session Stored Procedure Definition
create or replace procedure remove_session(sessid IN varchar2, ipaddr OUT NUMBER)
IS
BEGIN
    select ASSIGNED_FRAMED_IP into ipaddr from RAD_SESS_TABLE where session_id=sessid;
    delete from RAD_SESS_TABLE where session_id=sessid;
END;
Run
Stored Procedure Call to remove_session in SQL Action:
SQLAction StopSession-DHCP {
    {
        input
            RAD(Class) DBP(sessid, 254, CHAR)
        output
            DBR(-1:*) RET(ERROR)
            DBP(ipaddr, 11, INT) FUNC(AAAFreeIP)
            DBR(0:0)  RET(ACK)
            DBR(*:*)  RET(NAK)
        SQLStatement db_oci {
            BEGIN remove_session( :sessid, :ipaddr ); END;
        }
    }
}
Administering Users and Tokens Stored in an SQL Database
The User Database Administration Manager is a web-based interface that enables administrators to manage users that are stored in an SQL database. Using the interface, administrators can add users, modify the credentials of existing users, and view user and token information. Administrators can also use this tool to manage users with tokens, required for OATH standards-based One Time Password (OTP) authentication.
The User Database Administration Manager has been created using PHP scripts that enable administrators to easily customize this interface for specific deployment scenarios. The PHP scripts are available in the /opt/aaa/examples/sqlaccess/userdb directory.
You must set up the User Database Administration Manager and configure it with the HP-UX Apache Web Server before following the procedures described in this section. For configuration and set up procedures, see the /opt/aaa/examples/sqlaccess/userdb/README file.
This section discusses the following topics:
• “Managing Users” (page 375)
• “Managing Users Using OTP to Authenticate” (page 378)
Managing Users
This section discusses the following topics:
• “Adding Users to an SQL Database” (page 375)
• “Modifying User Credentials” (page 377)
• “Viewing User and Token Statistics” (page 383)
Adding Users to an SQL Database
To add a user into the SQL database, complete the following steps:
1. Enter the following URL to launch the User Database Administration Manager in your browser:
   https://<hostname>/userdb/admin/
2. Enter your login and password when prompted.
   The User Database Administration Manager launches, as shown in Figure 22-3.
Figure 22-3 The User Database Administration Manager
3. Click Add User.
   The Add User screen is displayed, as shown in Figure 22-4 (page 376).
Figure 22-4 The Add User Screen
4. Enter the relevant information according to the guidelines stated in Table 22-11.
Table 22-11 Fields in the Add Users Form
Field Name    Description
User Name
    Assign a user ID for the user. A user ID can comprise alpha-numeric characters, '-', '_', '!' and '@'. A user ID cannot exceed 128 characters.
First Name, Last Name
    Enter the first name and last name of the user. The names can comprise alpha-numeric characters, '_', '-', '.', and the space character.
User Password and Confirm Password
    Enter the password in the Password field. Enter the same password in the Confirm Password field to confirm it.
Enter Token Serial Number or Allocate a Free Token
    Enter the token number listed on the token device to assign a specific token to a user. To randomly allocate a free token serial number, check the Allocate a Free Token checkbox.
    NOTE: This is an optional field. If you are not using OTP authentication, leave this field blank.
Contact Info
    Enter the contact information in the corresponding fields.
    Address: Enter the mailing address of the user using any alpha-numeric characters.
    City, State, Country: Enter the city, state, and country of the user using any alpha-numeric character.
    Work / mobile phone: Enter the work and mobile phone of the user in nnn-nnn-nnnn format.
    Email-Id: Enter the e-mail address of the user.
    NOTE: The Email-Id field is the only mandatory field in this section.
Framed-Protocol
    An integer value for the framing to be used for framed access. The valid values for Framed-Protocol can be checked in the dictionary file.
Framed-IP-Address and Framed-IP-Netmask
    IP address or netmask configured for the user in the n.n.n.n format.
Framed-IP-Routing
    An integer value for the routing method for the user. The valid values can be referred to in the dictionary file.
Address-Pool
    An attribute that is sent by the HP-UX AAA Server to the NAS and contains the name of an assigned pool that must be used to assign an IPv4 address for the user.
5. Click Add User.
   The new user is added to the SQL database.
Modifying User Credentials
To modify a user’s credentials, complete the following steps:
1. Enter the following URL to launch the User Database Administration Manager in your browser:
   https://<hostname>/userdb/admin/
2. Enter your login and password when prompted.
   The User Database Administration Manager launches, as shown in Figure 22-3.
3. Search the database by entering data for any one of the following fields:
   • User Id
   • Email Id
   • L. Name or F. Name
   • Work Phone
   • Token Serial Number
   A list of matching users is displayed.
4. Click Modify User or the matching user listed.
   The Manage User screen is displayed.
5. Modify the relevant information. For information on modifying token information such as token status, see “Valid Token Status Values” (page 383). For information on validating tokens, see “Synchronizing Tokens (Procedure for Users)” (page 382).
6. Click Modify User Info.
Managing Users Using OTP to Authenticate
This section provides a brief overview illustrating how administrators can manage users who use OTP to authenticate. The following screens are provided to ease administration:
• The Administrator's screen, which enables administrators to add, view, and modify user and token information.
• The User's screen, which enables users to do basic self-management tasks such as enrolling and synchronizing their tokens.
Following is the process that administrators need to follow to manage user and token information:
1. “Importing Tokens into the Database” (page 378)
2. “Assigning Tokens to Users” (page 379)
3. “Enrolling Tokens (Procedure for Users)” (page 380)
4. “Synchronizing Tokens (Procedure for Users)” (page 382)
5. “Terminating Tokens” (page 383)
Importing Tokens into the Database
Tokens are devices or software that generate OTPs. Usually, token vendors provide the tokens in bulk along with a file that contains the secret associated with each token. This token information must be imported into the database token table. The HP-UX AAA Server includes a sample /opt/aaa/examples/sqlaccess/userdb/aaatoken2sql.pl file that can be used to convert a CSV file containing token information into SQL insert statements. The generated file can be executed on the database to populate the token table.
After the tokens are imported into the database, they are in an AVAILABLE state, indicating that they are free and can be assigned to any user.
Assigning Tokens to Users
Once tokens are imported into the database, they must be assigned to users. The procedure to assign tokens varies slightly depending on whether you want to assign a specific token serial number or allocate any free token. This section documents both procedures.
Assigning a Specific Token to a User
To assign a specific token to a user, complete the following procedure:
1. In the Add or Manage Users screen, enter the serial number listed on the token in the Enter Token Serial Number field.
2. Click Validate.
   The Token Validate screen appears in a new browser window, as shown in Figure 22-5.
Figure 22-5 The Token Validate Screen
3. Enter two consecutive OTPs generated by the device.
4. If OTP validation is successful, assign the token to the user by clicking Add User or Modify User Info at the bottom of the screen.
   The token is assigned to the user and its status changes from AVAILABLE to ASSIGNED. Additionally, the User Database Administration Manager generates and e-mails an activation code to the user.
5. If you are using a token device, mail it to the user.
Allocating Any Available Token to a User
To allocate any available token to a user, complete the following steps:
1. In the Add or Modify Users screen, select the Allocate a free token checkbox.
   The User Database Administration Manager assigns the first unassigned token in the database to the user. The token status changes from AVAILABLE to ASSIGNED. Additionally, the User Database Administration Manager generates and e-mails an activation code to the user.
2. If you are using a token device, mail it to the user.
TIP: You can modify the PHP scripts available in /opt/aaa/examples/sqlaccess/userdb to send the activation code by SMS to the user's mobile phone.
Enrolling Tokens (Procedure for Users)
On receiving the token and the activation code, the user can use the Enroll Tokens screen to enroll or activate their token. This is a one-time activity.
To enroll your token, complete the following steps:
1. In your browser window, enter the URL of the User Database Administration Manager as follows:
   https://<hostname>/userdb/user/
   NOTE: The connection between the browser and web server is secured using HTTPS.
2. Type in the log-in name and the answer to the security question that you provided while activating the token.
3. From the main screen of the User Database Administration Manager, click Enroll Token.
   The Enroll Token screen appears, as shown in Figure 22-6.
Figure 22-6 The Enroll Token Screen
4. Complete the form in the Enroll Token screen according to the information in Table 22-12.
Table 22-12 Fields in the Enroll Token Device Form
Field Name    Description
User Name
    Enter the user name assigned to you by the administrator. User names cannot exceed 128 characters. Besides alpha-numeric characters, '-', '_', '!' and '@' can also be used.
Activation Code
    This code is provided to activate the token device or software associated with your identity. It is sent to you by the administrator either by post, e-mail, or SMS.
OTP1, OTP2
    Enter two consecutive OTPs generated by your token.
Question, Answer
    Choose a security question and answer to secure your account. This will allow the administrator to verify your identity when updating or replacing the token device or software.
5. To enroll the token, click Enroll.
   Once this procedure is completed, the status of the token changes from ASSIGNED to ACTIVE. The user can now use the token for authentication.
Synchronizing Tokens (Procedure for Users)
The HOTP algorithm is sequence-based; therefore the token and the user profile database share a counter value. The counter value of the token increments each time a request is sent to the server. The counter value in the user profile database increments each time a client request is successfully authenticated. As a result, the counter value of the token does not always correspond with that in the database. In such scenarios, users can use the Synchronize Token screen to synchronize their tokens. Users can also use this procedure to unlock locked tokens.
To synchronize your token, complete the following steps:
1. In your browser window, enter the URL of the User Database Administration Manager as follows:
   https://<hostname>/userdb/user/
   NOTE: The connection between the browser and web server is secured using HTTPS.
2. Type in the log-in name and the answer to the security question that you provided while activating the token.
3. From the main screen of the User Database Administration Manager, click Synchronize Token.
   The Synchronize Token screen appears, as shown in Figure 22-7.
Figure 22-7 The Synchronize Token Screen
4. Complete the form in the Synchronize Token screen according to the information in Table 22-13.
Table 22-13 Fields in the Synchronize Token Form
Field Name    Description
User Name
    Enter the user name assigned to you by the administrator. User names cannot exceed 128 characters. Besides alpha-numeric characters, '-', '_', '!' and '@' can also be used.
OTP 1, OTP 2
    Enter two consecutive OTPs generated by your token.
5. To synchronize or unlock the token, click Synchronize.
   The User Database Administration Service calculates the OTP using the counter in the user profile database and increments the counter value until the OTP generated matches the two consecutive OTPs entered by the user.
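The following is an added example, not the product's own code, of the resynchronization step just described for an HOTP (RFC 4226) token: starting from the counter held in the user profile database, it searches forward until two consecutive OTPs match and returns the counter the database should store next. The bounded look-ahead window is an assumption of this example (the page states no limit); the sample secret is the RFC 4226 test key and is constructed for illustration only.

```python
import hashlib
import hmac
import struct
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP value for one counter value: HMAC-SHA1 over the 8-byte big-endian
    counter, dynamically truncated to `digits` decimal digits (RFC 4226 5.3)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = ((mac[offset] & 0x7F) << 24
              | mac[offset + 1] << 16
              | mac[offset + 2] << 8
              | mac[offset + 3])
    return f"{binary % (10 ** digits):0{digits}d}"


def resynchronize(secret: bytes, db_counter: int, otp1: str, otp2: str,
                  look_ahead: int = 100) -> Optional[int]:
    """Resynchronize the database counter with the token from two consecutive OTPs.

    Tries counters db_counter .. db_counter + look_ahead - 1 and requires otp1
    at counter c and otp2 at counter c + 1, so a single guessed value or two
    non-adjacent values do not resynchronize. Returns the counter to store in the
    user profile database (c + 2, the next value the token will produce), or None
    if nothing matched inside the window. The window bound is this example's
    assumption; the comparison is constant-time so digit matches do not leak
    through timing."""
    for c in range(db_counter, db_counter + look_ahead):
        first_ok = hmac.compare_digest(hotp(secret, c), otp1)
        second_ok = hmac.compare_digest(hotp(secret, c + 1), otp2)
        if first_ok and second_ok:
            return c + 2
    return None


# Constructed sample: the RFC 4226 test secret. The token has advanced to
# counter 3 while the database still holds 0, so the user submits OTP(3), OTP(4).
SAMPLE_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    otp1, otp2 = hotp(SAMPLE_SECRET, 3), hotp(SAMPLE_SECRET, 4)
    print("user entered", otp1, otp2)
    print("database counter after resync:", resynchronize(SAMPLE_SECRET, 0, otp1, otp2))
```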
Terminating Tokens
If a token is lost or cannot be reused, the administrator can change the status of the token to TERMINATE. A token cannot be reused while its status is TERMINATE. To change a user's token status to TERMINATE, use the Token Status drop-down menu in the Manage Users screen (if the user already exists).
Viewing User and Token Statistics
To view user and token statistics, click Statistics in the User Database Administration Manager. The User Statistics screen is displayed, as shown in Figure 22-8.
Figure 22-8 The User Statistics Screen
Valid Token Status Values
Table 22-14 lists the valid values that can be assigned to a token.
Table 22-14 Valid Token Status Values
Token Status    Description
ASSIGN
    Indicates that the token has been assigned to a user, but has not yet been activated. Once the token is activated, the token status changes to ACTIVE.
ACTIVE
    Indicates that the token is currently assigned to a user.
AVAILABLE
    Indicates that the token is free and can be assigned to a user. When tokens are initially loaded into the database, their token status is AVAILABLE. Can also be used to disassociate a token from a user, for example, when the token user is leaving the organization.
LOCKED
    Used when there is more than the configured number of failed authentication attempts. When a token status is set to LOCKED, no one can authenticate using that token. To unlock the token, change the token status to ACTIVE.
TERMINATE
    Indicates that a token user has lost his token. When a token status is set to TERMINATE, no one can authenticate using that token.
Invoking the User Database Administration Manager Interface from Server Manager
To invoke the User Database Administration Manager from the Server Manager, complete the following steps:
1. Navigate to the Server Manager directory using the following command:
   # cd /opt/hpws22/tomcat/webapps/aaa
2. Add a new menu item at the end of the menu listing file, menulist.jsp. Add an entry for menu-item-userdb.html as follows:
   # vi menulist.jsp
   ...
   <%@ include file="menu-item-maintenance-close.html" %>
   <%@ include file="menu-item-wizards.html" %>
   <%@ include file="menu-item-userdb.html" %>
   <%@ include file="menu-item-help.html" %>
   ...
3. Create the menu-item-userdb.html file with information about the User Database Administration Manager GUI, using the menu-item-wizards.html file as a reference, as follows:
   # sed 's#Secure LAN Advisor#UserDatabase Admin Manager#g' \
       menu-item-wizards.html > /tmp/menu-item-userdb.html
   If example.com is hosting the User Database Manager Interface:
   # sed 's#8021x/8021x_advisor.html#https://example.com/userdb/admin/#g' \
       /tmp/menu-item-userdb.html > menu-item-userdb.html
   A menu item file for Server Manager, menu-item-userdb.html, is created.
4. Reload the Server Manager screen to invoke the User Database Administration Manager from the Server Manager screen.
Multi-Row Support For SQL Access
Currently, SQL Access handles only one row returned by an SQL query. If an SQL query returns multiple rows of the database, only the first row is processed and the remaining ones are ignored. However, to support client functionality, SQL Access must handle multiple rows returned by an SQL query. For example, an SQL query checking the database for expired sessions can return multiple rows, and disconnect requests may have to be sent every second to all rows in the database. Currently, one query is required per row, resulting in poor performance. Therefore, SQL Access is enhanced to support multiple rows.
By default, multi-row support is not enabled. To enable the multi-row feature for an SQL Action, add the following line:
QueryType multi_row
Multi-row functionality can be used only in conjunction with another AATV that is designed to handle the multiple rows returned by an SQL query. The CLIENT AATV, used to implement the client functionality at the HP-UX AAA Server, is an example of such an AATV. Specifically, this AATV should handle two internal attributes which are used for implementing multi-row functionality. The following table lists these internal attributes:
Table 22-15 Internal Attributes for Implementing Multi-Row Functionality
Attribute                      Type      Description
SQL-Statement-Handle-Info      Integer   Contains information required to retrieve the SQL statement handle for a multi-row SQL action.
SQL-Statement-Handle-Status    Integer   Contains the status of the SQL statement handle. Allowed values are 0 (for EXPIRED) and 1 (for ACTIVE).
The SQL Access AATV, after executing a multi-row SQL query, will save the SQL statement handle and add the internal attribute SQL-Statement-Handle-Info to the request. This internal attribute will contain the information required to retrieve the SQL statement handle. The second AATV should pass this internal attribute SQL-Statement-Handle-Info unchanged to the SQL Access AATV while retrieving the next row. To stop processing the rows in a multi-row query and ignore the remaining rows, the AATV must use the internal attribute SQL-Statement-Handle-Status. If the AATV passes in this attribute with the value set to 0, the SQL Access AATV will free the SQL statement handle and ignore the remaining rows.
For more details on a specific implementation of the multi-row functionality using the CLIENT AATV, see Chapter 19 (page 291) and Chapter 20 (page 297).
23 Simple Network Management Protocol (SNMP) Support
Simple Network Management Protocol (SNMP) Support provides a mechanism for a centrally located management workstation to monitor the activity of remote computers and network services. An SNMP management framework includes the following:
• SNMP management workstation that requests information
• Master agent that handles and responds to the requests
• Application-specific subagent that translates the SNMP requests for and responses from the application
The HP-UX AAA Server includes an SNMP application subagent. At startup, the server automatically activates its SNMP subagent and the subagent registers the application with the master agent. The HP-UX AAA Server can exchange information with any SNMP master agent software that supports the AgentX protocol. See RFC 2741 for more information about the AgentX protocol.
Information exchanged through SNMP is represented by objects in the Management Information Base (MIB). The MIB is defined by the IETF for use with network protocols in the Internet community. The MIB includes extensions for RADIUS authentication and accounting servers, which are supported by the HP-UX AAA Server. See Chapter 35: “MIB Objects” (page 566) for more information.
IMPORTANT: The SNMP application sub-agent supports only IPv4 clients. In a mixed environment (comprising IPv4 and IPv6 clients), the sub-agent can return information on the IPv4 clients only. Information on the IPv6 clients will not be returned.
Setting Up SNMP to Monitor the HP-UX AAA Server
Use the following steps to set up an SNMP workstation to monitor the HP-UX AAA Server:
1. Install and start up an SNMP manager and master agent on the SNMP workstation.
   You will need to copy the SNMP configuration file, iaaaAgent.conf, to the /usr/local/share directory on the SNMP workstation. The SNMP master agent that you use must support and be configured for the AgentX protocol.
2. After you have installed the AAA Server, load the RADIUS MIB files (included with the server) into the SNMP manager according to your SNMP manager's instructions.
3. Enter http://IP-Address:Port/aaa as the URL (or https://IP-Address:Port/aaa for HTTPS) in an Internet browser to access the Server Manager graphic interface. IP-Address is the machine that hosts the manager's program. Port is the port used by the Server Manager program for communication. By default the value is 8081 (8443 for HTTPS). If you are prompted for a user name and password, you must enter the values specified during installation.
4. From the navigation tree, click Server Properties.
5. On the Server Properties screen that appears, select SNMP Properties.
6. On the SNMP Server Properties screen that appears, select the Yes radio button and click Modify.
7. From the navigation tree, click Save Configuration.
8. From the navigation tree, click Administration.
9. Click Start.
   If the server successfully starts, a green GO icon appears next to the name of the server in the Status Frame (in the lower left corner of the program's interface). The AAA subagent will check the appropriate sockets and TCP ports for an active master agent. When the subagent detects the running master agent, it will register with the master agent, and you can begin to send SNMP requests from the workstation to the server.
10. To configure the SNMP manager to monitor the RADIUS information, complete the required steps for your SNMP manager.
   NOTE: You must specify the same context name that you used to start the RADIUS server while configuring your SNMP manager to monitor RADIUS information. The SNMP manager uses the context name to distinguish one HP-UX AAA Server from another on the same host. For more information on the context name, see Table 4-2 (page 77).
24 VPN Tunneling
Tunneling involves access to a server that provides secure intranet or other network functionality through a dial-up or Internet connection from a client workstation. This process can be categorized as one of two types: voluntary or compulsory. Some applications, such as secure access to corporate intranets through the Internet, are characterized by voluntary tunneling, where users create the tunnel through client software at their workstation. These tunnels are created independently of the AAA server.
Compulsory VPN tunnels are established by returning tunneling attributes to the access device. The HP-UX AAA Server supports tagged attributes that can be used to specify tunneling alternatives, in the event that the access device cannot establish the preferred tunnel configuration.
NOTE: How you configure the server to handle hints in the Access-Request may also affect how, or if, the tunnel is established.
Establishing a Tunnel for a User
• If the user profile is stored in an AAA server users file, select the Free tab from the Modify User screen and then add the tunneling attributes that will define the tunnel.
• If the user profile is stored in an LDAP LDIF file, add the attributes to the profile, following the aaaReply: Tunneling-Attribute = Value syntax.
• If you want to specify alternative tunnels, you should use tagged attributes with the Tunneling-Attribute =:Tag-no:Value syntax. Each set of attributes that establishes one of the possible tunnels should be tagged with the same Tag-no. The order in which the access device should consider the tunnel alternatives is specified with the Tunnel-Preference attribute. In the following example, the access device will establish a tunnel according to those attributes tagged with 1, since that group has Tunnel-Preference set to “first,” and if the access device cannot establish the tunnel with those attributes, it will use the alternative tagged with 2 (Tunnel-Preference of “second”).
Tunnel-Type =:1:PPTP,
Tunnel-Medium-Type =:1:IPv4,
Tunnel-Client-Endpoint =:1:192.168.127.1,
Tunnel-Server-Endpoint =:1:192.155.111.1,
Tunnel-Password =:1:Michigan,
Tunnel-Private-Group-Id =:1:engineering,
Tunnel-Assignment-Id =:1:management,
Tunnel-Preference =:1:first,
Tunnel-Client-Auth-Id =:1:NET,
Tunnel-Server-Auth-Id =:1:Michigan,
Tunnel-Type =:2:L2TP,
Tunnel-Medium-Type =:2:IPv4,
Tunnel-Client-Endpoint =:2:192.168.127.1,
Tunnel-Server-Endpoint =:2:192.170.130.1,
Tunnel-Password =:2:California,
Tunnel-Private-Group-Id =:2:engineering,
Tunnel-Assignment-Id =:2:management,
Tunnel-Preference =:2:second,
Tunnel-Client-Auth-Id =:2:NET,
Tunnel-Server-Auth-ID =:2:California
25 Using DHCP

The HP-UX AAA Server can act as a Dynamic Host Configuration Protocol (DHCP) relay to request IP address assignments from a DHCP server. Currently, only DHCPv4 is supported. To use DHCP, you must associate address pools with the AAA server's incoming requests. There are two ways to do this:
• Associate an address pool with specific users or specific realms.
• Configure HP-UX AAA Server decision files to associate an address pool with a condition. See Chapter 27 (page 411) for more information.
The HP-UX AAA Server can act as a relay for most DHCP servers.
Required DHCP Server Features

• The DHCP server can assign addresses from its IP address pools based on the User Class or Vendor Class Identification attribute.

Recommended DHCP Server Features

• The DHCP server can assign IP addresses outside the network it resides in. Many RADIUS/DHCP deployments require this capability.
• The DHCP server can send its replies to ports above the well-known port range (0-1023). Without this capability the AAA server cannot run as a non-root process, because only root can bind a port in that range.
Defining DHCP Address Pools for Specific Users

Use the following steps to associate DHCP address pools with specific users. The procedure depends on where the user profile is stored.
NOTE: The name of the pool referenced in the user profile must match the name ofa pool defined on the DHCP server.
To Associate an Address Pool with a User Profile in AAA Server Flat Files

1. On the navigation tree, select Local Realms. The Local Realms screen is displayed.
2. Click the Users icon for the realm the user is in. The Users screen appears.
3. Click the Edit icon next to the user you want to associate with an address pool. The Add/Modify Users screen appears.
4. Select the Free tab at the top of the Modify Users screen.
5. Enter the address pool for the user in the Reply Item field, for example:
   Address-Pool=<Name-of-pool>
6. Click Modify.
To Associate an Address Pool with a User Profile in an LDAP LDIF File

1. From the command line, open the LDIF file the user profile is stored in.
2. Add the following line to the user profile:
   aaaReply: Interlink:Address-Pool=<Name-of-pool>
Associating Address Pools with Realms and Other Conditions

Use the following steps to associate address pools with realms and other conditions by modifying HP-UX AAA Server decision files. Refer to Chapter 26: "Customizing the HP-UX AAA Server Using the Finite State Machine" (page 396) and Chapter 27 (page 411) for more information. The following steps and examples associate an IP address pool named test_pool with a realm named test.com.

1. Create a policy file in /etc/opt/aaa/dhcp.grp as follows:

   Group NORMAL {
       Condition {
           (User-Realm = test.com)
       }
       Reply {
           Decision = ACK
           Interlink:Address-Pool = "test_pool"
       }
   }
   Group NORMAL {
       Reply {
           Decision = ACK
       }
   }

2. Define a new state named CheckTestPolicy to check for the policy you created in Step 1. In /etc/opt/aaa/radius.fsm, replace:

   UserDone:
       *.*.ACK    POLICY    AuthWait
       *.*.NAK    REPLY     Hold

   with:

   UserDone:
       *.*.ACK    POLICY    CheckTestPolicy
       *.*.NAK    REPLY     Hold
   CheckTestPolicy:
       *.*.ACK    POLICY    AuthWait    Xstring=decisionfile:dhcp.grp
       *.*.NAK    REPLY     Hold
Part V Customizing the HP-UX AAA Server

This part of the HP-UX AAA Server Administrator's Guide contains the following chapters:
• Chapter 26: "Customizing the HP-UX AAA Server Using the Finite State Machine" (page 396)
• Chapter 27: "Customizing the HP-UX AAA Server Using Policies" (page 411)
• Chapter 28: "Customizing the HP-UX AAA Server Using the SDK" (page 446)
Table of Contents

26 Customizing the HP-UX AAA Server Using the Finite State Machine ... 396
    States ... 396
        Using Xstring to call Policy ... 399
        Using Xstring to Call an Alternate authfile ... 399
    Event Names ... 399
        Predefined Event Names ... 400
        Creating New Names ... 403
    Actions ... 403
        FSM Tables ... 405
    Custom State Tables ... 406
        Tracking Versions ... 406
        Examples ... 406
            Preprocessing Module ... 406
            Interim Logging ... 408
            Custom Logging Format ... 408
            Proxy Accounting Messages ... 409
27 Customizing the HP-UX AAA Server Using Policies ... 411
    Policy Overview ... 411
    Defining a Policy in a Decision File ... 412
        Action Commands ... 413
            The delete Command ... 414
            The insert Command ... 415
            The modify Command ... 417
            The exit Command ... 418
            The log Command ... 419
            The if Command ... 420
        Attribute Specifications ... 422
            Attribute Names ... 422
            Vendor Names ... 422
            Attribute Instance Specifications ... 422
                No Instance Specification ... 423
                Numeric Instance Specification ... 423
                Keyword Instance Specification ... 423
            Attribute Functions ... 424
                The count Attribute Function ... 424
                The length Attribute Function ... 424
                The strcat Attribute Function ... 425
                The substr Attribute Function ... 426
                The tolower Attribute Function ... 429
                The toupper Attribute Function ... 430
        Value Types ... 430
        Arithmetic Expressions ... 431
            Arithmetic Operator Precedence and Association ... 431
        Supported Boolean Operators ... 432
            Boolean Operator Precedence and Association ... 433
        Type Compatibility ... 434
    Invoking a Policy ... 435
        Invoking Policies Through Predefined Policy Hooks ... 435
            Request Ingress Policy ... 435
            User Policy ... 436
                Invoking Policy from User Profiles ... 437
            Reply Egress Policy ... 437
            Proxy Egress Policy ... 438
            Proxy Ingress Policy ... 439
        Useful Attributes for Policy Conditions ... 440
        Modifying the FSM for Specific Customizations ... 441
    Sample Policy Implementations ... 442
        Dynamic Access Control ... 442
            Step 1 – Modifying the Default FSM for DAC ... 442
            Step 2 – Defining the DAC Policies ... 443
        DNIS Routing ... 444
            Step 1 – Modifying the Default FSM for DNIS Routing ... 444
            Step 2 – Defining the DNIS Routing Policies ... 444
28 Customizing the HP-UX AAA Server Using the SDK ... 446
    SDK Overview ... 446
    Migrating Plug-ins Created Using Previous Versions of the SDK ... 448
    Prerequisites for Using the SDK ... 448
    SDK Directory Structure ... 448
    SDK Concepts ... 448
        Overview of AATVs ... 448
        AATV Components ... 449
            The init Function ... 449
            The action Function ... 449
            The timer or callback Function ... 450
            The cleanup Function ... 450
    Creating Plug-ins ... 450
        Using AATVs to Create a Plug-in ... 451
        Compiling and Loading a Plug-in ... 452
        Testing and Debugging a Plug-in ... 453
            Using the GNU Project Debugger ... 453
                Using gdb to Debug Your Software Module ... 453
    Creating Plug-ins for AATVs ... 454
        A3 and A8 Algorithm Plug-in for EAP-SIM ... 454
            Creating A3, A8 Plug-ins ... 455
        AKA Algorithm Plug-in for EAP-AKA ... 456
            Creating AKA Plug-ins ... 457
26 Customizing the HP-UX AAA Server Using the Finite State Machine

The main component of the server's software engine is the Finite State Machine (FSM) and a few associated routines. At server startup, the FSM reads instructions from a state table by loading and parsing a .fsm file. By default, it loads the radius.fsm file, unless that file is missing or you have specified another .fsm file with the radiusd -f command. The .fsm file defines a state table that includes the states, events, and actions that determine how a request is processed.

You can track different versions of state tables by adding the following line to the .fsm file:

%FSMID Version-String

Version-String is the version information. This string appears in radcheck output.
States

In the Finite State Machine, a request transitions through a series of states, beginning with a state that includes the possible starting events. The action called first in response to an initial authentication request returns a value, an event, that determines the next state to transition to. Within each state, the next action is triggered by an event (derived from the previous state, the previous action, and the value, typically ACK or NAK, returned by that action), which in turn directs the flow of the request to another state, until an End state is reached. Figure 26-1 shows at a high level the process that a request goes through in the finite state machine.
Figure 26-1 Default FSM State Transitions
The actions triggered during this process read information from the server's configuration, from stored user profiles, and from policy. Based on this information the actions perform the server's authentication, authorization, and accounting functions. The server can be set up to do a variety of different functions by modifying existing FSM state tables or creating new ones. For example, interim accounting messages can be logged by calling the appropriate module at a certain point in the authentication process.

Each state defined in a finite state table starts with a line containing the name of the state, followed by a colon character. Each subsequent line is an event handler with three required and two optional fields, delimited by spaces or tabs. The syntax of a state in a finite state table is:

State-name:
    Event-1    Action-1    Next-state-1    Xvalue=integer    Xstring=string
    ...        ...         ...
    Event-n    Action-n    Next-state-n    Xvalue=integer    Xstring=string
State-name
    An arbitrary string that names a state in the FSM. It can contain any printable ASCII characters except space, newline, carriage return, tab, and colon.
    • Every state except the Start state must be referenced as the next state by at least one event handler in some state.
    • Every state except End must have at least one event handler.
    • Every state referenced in an event handler must be defined.
    • A state is defined only once in the FSM.

Event-n
    A three-tuple, with the parts separated by period characters, in the form Last-state.Last-action.Event-name:
    • Last-state: the name of the state that generated the event, or an asterisk (*). Use the asterisk to match any state when there is no last state for the event, or when the last state does not matter.
    • Last-action: the name of the action that generated the event, or an arbitrary string (found in the code or arriving in a packet) prefixed with a plus character (+). This field can also be an asterisk (*), which matches any action when there is no last action or the last action does not matter. When preceded by a plus sign, the string does not refer to the last action but to a value assigned to the internal attribute Interlink-Proxy-Action according to the type of message received and where it was received from.
    • Event-name: the string returned by Last-action.

Action-n
    The name of the action to call. The called action returns a value that is used to determine the next action. Refer to "Actions" (page 403) for a list of commonly called modules. Typically, the HP-UX AAA Server invokes AUTHENTICATE upon receipt of an authentication request. AUTHENTICATE in turn invokes the proper authentication module (PROLDAP, SQLAccess, and so on), depending on the configuration of the request in question. This process is specific to the server's default state table.

Next-state-n
    The name of the next state in the AAA transaction. The current State-name, Action-n, and the value returned from the called AATV (Event-name) are used to determine which event handler listed under Next-state-n is processed.

Xvalue=integer
    An A-V pair (integer value) that may be passed to an Action as an argument. Only one integer argument may be specified for each event handler.

Xstring=string
    An A-V pair (string value) that may be passed to an Action as an argument. Only one string argument may be specified for each event handler.
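To make the rules above concrete, here is an added Python example; it is not code from the HP-UX AAA Server. It parses a .fsm state table in the syntax just described, checks the State-name rules (each state defined once, every non-start state referenced as a next state, every non-End state has a handler, every referenced state defined), enforces that a custom event name is declared with the event keyword before its first use and that a handler carries at most one Xvalue and one Xstring, and then resolves which handler fires for a given Last-state.Last-action.Event-name. The sample table is constructed from the Preprocessing Module example later in this chapter, closed out with UsersCheck, Hold and End states that are assumptions. Treating the first state in the file as the start state, the terminal state as End, and handlers as matched in file order are also assumptions, as is the subset of Table 26-1 used as the predefined event names.

```python
import re
from dataclasses import dataclass

# Subset of Table 26-1; names the table says must be declared in the .fsm file
# (CONTINUE, DROP, LASCP, PROXY_EGRESS, SEND) are deliberately absent.
PREDEFINED_EVENTS = {
    "ACK", "NAK", "ACCT", "AUTHEN", "AUTH_ONLY", "ACC_CHAL", "ACCT_ALIVE", "ACCT_START",
    "ACCT_STOP", "ACCT_ON", "ACCT_OFF", "ACCT_DUP", "DUP", "ERROR", "WAIT", "TIMEOUT",
    "TIMER", "RETRY_LIMIT", "NO_SUCH_REALM", "PW_EXPIRED", "RETRIEVE_ERROR", "RETRIEVE_SUCCESS",
}
STATE_RE = re.compile(r"^([^\s:]+):$")
EVENT_RE = re.compile(r"^([^.\s]+)\.([^.\s]+)\.([^.\s]+)$")  # Last-state.Last-action.Event-name

# Constructed sample: the chapter's preprocessing fragment, closed out with UsersCheck,
# Hold and End states that are this example's assumptions, not the product's table.
SAMPLE_FSM = """
%FSMID preproc-example-1
START:
    *.+AUTHEN.ACK          PREPROC    Preauth
    *.+AUTHENTICATE.ACK    PREPROC    Preauth
Preauth:
    *.PREPROC.ACK          iaaaUsers  UsersCheck
    *.PREPROC.NAK          REPLY      Hold
UsersCheck:
    *.iaaaUsers.ACK        POLICY     Hold    Xstring=decisionfile:dhcp.grp
    *.*.NAK                REPLY      Hold
Hold:
    *.*.ACK                CLEANUP    End
End:
"""


@dataclass
class Handler:
    last_state: str
    last_action: str
    event: str
    action: str
    next_state: str
    xvalue: int = None
    xstring: str = None


def parse_handler(line, lineno, declared):
    """One 'Event Action Next-state [Xvalue=i] [Xstring=s]' line."""
    fields = line.split()
    m = EVENT_RE.match(fields[0]) if len(fields) >= 3 else None
    if not m:
        raise ValueError(f"line {lineno}: expected Last-state.Last-action.Event Action Next-state")
    if m.group(3) not in PREDEFINED_EVENTS and m.group(3) not in declared:
        raise ValueError(f"line {lineno}: event {m.group(3)} is neither predefined nor declared above")
    h = Handler(*m.groups(), fields[1], fields[2])
    for extra in fields[3:]:
        key, _, val = extra.partition("=")
        if key == "Xvalue" and h.xvalue is None and re.fullmatch(r"-?\d+", val):
            h.xvalue = int(val)
        elif key == "Xstring" and h.xstring is None and val:
            h.xstring = val
        else:
            raise ValueError(f"line {lineno}: unexpected or repeated field {extra!r}")
    return h


def parse_fsm(text):
    """Return (fsmid, {state: [Handler, ...]}) with states in file order."""
    fsmid, states, declared, current = None, {}, set(), None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("%FSMID"):
            fsmid = line[6:].strip()
        elif line.startswith("event "):
            declared.add(line.split(None, 1)[1].strip())  # must precede the first use
        elif STATE_RE.match(line):
            current = line[:-1]
            if current in states:
                raise ValueError(f"line {lineno}: state {current} defined twice")
            states[current] = []
        elif current is None:
            raise ValueError(f"line {lineno}: event handler before the first state")
        else:
            states[current].append(parse_handler(line, lineno, declared))
    return fsmid, states


def validate(states, end_state="End"):
    """Violations of the State-name rules; an empty list means the table is consistent."""
    start = next(iter(states), None)
    referenced = {h.next_state for hs in states.values() for h in hs}
    problems = [f"state {n} is never used as a next state"
                for n in states if n != start and n not in referenced]
    problems += [f"state {n} has no event handler"
                 for n, hs in states.items() if n != end_state and not hs]
    problems += [f"next state {n} is referenced but never defined"
                 for n in sorted(referenced - set(states))]
    return problems


def resolve(states, state, last_state, last_action, event):
    """Handler that fires in `state` for the event; '*' matches any last state or action."""
    for h in states.get(state, []):  # first match in file order (assumption)
        if h.last_state in ("*", last_state) and h.last_action in ("*", last_action) and h.event == event:
            return h
    return None
```

Running validate on a table before copying it to /etc/opt/aaa/radius.fsm catches the two mistakes that are hardest to spot by eye in a long table: a next state whose name is misspelled (so the handler can never be taken) and a state that is defined but no longer reachable after an edit such as the CheckTestPolicy change in Chapter 25.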
Using Xstring to call Policy

With the POLICY module, you can use the Xstring parameter to specify a URL where policy definitions are stored. These policies group requests based on Attribute-Value (A-V) pairs in an Access-Request and allow the request to be resolved differently according to those values. For example, with some additional modifications to the FSM you can control access based on dial-in date and time, perform Dialed Number Identification Service (DNIS) routing based on the number dialed, or apply other such criteria. The syntax is:

Xstring=decisionfile:Filename

Where Filename is the name of the file. This syntax points to policy stored in a flat file (called a decision file; see Chapter 27 (page 411)).

NOTE: You can configure the FSM to call the POLICY action more than once. The FSM must call POLICY once for each decision file you want to use.
Using Xstring to Call an Alternate authfile

With the REALM action you can use the Xstring parameter to point to an alternate authfile. Use the following syntax:

Xstring=Filename

Filename is the name of the alternate file. The authfile is used by the REALM action while processing the authentication request. Set Xstring to the prefix name of the authfile to use an alternate authfile instead of the default authfile.
Event Names

After an action completes its task, it returns an event name to the FSM. The previous state, the action, and the event name determine the current event, which in turn determines the next action of the FSM. The event names returned by the standard HP-UX AAA Server actions are predefined, but you can create your own names by modifying the FSM. To implement your own policy decisions or custom logging, you can configure the server to return predefined or custom event names by using the Decision attribute in stored policy.
Predefined Event Names

Several event names that can be returned by an action are predefined in the server.

Table 26-1 Predefined Event Names

Event Name                  Description
ACCT                        The incoming request is an Accounting-Request.
ACC_CHAL                    An Access-Challenge message must be sent in response to an access challenge.
ACCT_ALIVE                  The incoming Accounting-Request is an interim accounting message.
ACCT_CANCEL                 The incoming Accounting-Request is a message to cancel the session.
ACCT_DUP                    The incoming Accounting-Request is a duplicate.
ACCT_MSTART                 The originating NAS has just rebooted, so all active sessions from this client can be purged.
ACCT_MSTOP                  The originating NAS is about to reboot.
ACCT_OFF                    The received accounting message has a Status-Type of Accounting-Off.
ACCT_ON                     The received accounting message has a Status-Type of Accounting-On.
ACCT_START                  The received accounting message has a Status-Type of Start.
ACCT_STOP                   The received accounting message has a Status-Type of Stop.
ACCT_TUNNEL_LINK_START      The incoming Accounting-Request is a message to start a session through an established tunnel.
ACCT_TUNNEL_LINK_STOP       The incoming Accounting-Request is a message to end a session through an established tunnel.
ACCT_TUNNEL_REJECT          The incoming Accounting-Request indicates that a requested tunnel could not be established.
ACCT_TUNNEL_START           The incoming Accounting-Request is a message to establish a tunnel.
ACCT_TUNNEL_STOP            The incoming Accounting-Request is a message to eliminate a tunnel.
ACK                         Acknowledgment of the previous action.
ACT_TUNNEL_LINK_REJECT      The incoming Accounting-Request indicates that the user has been denied access to an established tunnel.
AUTHEN                      The incoming request is an Access-Request.
AUTH_ONLY                   The received Access-Request has a Service-Type of Authenticate-Only.
CONTINUE                    The incoming Access-Request is a continuation of an in-progress EAP conversation. In general, you can allow the server to handle these events without modification. This event is not predefined; it must be defined in the FSM file.
CLIENT_REQ                  The request is a CLIENT request.
DROP                        The request must be dropped without any further processing. This event is not predefined; it must be defined in the FSM file with a value that matches the value of DROP for the Interlink-Reply-Status attribute defined in the dictionary file.
DUP                         The incoming Access-Request is a duplicate. Generally, you should allow the server to handle these events without modification.
ERROR                       The previous action generated an error. Generally, you can allow the server to handle these events without modification.
LASCP                       The incoming Accounting-Request is an accounting interim update. Generally, you can allow the server to handle these events without modification. This event is not predefined; it must be defined in the FSM file.
NAK                         Negative acknowledgment of the previous action.
NO_SUCH_REALM               Returned by the REALM action when a user's realm cannot be found in the authfile.
POST_REPLY_EGRESS           Returned by the reply-egress policy. This event handles post-reply-egress actions when OTP authentication is configured. NOTE: The default policy file uses SQLAccess.
PROXY_CREDENTIAL            Proxies the OTP to the target proxy server when OTP authentication is configured. NOTE: The default policy file uses the RAD2RAD AATV.
PROXY_EGRESS                May be returned by the RAD2RAD AATV (RADIUS proxy) module to indicate that a request is about to be forwarded. In the default FSM this invokes the proxy reply-egress policy. This event is not predefined; it must be defined in the FSM file.
PW_EXPIRED                  Returned by the AUTHENTICATE action if the user profile includes an out-of-date value for the Expiration configuration attribute.
RETRIEVE_ERROR              Returned by iaaaUsers, PROLDAP, or another data store action if the action could not locate the user's profile in the configured data store.
RETRIEVEOTP_INFO            Retrieves token information from the repository.
RETRIEVE_SUCCESS            Returned by iaaaUsers, PROLDAP, SQLAccess, or another data store action if the action located the user profile in the configured data store.
RETRY_LIMIT                 The number of received duplicate requests has exceeded the retry limit.
SEND                        Typically used after a reply-egress policy to cause the request to be forwarded or the reply to be sent. This event is not predefined; it must be defined in the FSM file.
TIMEOUT                     The request has timed out due to inactivity.
TIMER                       The timer value has expired.
WAIT                        The previous action generated a pending event. Generally, you should allow the server to handle these events without modification.
SIM_AUTH_BY_PERMANENT_ID    EAP-SIM authentication must be done based on the permanent identity.
SIM_AUTH_BY_PSEUDONYM       EAP-SIM authentication must be done based on the pseudonym identity.
SIM_AUTH_BY_FAST_REAUTH_ID  EAP-SIM authentication must be done based on the fast re-authentication identity.
SIM_UPDATE                  EAP-SIM pseudonym or fast re-authentication identity database update.
AKA_AUTH_BY_PERMANENT_ID    EAP-AKA authentication must be done based on the permanent identity.
AKA_AUTH_BY_PSEUDONYM       EAP-AKA authentication must be done based on the pseudonym identity.
AKA_AUTH_BY_FAST_REAUTH_ID  EAP-AKA authentication must be done based on the fast re-authentication identity.
AKA_UPDATE                  EAP-AKA pseudonym or fast re-authentication identity database update.
AKA_RESYNCHRONIZATION       EAP-AKA sequence number re-synchronization.
Creating New Names

You can create custom event names. An event can be defined anywhere in the state table, but it must be defined before it is referenced. Use the following syntax to create a new event name:

event Name

Name can be any alphanumeric string and can include underscores (_).
Actions

The actions in the state table correspond to the AATV actions defined. These actions perform discrete functions, such as initiating an authentication request, replying to an authentication request, or logging an accounting record. Any action in the state table must exist in an HP-UX AAA library or plug-in (located in the /opt/aaa/aatv directory). Table 26-2 lists some of the available actions.
Table 26-2 Available Actions

Action                      Description
ACCT                        Writes Livingston call detail records.
ACCT_SWITCH                 Directs the FSM to the next state based on the reason code of the Accounting-Request.
ACK                         Signifies success.
iaaaAuthenticate            Parses and verifies the password received in the request against the password in the stored user profile.
AUTHENTICATE                Initial action to handle an Access-Request.
CHK_DNY                     Verifies check items in the user profile.
CLEANUP                     Exits the FSM.
CLIENT                      Enqueues the CLIENT request in a message queue and spawns a new CLIENT request.
CONTINUE                    Resumes processing of an in-progress EAP conversation.
EAP                         Performs EAP authentication.
iaaaUsers, iaaaFile         Attempt to retrieve a user profile stored in a users file.
FILE                        Retrieves the user profile from a users or realm file and verifies the password.
IPADDR                      Assigns an IP address from a reserved pool of addresses.
KILL                        Unconditionally removes pending events.
LAS                         Evaluates realm-based authorization.
LAS_ACCT                    Initial action to handle an Accounting-Request.
LOG                         Writes Merit session log records.
NULL                        No-action placeholder.
PASSWD                      Retrieves the UNIX user profile and verifies the password.
PENDING                     Checks for pending events.
POLICY                      Evaluates complex policy decisions that apply to a request.
ProxySend                   Forwards proxy requests.
POSTLAS                     Allocates tokens.
PROLDAP                     Retrieves the user profile from an LDAP server and verifies the password.
RAD2RAD                     Sends RADIUS proxy requests.
RADDNS                      Resolves DNS names.
RADIUS                      Receives RADIUS requests and replies.
iaaaRealm                   Attempts to locate where a user profile is stored for the realm extracted from a user request.
REALM                       Handles realm-based authentication.
REDO                        Repeats an action.
REPLY                       Sends a RADIUS reply (access or accounting) to a client.
ReplyDispatch               Translates the Interlink-Reply-Status attribute to an FSM event.
ReplyPrep                   Prepares to generate reply messages prior to the reply-egress policy.
ReplySend                   Generates reply messages after the reply-egress policy.
RequestDispatch             Translates the Interlink-Proxy-Action attribute to an FSM event.
SQLAccess                   Triggers the SQL action specified in the Xstring argument.
SRV_STATUS                  Handles Status-Server (Management-Poll) requests.
TIMEOUT                     Performs timeout logging. If the Xstring value of tracing is off, default logging is disabled.
TUNNELING                   Encrypts Tunnel-Password and resolves hints from the client.
EAP-SIMAKA                  EAP-SIM and EAP-AKA protocol action function.
SIMAKA-Credentials          Performs EAP-SIM/EAP-AKA credential lookup using the configured AATV.
SIMAKA-VectorCalc           Calculates the authentication vector for EAP-SIM/EAP-AKA.
SIMAKA-ReauthLookup         Performs EAP-SIM/EAP-AKA fast re-authentication database lookup using the configured AATV.
SIMAKA-ReauthUpdate         Performs EAP-SIM/EAP-AKA fast re-authentication database update using the configured AATV.
SIMAKA-PseudonymUpdate      Performs EAP-SIM/EAP-AKA pseudonym database lookup using the configured AATV.
SIMAKA-PseudonymUpdate      Performs EAP-SIM/EAP-AKA pseudonym database update using the configured AATV.
SIMAKA-ResyncUpdate         Performs re-synchronization of the sequence number for EAP-AKA using the configured AATV.
SIMAKA-AuthResultUpdate     Performs authentication result update for EAP-AKA using the configured AATV.
FSM Tables

Table 26-3 lists the predefined FSM tables you can use.

Table 26-3 Predefined FSM Tables

Filename                                          Function
/etc/opt/aaa/radius.fsm                           Basic authentication, authorization, and accounting functions.
/opt/aaa/examples/config/merit.fsm                For use with legacy applications that require the finite state table used in HP-UX AAA Server versions before A.06.02.
/opt/aaa/examples/config/logall.fsm               Logs all accounting messages in Merit-style session logs.
/opt/aaa/examples/config/proxyacct.fsm            Template file that allows accounting messages to be logged at a remote proxy server.
/opt/aaa/examples/config/DNIS.fsm                 Template file that adds an example of DNIS routing to default.fsm.
/opt/aaa/examples/config/DAC.fsm                  Template file that adds an example of dynamic access control (DAC) to default.fsm.
/opt/aaa/examples/config/sqlacess-acct.fsm        Sample FSM file required to implement accounting without session management using SQL access.
/opt/aaa/examples/config/sqlaccess-acct-sess.fsm  Sample FSM file required to implement accounting with session management using SQL access.
To use any of the above predefined state tables, copy the required .fsm file to /etc/opt/aaa/radius.fsm (keeping a copy of the existing radius.fsm so you can revert) and start the AAA server.
NOTE: The product is installed with logall.fsm as radius.fsm in /etc/opt/aaa/.
Custom State Tables

The server can be set up for different functions by modifying existing FSM tables or creating new ones. Edit the state table to change the authorization sequence, or to have interim accounting messages logged by calling the appropriate module at a certain point in the authentication process.

Tracking Versions

You can embed version information in a state table using the following syntax:

%FSMID Version

Version can be any string; it appears as the ID in radcheck output.

Examples

State table modifications range from simple changes to more involved customization and offer a great deal of flexibility when configuring the HP-UX AAA software.
Preprocessing Module
An Access-Request message may need to be pre-processed for a variety of reasons. For example, if the client sends a User-Name value with extraneous information, the extraneous information may need to be stripped out before the server authenticates the user. Preprocessing requires that you write or obtain a plug-in that will parse the message and pass the processed A-V pairs to the iaaaUsers action.
Modify the state table to call the preprocessing plug-in when the message is first received. Add a preprocessing state that calls the iaaaUsers action and transitions to the UsersCheck state.
1 START:
2   *.+AUTHEN.ACK        PREPROC    Preauth
3   *.+AUTHENTICATE.ACK  PREPROC    Preauth
4 Preauth:
5   *.PREPROC.ACK        iaaaUsers  UsersCheck
6   *.PREPROC.NAK        REPLY      Hold
7 . . .
Lines 1-3    *.+AUTHEN.ACK or *.+AUTHENTICATE.ACK indicates that the received message is an Access-Request. PREPROC indicates the action, which calls the custom PREPROC software module. PREPROC is programmed to parse User-Name, strip out the extraneous information, and assign the result to the User-Id attribute. (The server uses User-Id to locate a stored user profile.) If PREPROC is successful it returns an ACK event name; otherwise, it returns a NAK. Preauth indicates the next state the FSM must proceed to after PREPROC returns an ACK or NAK event name.
Line 4       As described for lines 1 to 3, Preauth is the next state after PREPROC has parsed User-Name and returned an ACK or NAK value.
Line 5       If PREPROC returns an ACK value, handling of the request continues normally with the modified user name.
Line 6       If PREPROC returns a NAK value, the request is rejected.
NOTE: When listing an event, you need to specify the last action only if it is requiredfor the finite state table to correctly determine the next action. In this case, the Preauthevents *.*.ACK and *.*.NAK on lines 5 and 6 would also work.
Interim Logging
To indicate that a session is still active, the client sends an accounting message at regular intervals (defined by the client) during the session. To generate session logs when the server receives this accounting message, you need to modify one line in the ACCTlog state. The following example uses the default radius.fsm FSM file.
*.*.ACCT_ALIVE    LOG    REPLYHold
The REPLY action has been replaced with LOG, which is the action that writes the session log. If you want to log other accounting messages, you must change the action to LOG for each event that corresponds to a message that must be logged.
NOTE: A AAA Server-provided state table, logall.fsm, will log all accountingmessages.
Custom Logging Format
Using a custom logging format requires that you write or obtain a plug-in that generates a session log. In each instance where you want to use your custom format, you must replace the LOG action in the state table with the name of the appropriate action defined in your plug-in. The ACCTlog state in the following example uses a logging format generated by MYLOG for an ordinary session and another format generated by TUNNELLOG for tunnel sessions.
ACCTlog:
  *.*.ACCT_START               REPLY      Hold
  *.*.ACCT_STOP                MYLOG      REPLYHold
  *.*.ACCT_ALIVE               REPLY      Hold
  *.*.ACCT_MSTART              REPLY      Hold
  *.*.ACCT_MSTOP               MYLOG      REPLYHold
  *.*.ACCT_CANCEL              REPLY      Hold
  *.*.ACCT_ON                  MYLOG      REPLYHold
  *.*.ACCT_OFF                 MYLOG      REPLYHold
  *.*.ACCT_TUNNEL_START        REPLY      Hold
  *.*.ACCT_TUNNEL_STOP         TUNNELLOG  REPLYHold
  *.*.ACCT_TUNNEL_REJECT       TUNNELLOG  REPLYHold
  *.*.ACCT_TUNNEL_LINK_START   REPLY      Hold
  *.*.ACCT_TUNNEL_LINK_STOP    TUNNELLOG  REPLYHold
  *.*.ACCT_TUNNEL_LINK_REJECT  TUNNELLOG  REPLYHold
Proxy Accounting Messages
If you have a distributed network of AAA servers, you can choose to centralize log records for some or all of the accounting logs at a single location. The RAD2RAD action can forward accounting messages to another server, as specified by an Xstring value. If all accounting messages will be forwarded to a remote server, the ACCTlog state in the forwarding server's state table can be removed, or commented out as shown below.
 1 . . .
 2 ACCTwait:
 3   *.*.ACK        RAD2RAD  REPLYHold  Xstring="default.accounting.proxy.server"
 4 IPPool:
 5   *.*.ACK        POSTLAS  Tunneling
 6   *.*.NAK        POSTLAS  REPLYHold
 7 . . .
 8 REPLYHold:
 9   *.*.ACK        REPLY    Hold
10   *.*.NAK        REPLY    Hold
11   *.*.ACC_CHAL   REPLY    Hold
12   *.*.ACCT_DUP   RAD2RAD  REPLYHold  Xstring="default.accounting.proxy.server"
13 Hold:
14   *.*.TIMEOUT    NULL     End
15 End:
Lines 1 to 2    The FSM handles the request normally until it reaches the ACCTwait state.
Lines 2 to 4    RAD2RAD forwards the message to default.accounting.proxy.server. When a response is received from the remote server, the FSM transitions to the REPLYHold state.
Lines 5 to 8    The next state listed in the state table is IPPool, since ACCTlog is no longer required. The remaining states handle authentication requests.
Lines 9 to 15   Handle the accounting response from the remote server and close the request.
NOTE: This example appears in the AAA Server-provided template file,proxyacct.fsm.
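Removing or reordering states by hand, as in the preprocessing, custom-logging and proxy-accounting examples above, makes it easy to leave a transition pointing at a state that no longer exists. The following Python script is an added illustration (it is not part of the HP-UX AAA Server product) of a check that catches that before the table is copied to /etc/opt/aaa/radius.fsm. It parses a table in the layout used in this chapter (a `Name:` line opens a state; each following line is an event, an action, a next state and an optional Xstring) and reports next states that no state defines, terminal states, and every RAD2RAD forwarding target. The sample table is constructed from the fragments shown above and is deliberately incomplete: UsersCheck and Tunneling are referenced but never defined, so the checker reports exactly those two. Treating %FSMID as the only directive and one transition per line are assumptions drawn from the examples in this chapter, not a statement of the product's full file grammar.

```python
"""Sanity checker for a custom HP-UX AAA state table (.fsm).

Added example, not part of the HP-UX AAA Server product.  The table layout is
the one shown in this chapter: a line "Name:" opens a state; each following
line is "<event> <action> <next-state>" with an optional Xstring="...".
Treating %FSMID as the only directive is an assumption based on the examples.
"""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple


class Transition(NamedTuple):
    state: str
    event: str
    action: str
    next_state: str
    xstring: Optional[str]


STATE_RE = re.compile(r"^(\w+):$")
TRANS_RE = re.compile(r'^(\S+)\s+(\S+)\s+(\S+)(?:\s+Xstring="([^"]*)")?$')

# Constructed sample: the preprocessing and proxy-accounting fragments from
# this chapter joined together.  UsersCheck and Tunneling are deliberately
# left undefined so that the checker has something to report.
SAMPLE_FSM = """\
%FSMID proxyacct-example
START:
  *.+AUTHEN.ACK        PREPROC    Preauth
  *.+AUTHENTICATE.ACK  PREPROC    Preauth
Preauth:
  *.PREPROC.ACK        iaaaUsers  UsersCheck
  *.PREPROC.NAK        REPLY      Hold
ACCTwait:
  *.*.ACK              RAD2RAD    REPLYHold  Xstring="default.accounting.proxy.server"
IPPool:
  *.*.ACK              POSTLAS    Tunneling
  *.*.NAK              POSTLAS    REPLYHold
REPLYHold:
  *.*.ACK              REPLY      Hold
  *.*.NAK              REPLY      Hold
  *.*.ACC_CHAL         REPLY      Hold
  *.*.ACCT_DUP         RAD2RAD    REPLYHold  Xstring="default.accounting.proxy.server"
Hold:
  *.*.TIMEOUT          NULL       End
End:
"""


def parse_fsm(text: str) -> Tuple[Optional[str], Dict[str, List[Transition]]]:
    """Return (FSMID, {state: [transitions]}); raise ValueError on an unparsable line."""
    fsmid: Optional[str] = None
    states: Dict[str, List[Transition]] = {}
    current: Optional[str] = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("%FSMID"):
            fsmid = line[len("%FSMID"):].strip()
            continue
        m = STATE_RE.match(line)
        if m:
            current = m.group(1)
            states.setdefault(current, [])
            continue
        m = TRANS_RE.match(line)
        if m and current is not None:
            states[current].append(Transition(current, *m.groups()))
            continue
        raise ValueError(f"line {lineno}: cannot parse {raw!r}")
    return fsmid, states


def undefined_next_states(states: Dict[str, List[Transition]]) -> List[str]:
    """Next states that some transition references but no state line defines."""
    referenced = {t.next_state for ts in states.values() for t in ts}
    return sorted(referenced - set(states))


def terminal_states(states: Dict[str, List[Transition]]) -> List[str]:
    """States with no outgoing transitions (normally only End)."""
    return sorted(name for name, ts in states.items() if not ts)


def remote_proxies(states: Dict[str, List[Transition]]) -> List[str]:
    """Every distinct Xstring target of a RAD2RAD action, i.e. where records leave the host."""
    return sorted({t.xstring for ts in states.values() for t in ts
                   if t.action == "RAD2RAD" and t.xstring})


if __name__ == "__main__":
    fsm_id, table = parse_fsm(SAMPLE_FSM)
    print("FSMID:", fsm_id)
    print("undefined next states:", undefined_next_states(table))
    print("terminal states:", terminal_states(table))
    print("RAD2RAD targets:", remote_proxies(table))
```

The RAD2RAD listing is the part worth keeping in a review checklist: it shows at a glance which accounting records will leave the local server and to which configured target, so an unexpected Xstring in a modified table stands out.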
27 Customizing the HP-UX AAA Server Using Policies
This chapter explains how you can use policies to customize the HP-UX AAA Server. This chapter also discusses some sample policy implementations.
This chapter addresses the following topics:
• “Policy Overview” (page 411)
• “Defining a Policy in a Decision File” (page 412)
  — “Action Commands” (page 413)
  — “Attribute Specifications” (page 422)
  — “Attribute Functions” (page 424)
  — “Value Types” (page 430)
  — “Arithmetic Expressions” (page 431)
  — “Supported Boolean Operators” (page 432)
  — “Type Compatibility” (page 434)
• “Invoking a Policy” (page 435)
  — “Invoking Policies Through Predefined Policy Hooks” (page 435)
  — “Modifying the FSM for Specific Customizations” (page 441)
• “Sample Policy Implementations” (page 442)
  — “Dynamic Access Control” (page 442)
  — “DNIS Routing” (page 444)
Policy Overview
Advanced policy actions enable you to manipulate the RADIUS contents based on the contents of the RADIUS request and reply packets, and various system contexts (for example, a local IP address). Policy modules are invoked using the Finite State Machine (FSM) and can be executed at any time during processing of the RADIUS packet. When a policy AATV is invoked, you can specify the policy definition file. The following predefined policy files are included in the default FSM:
• request-ingress.grp
• reply-egress.grp
• proxy-egress.grp
• proxy-ingress.grp
Notes:
• Customers can also write their own policy decision files and invoke them from the FSM or the user profiles.
• This chapter discusses only the new (and easier to use) format for creating decision files. The old format contains policy group entries that are still supported. However, the old format is not documented in this chapter. For information about the old syntax, see Appendix E (page 596).
• You cannot create a single decision file using syntax from both formats.
Defining a Policy in a Decision FileA decision file is evaluated from beginning to end against the request, by removing,modifying and/or adding A-V pairs as specified until an Exit command is encountered.Any remaining lines are not evaluated. The Exit command specifies the event to bereturned to the FSM. The event is used to control the flow through the FSM. If the endof the file is reached without executing an Exit command then the ACK event is returnedto the FSM. For more information on FSMs, see Chapter 26 (page 396).
Example 27-1 An example of a policy file that restricts Session-Timeout to one hour for guests, removes unwanted attributes, and provides administrative privileges to administrators
# Guests have a session-timeout of one hour. Normal users
# have 5 hours.
if (substr (User-Name after "@") = "guest.example.com")
{
    insert Session-Timeout = 3600
} else
{
    insert Session-Timeout = 18000
}
if( NAS-IP-Address = "192.168.0.1")
{
    # Delete Filter-Id for NASes that do not support it.
    delete Filter-Id
}
if( User-Name = "admin")
{
    # Modify Service-Type to provide administrative privileges.
    modify Service-Type = "Administrative"
}
This section describes the syntax and usage of the various commands. It also explains how to specify attributes and values. This section discusses the following topics:
• “Action Commands.”
• “Attribute Specifications” (page 422)
• “Value Types” (page 430)
• “Supported Boolean Operators” (page 432)
• “Type Compatibility” (page 434)
Action Commands
A decision file contains a series of action commands that specify the action to be performed by the policy. Following are the action commands that you can specify:
• “The delete Command.”
• “The insert Command.”
• “The modify Command” (page 417)
• “The exit Command” (page 418)
• “The log Command” (page 419)
• “The if Command” (page 420)
The following sections discuss these action commands in detail.
The delete Command
Syntax
delete <attr-spec>
Parameters
The <attr-spec> parameter is an attribute specification. For more information onspecifying attributes, see “Attribute Specifications” (page 422).
Operation
The delete command deletes the specified attribute instance(s) from the request. If <attr-spec> refers to an instance that is not present, no instance is deleted.
Examples
Table 27-1 discusses some examples that illustrate the use of the delete command.
Table 27-1 Examples Illustrating the Use of the delete Command
Request attributes: NAS-Port = 2; Reply-Message = "Hello, world!"; Reply-Message = "So long"; NAS-IP-Address = "2.3.4.5"
Command: delete Reply-Message[*]
Result: NAS-Port = 2; NAS-IP-Address = "2.3.4.5"

Request attributes: NAS-Port = 2; Reply-Message = "Hello, world!"; Reply-Message = "So long"; NAS-IP-Address = "2.3.4.5"
Command: delete Reply-Message
Result: NAS-Port = 2; Reply-Message = "Hello, world!"; NAS-IP-Address = "2.3.4.5"

Request attributes: NAS-Port = 2; Reply-Message = "Hello, world!"; Reply-Message = "So long"; NAS-IP-Address = "2.3.4.5"
Command: delete Reply-Message[0]
Result: NAS-Port = 2; Reply-Message = "So long"; NAS-IP-Address = "2.3.4.5"

Request attributes: NAS-Port = 2; Reply-Message = "Hello, world!"
Command: delete NAS-IP-Address[*]
Result: NAS-Port = 2; Reply-Message = "Hello, world!"

Request attributes: NAS-Port = 2; Reply-Message = "Hello, world!"
Command: delete NAS-IP-Address[0]
Result: NAS-Port = 2; Reply-Message = "Hello, world!"

Request attributes: NAS-Port = 2; Reply-Message = "Hello, world!"
Command: delete NAS-IP-Address[last]
Result: NAS-Port = 2; Reply-Message = "Hello, world!"
The insert Command
Syntax
insert <attr-spec> = <value-expr>
Parameters
• <attr-spec>: The <attr-spec> parameter is an attribute specification. For moreinformation on specifying attributes, see “Attribute Specifications” (page 422).
• <value-expr>: The <value-expr> parameter is a value expression. It can be a valuespecification, an attribute specification, an arithmetic expression, or an attributefunction. For more information, see “Attribute Specifications” (page 422),“Arithmetic Expressions” (page 431), “Value Types” (page 430), and “AttributeFunctions” (page 424).
NOTE: The types of <attr-spec> and <value-spec> must be compatible. For moreinformation, see “Type Compatibility” (page 434).
The instance location specified by <attr-spec> indicates the desired target location for the inserted instance. The algorithm used is "final opportunity", as opposed to "earliest opportunity". This implies that inserting "last" is the same as inserting at the end, and instance n occurs just before the already-present instance n (or at the end if instance n is not already present).
Operation
The insert command inserts <attr-spec> with <value-expr> into the request. Table 27-2discusses the behavior of the insert command in various scenarios.
Table 27-2 Behavior of the insert Command in Various Scenarios
If: The <attr-spec> parameter refers to an instance that is not present
Then: the attribute is inserted at the end of the list

If: The <attr-spec> parameter refers to a tagged attribute (tag-int or tag-str) and <value-spec> is not a tagged value
Then: the tag for the inserted attribute is set to 0

If: The <attr-spec> parameter refers to an attribute that is not tagged and <value-spec> is a tagged value
Then: the tag is ignored
Examples
Table 27-3 discusses some examples illustrating the use of the insert command.
Table 27-3 Examples Illustrating the Use of the insert Command
Request attributes: NAS-Port = 2; Reply-Message = "message#1"; Reply-Message = "message#2"; NAS-IP-Address = "2.3.4.5"
Command: insert Reply-Message = Reply-Message
Result: NAS-Port = 2; Reply-Message = "message#1"; Reply-Message = "message#2"; NAS-IP-Address = "2.3.4.5"; Reply-Message = "message#2"

Request attributes: NAS-Port = 2; Reply-Message = "message#1"; Reply-Message = "message#2"; NAS-IP-Address = "2.3.4.5"
Command: insert Reply-Message[0] = "a new message"
Result: NAS-Port = 2; Reply-Message = "a new message"; Reply-Message = "message#1"; Reply-Message = "message#2"; NAS-IP-Address = "2.3.4.5"

Request attributes: NAS-Port = 2; NAS-IP-Address = "2.3.4.5"
Command: insert Reply-Message[begin] = "Hello, world!"
Result: Reply-Message = "Hello, world!"; NAS-Port = 2; NAS-IP-Address = "2.3.4.5"

Request attributes: NAS-Port = 2; Xvalue = 10
Command: insert Xvalue = Nas-Port + 20 - Xvalue[0]
Result: NAS-Port = 2; Xvalue = 10; Xvalue = 12

Request attributes: Tunnel-Password = :2:"abc"
Command: insert Tunnel-Password = :3:"def"
Result: Tunnel-Password = :2:"abc"; Tunnel-Password = :3:"def"

Request attributes: Reply-Message = "hello"
Command: insert Reply-Message = :3:"def"
Result: Reply-Message = "hello"; Reply-Message = "def"

Request attributes: Reply-Message = "abc"
Command: insert NAS-Port = count(Reply-Message[*])
Result: Reply-Message = "abc"; NAS-Port = 1

Request attributes: Idle-Timeout = 10; Xvalue = 20
Command: insert Session-Timeout = Idle-Timeout * Xvalue
Result: Idle-Timeout = 10; Xvalue = 20; Session-Timeout = 200
For information on attribute functions (such as the count attribute function), see“Attribute Functions” (page 424).
The modify Command
Syntax
modify <attr-spec> = <value-expr>
Parameters
• <attr-spec>: The <attr-spec> is an attribute specification. For more information onspecifying attributes, see “Attribute Specifications” (page 422).
• <value-expr>: The <value-expr> is a value expression. It can be a value specification,an attribute specification, an arithmetic expression, or an attribute function. Formore information, see “Attribute Specifications” (page 422), “ArithmeticExpressions” (page 431), “Value Types” (page 430), and “Attribute Functions”(page 424).
NOTE: The types of <attr-spec> and <value-expr> must be compatible. For moreinformation on compatibility, see “Type Compatibility” (page 434).
Operation
The modify command modifies <attr-spec> to obtain the value <value-expr>.
NOTE: If <attr-spec> refers to a tagged attribute (tag-int or tag-str) and <value-spec> is a tagged value, the tag of <attr-spec> is not modified. Only the value of the <attr-spec> instance is modified.
Examples
Table 27-4 discusses some examples illustrating the use of the modify command.
Table 27-4 Examples Illustrating the Use of the modify Command
Request attributes: Reply-Message = "123"; Reply-Message = "456"
Command: modify Reply-Message = "abc"
Result: Reply-Message = "123"; Reply-Message = "abc"

Request attributes: Reply-Message = "123"; Reply-Message = "456"
Command: modify Reply-Message = Reply-Message[0]
Result: Reply-Message = "123"; Reply-Message = "123"

Request attributes: NAS-Identifier = "abc.def.ghi"
Command: modify NAS-Identifier = "wxyz"
Result: NAS-Identifier = "wxyz"

Request attributes: Tunnel-Password = :2:"abc"
Command: modify Tunnel-Password = "def"
Result: Tunnel-Password = :2:"def"

Request attributes: Tunnel-Password = :2:"abc"
Command: modify Tunnel-Password = :4:"ghi"
Result: Tunnel-Password = :2:"ghi"

Request attributes: Reply-Message = "hello"; Tunnel-Password = :17:"abc"
Command: modify Reply-Message = Tunnel-Password
Result: Reply-Message = "abc"; Tunnel-Password = :17:"abc"

Request attributes: Reply-Message = "hello"; Tunnel-Password = :17:"abc"
Command: modify Tunnel-Password = Reply-Message
Result: Reply-Message = "hello"; Tunnel-Password = :17:"hello"

Request attributes: NAS-Port = 7; Reply-Message = "abc"; Reply-Message = "def"
Command: modify NAS-Port = count(Reply-Message[*])
Result: NAS-Port = 2; Reply-Message = "abc"; Reply-Message = "def"

Request attributes: Reply-Message = "abc"; Reply-Message = "def"
Command: modify Reply-Message[0] = Reply-Message[1]
Result: Reply-Message = "def"; Reply-Message = "def"

Request attributes: Idle-Timeout = 10; Xvalue = 20; Session-Timeout = 100
Command: modify Idle-Timeout = Session-Timeout / Xvalue[0]
Result: Idle-Timeout = 5; Xvalue = 20; Session-Timeout = 100

Request attributes: Nas-Port = 2; Xvalue = 10
Command: modify Xvalue = Xvalue + Nas-Port - 5
Result: Nas-Port = 2; Xvalue = 7
The exit Command
Syntax
exit "<event-name>"
Parameters
The <event-name> parameter must be a quoted string and must specify an event that isdefined. There are a number of predefined events. You can also define additional eventsin the FSM file using the %event<name> syntax. For more information on FSM events,see “Event Names ” (page 399).
NOTE: Event names are case-insensitive (MyEvent is considered identical withMYEVENT).
Operation
The exit command terminates the evaluation of the policy and returns the namedevent to the FSM. The use of an undefined event name results in an undefined-eventload-time error.
The log Command
Syntax
log "<log-level>" "<log-message>"
log "<log-level>" "<log-message>", <attr-spec>
log "<log-level>" "<log-message>", <attr-spec>, <attr-spec>, ... <attr-spec>
Parameters
• <log-level>: The <log-level> parameter must be a quoted string and a log-level type. Following are the valid log levels:
  — ERROR
  — CRITICAL
  — ALERT
  — WARNING
  — INFO
NOTE: The <log-level> parameter is case-insensitive. For example, ERROR isconsidered identical with Error.
• <log-message>: The <log-message> parameter must be a quoted string. You can usemultiple instances of <attr-spec> and cause all named instances to be reported inthe log file. For more information on attribute specifications, see “AttributeSpecifications” (page 422). If <attr-spec> refers to an instance that is not present, thisis indicated in the log file output.
Operation
Executing the log command results in a message being written to the log file. Whenattributes are specified, they are appended to the log message. All log output linesinclude the name of the decision file and the line location of the log command thatgenerated the message. All log output is generated using the standard logging functionsthat prepend a timestamp to the output line.
Examples
Log "Warning" "This user should not come in through this NAS", User-Name, NAS-IP-Address
Results in the following entry in the log file:
<date>: decisionfile://request-ingress.grp(line 100, character 1): This user should not come in through this NAS, RADIUS:User-Name[last]="test_user", RADIUS:NAS-IP-Address[last]=15.146.225.145
The if Command
Syntax
• if (<bool-expr>) {<action-list1>} else {<action-list2>}
• if (<bool-expr>) {<action-list>}
Parameters
• <bool-expr>: The <bool-expr> parameter is a Boolean expression.
• <action-list1> and <action-list2>: The <action-list1> and <action-list2> parameters are sequences of action commands that can include additional if commands, nested to an arbitrary depth. When the else clause is omitted, <action-list2> can be considered an empty sequence of action commands.
Operation
The if command first evaluates the boolean expression <bool-expr>. If <bool-expr>evaluates to true, the sequence of action commands <action-list1> is executed. If<bool-expr> evaluates to false and an else clause is present, the sequence of actioncommands <action-list2> is executed.
Example 27-2 Examples Illustrating the Use of the if Command
Example 1
The following if statement:
if ( Session-Limit[1] < 30 )
{
    modify Session-Limit[1] = 30
}
else
{
    if ( Session-Limit[1] > 240 )
    {
        modify Session-Limit[1] = 240
    }
}
With the following input:
Session-Limit[0] = 10
Session-Limit[1] = 300
Results in:
Session-Limit[0] = 10
Session-Limit[1] = 240
Example 2
The following if statement:
if ( (NAS-IP-Address = "192.168.1.2") &&
     ((NAS-Identifier = "jack") || (Port-Limit > 20)) )
{
    exit "NAK"
}
With the following input:
NAS-IP-Address = "192.168.1.2"
NAS-Identifier = "fred"
Port-Limit = 23
Results in:
A NAK event is returned to the FSM. Depending on the FSM, the request may be rejected.
Example 3
The following if statement:
if ( Idle-Timeout * 10 = Session-Timeout + Xvalue )
{
    exit "ACK"
}
With the following input:
Idle-Timeout = 10
Session-Timeout = 90
Xvalue = 10
Results in:
An ACK event is returned to the FSM.
Attribute Specifications
You can use the following keywords to specify an attribute:
• “Attribute Names.”
• “Vendor Names.”
• “Attribute Instance Specifications.”
• “No Instance Specification.”
• “Numeric Instance Specification.”
• “Keyword Instance Specification” (page 423)
The following sections describe these keywords in detail.
Attribute Names
Attribute names defined in the server's dictionary file can be used. Attribute names are case-insensitive. For example, Reply-Message is considered identical with REPLY-MESSAGE. For more information on attribute names, see “The dictionary File” (page 531).
Vendor Names
If multiple vendors have used the same name to define an attribute, you must differentiate these names by prefixing the vendor's name to that of the attribute in the following format:
<vendor-name>:<attribute-name>
Vendor names are defined in the server's vendors file. For more information on vendor names and the syntax of vendor names in the vendors file, see “The vendors File” (page 538).
Attribute Instance SpecificationsA given attribute can have more than one instance on the request. As a result, you mustspecify the instance of a given attribute that is of interest. You must also specify theabsolute location of an attribute instance (for example, when inserting an attributename).
Attribute instance specifications are provided using the [] syntax after the attribute name. The instance of interest is indicated inside the square brackets ([]). You can specify an attribute instance in one of the following ways:
• “No Instance Specification.”
• “Numeric Instance Specification.”
• “Keyword Instance Specification” (page 423)
While specifying attribute instance specifications, ensure that there is no white space around or between the square brackets ([]).
No Instance Specification
You need not specify a specific instance if it is of no consequence. The no instancespecification is equivalent to specifying the last keyword. For more information onthe last keyword, see “Keyword Instance Specification.”
Numeric Instance Specification
When a specific instance is required, you can specify it numerically. Instances arenumbered from 0 (the first instance). Negative instance numbers are not allowed.
Keyword Instance Specification
When a specific instance is required, it can be specified using one of the following keywords, or by using the asterisk (*) symbol:
• The begin keyword: If you want to specify an attribute instance located at the beginning of the list, use the begin keyword. This keyword is supported only by the insert command, on the left side of the = operator. Following is an example of a correctly formatted keyword instance specification:
insert Reply-Message[begin] = "This is first"
For more information on the insert command, see “The insert Command” (page 415). Using the begin keyword with other commands results in an invalid-instance-specification load-time error.
• The last keyword: If you want to specify the last instance of an attribute, use the last keyword. Following is an example of a correctly formatted keyword instance specification:
Reply-Message[last]
NOTE: This is the default value if no keyword is specified.
• The asterisk keyword: If you want to specify all instances of an attribute, use the asterisk (*) symbol. The following example specifies all instances of the Reply-Message attribute:
Reply-Message[*]
This format is supported only by the delete command, the log command, and the count() attribute function. Using this format in unsupported contexts results in an invalid-instance-specification load-time error. For more information on the delete and log action commands, see “The delete Command” (page 414) and “The log Command” (page 419). For more information on the count() attribute function, see “The count Attribute Function” (page 424).
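To make the instance rules concrete, here is a small Python model, added as an illustration and not HP-UX AAA Server code, of the delete, insert and modify commands over a request held as an ordered list of (name, tag, value) tuples. It implements the [n], [last], [begin] and [*] instance specifications described above, the "final opportunity" placement rule of the insert command, the tag rules of Table 27-2, the tag-preserving behaviour of modify, and count() as used in the tables. Two points are assumptions: which attribute names are tagged (in the product this comes from the dictionary file; here Tunnel-Password is hard-coded) and what modify does when the target instance is absent, which the chapter does not state and the model treats as a no-such-instance error. The rows of Tables 27-1, 27-3 and 27-4 replay through it unchanged.

```python
"""Model of the delete, insert and modify commands over a RADIUS request,
including the attribute instance specifications [n], [last], [begin] and [*].

Added example, not HP-UX AAA Server code.  A request is an ordered list of
(name, tag, value) tuples; tag is None for attributes that are not tagged.
Which attributes are tagged normally comes from the dictionary file; here a
small set is hard-coded as an assumption.
"""
from typing import List, Optional, Tuple, Union

AV = Tuple[str, Optional[int], object]      # (attribute name, tag or None, value)
Instance = Union[int, str]                  # 0, 1, ... or "last", "begin", "*"

TAGGED_ATTRS = {"tunnel-password"}          # assumption: tag-str/tag-int attribute names


def _positions(req: List[AV], name: str) -> List[int]:
    """Indices of every instance of `name`; attribute names are case-insensitive."""
    return [i for i, av in enumerate(req) if av[0].lower() == name.lower()]


def _resolve(req: List[AV], name: str, inst: Instance) -> Optional[int]:
    """Index of one instance ([n] or [last]); None if that instance is not present."""
    pos = _positions(req, name)
    if inst == "last":
        return pos[-1] if pos else None
    if isinstance(inst, int) and inst >= 0:
        return pos[inst] if inst < len(pos) else None
    raise ValueError(f"invalid instance specification {inst!r}")


def get(req: List[AV], name: str, inst: Instance = "last") -> object:
    """Value of one instance; a missing instance is a no-such-instance run-time error."""
    idx = _resolve(req, name, inst)
    if idx is None:
        raise LookupError(f"no such instance: {name}[{inst}]")
    return req[idx][2]


def count(req: List[AV], name: str, inst: Instance = "last") -> int:
    """count(): number of instances for [*], else 1 if the instance is present, 0 if not."""
    if inst == "*":
        return len(_positions(req, name))
    return 0 if _resolve(req, name, inst) is None else 1


def delete(req: List[AV], name: str, inst: Instance = "last") -> List[AV]:
    """delete <attr-spec>: remove the instance(s); deleting an absent instance is a no-op."""
    if inst == "*":
        drop = set(_positions(req, name))
        return [av for i, av in enumerate(req) if i not in drop]
    idx = _resolve(req, name, inst)
    return list(req) if idx is None else req[:idx] + req[idx + 1:]


def insert(req: List[AV], name: str, value: object,
           inst: Instance = "last", tag: Optional[int] = None) -> List[AV]:
    """insert <attr-spec> = <value-expr> with "final opportunity" placement:
    [last] and an absent [n] append; a present [n] goes just before it; [begin]
    goes to the front of the whole list.  Tag handling follows Table 27-2."""
    tagged = name.lower() in TAGGED_ATTRS
    new_tag = (0 if tag is None else tag) if tagged else None
    if inst == "begin":
        idx = 0
    elif inst == "last":
        idx = len(req)
    else:
        found = _resolve(req, name, inst)
        idx = len(req) if found is None else found
    return req[:idx] + [(name, new_tag, value)] + req[idx:]


def modify(req: List[AV], name: str, value: object,
           inst: Instance = "last", tag: Optional[int] = None) -> List[AV]:
    """modify <attr-spec> = <value-expr>: replace the value of one present instance.
    The existing tag is kept even if the value carries one (NOTE under modify).
    The chapter does not say what happens when the instance is absent; this
    model treats it as a no-such-instance error (assumption)."""
    idx = _resolve(req, name, inst)
    if idx is None:
        raise LookupError(f"no such instance: {name}[{inst}]")
    old_name, old_tag, _ = req[idx]
    return req[:idx] + [(old_name, old_tag, value)] + req[idx + 1:]


if __name__ == "__main__":
    # Row 2 of Table 27-3: insert Reply-Message[0] = "a new message"
    request = [("NAS-Port", None, 2), ("Reply-Message", None, "message#1"),
               ("Reply-Message", None, "message#2"), ("NAS-IP-Address", None, "2.3.4.5")]
    for av in insert(request, "Reply-Message", "a new message", 0):
        print(av)
```

The value expression on the right of `=` is evaluated by the caller with `get` and `count`, which mirrors the decision file: `insert Xvalue = Nas-Port + 20 - Xvalue[0]` becomes `insert(req, "Xvalue", get(req, "NAS-Port") + 20 - get(req, "Xvalue", 0))`.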
Attribute Functions
Following are the supported attribute functions:
• “The count Attribute Function” (page 424)
• “The length Attribute Function” (page 424)
• “The strcat Attribute Function” (page 425)
• “The substr Attribute Function” (page 426)
• “The tolower Attribute Function” (page 429)
• “The toupper Attribute Function” (page 430)
The following sections describe these attribute functions in detail.
The count Attribute Function
Syntax
count (<attr-spec>)
Parameters
The <attr-spec> parameter is an attribute specification. For more information on specifying attributes, see “Attribute Specifications” (page 422). Numeric instances, last, and * can be used as arguments for the count attribute function. If no instance is specified, last is taken as the default. However, you cannot use attribute functions as arguments to the count function.
Operation
Returns an integer value that indicates the number of instances, as follows:
• If <attr-spec> refers to the * instance, then count() yields the total number of <attr-spec> instances present.
• If <attr-spec> refers to a specific instance that is present, then count() yields the value 1.
• If <attr-spec> refers to an instance that is not present, then count() yields the value 0.
The length Attribute Function
Syntax
length (<attr-spec>)
Parameters
The <attr-spec> parameter is an attribute specification. For more information onspecifying attributes, see “Attribute Specifications” (page 422).
Operation
Returns an integer value that indicates the number of characters in the string attribute.For a tag-str attribute, the tag octet is not included. If <attr-spec> refers to an instancethat is not present, then a no-such-instance run-time error is generated.
The strcat Attribute Function
Syntax
strcat (<value-expr>, <value-expr>)
Parameters
The <value-expr> parameter is a value expression. It can also be a string value specification, a string attribute specification, or an attribute function that returns a string value. For more information, see “Attribute Specifications” (page 422), “Value Types” (page 430), and “Attribute Functions” (page 424).
Operation
Returns a string value that is a concatenation of the value expressions used in the strcatfunction. For a tag-str attribute, the tag octet is not included. If <value-expr> refers to aninstance that is not present, then a no-such-instance run-time error is generated.Table 27-5 illustrates the usage of the strcat attribute function.
Table 27-5 Examples of the strcat Attribute Function
Request attributes: Reply-Message = "123"
Command: insert Reply-Message = strcat (Reply-Message, "456")
Result: Reply-Message = "123"; Reply-Message = "123456"

Request attributes: Reply-Message = "123"; Tunnel-Password = :2:"abc"; Tunnel-Password = :2:"def"
Command: modify Tunnel-Password[0] = strcat (Tunnel-Password, Reply-Message)
Result: Reply-Message = "123"; Tunnel-Password = :2:"def123"; Tunnel-Password = :2:"def"

Request attributes: Reply-Message = "123"; Tunnel-Password = :2:"abc"
Command: insert Reply-Message = strcat (substr (Tunnel-Password after "a"), Reply-Message)
Result: Reply-Message = "123"; Tunnel-Password = :2:"abc"; Reply-Message = "bc123"

Request attributes: Reply-Message = "123"; Tunnel-Password = :2:"abc"
Command: modify Reply-Message = strcat (Reply-Message, toupper (Tunnel-Password))
Result: Reply-Message = "123ABC"; Tunnel-Password = :2:"abc"

Request attributes: Reply-Message = "123"; Tunnel-Password = :2:"ABC"
Command: insert Tunnel-Password = strcat (tolower (Tunnel-Password), Reply-Message)
Result: Reply-Message = "123"; Tunnel-Password = :2:"ABC"; Tunnel-Password = :0:"abc123"

Request attributes: Reply-Message = "123"; Tunnel-Password = :2:"abc"
Command: modify Tunnel-Password = strcat (Reply-Message, strcat ("456", Tunnel-Password))
Result: Reply-Message = "123"; Tunnel-Password = :2:"123456abc"
The substr Attribute Function
The substr function can be used with the following keywords:
• “The offset Keyword” (page 426)
• “The before Keyword” (page 427)
• “The after Keyword” (page 428)
The following sections describe these keywords in detail.
The offset Keyword
Syntax
substr (<attr-spec> offset <start>)
substr (<attr-spec> offset <start> length <number>)
Parameters
Following are the parameters for the offset keyword:
• <attr-spec>: The <attr-spec> parameter is an attribute specification. For more information on specifying attributes, see “Attribute Specifications” (page 422).
• <start>: Specifies the offset from the beginning of the string to the first character of the desired substring. It must be a non-negative integer constant.
• <number>: The optional length of the desired substring. It must be a non-negative integer constant.
NOTE: If length <number> is not present then the length defaults to theremainder of the string.
Operation
Returns the requested substring with same type as the source. If the offset is off theend of the string, then substr returns an empty string.
Example 27-3 Examples Illustrating the Use of the offset Keyword
If Reply-Message = "a string of characters", then:
Example 1
substr ( Reply-Message offset 0 length 8 )
returns the following string:
a string
Example 2
substr ( Reply-Message offset 16 length 82 )
returns the following string:
acters
Example 3
substr ( Reply-Message offset 12 )
returns the following string:
characters
Example 4
substr ( Reply-Message offset 32 )
returns an empty string.
NOTE: If <attr-spec> refers to an instance that is not present, then ano-such-instance run-time error is generated.
The before Keyword
Syntax
substr (<attr-spec> before "<before-string>")
substr (<attr-spec> before last "<before-string>")
Parameters
Following are the parameters for the before keyword:
• <attr-spec>: The <attr-spec> parameter is an attribute specification. For more information on specifying attributes, see “Attribute Specifications” (page 422).
• <before-string>: Must be a quoted string constant.
Operation
Returns the requested substring with the same type as the source.
If before is specified, the substring runs from the beginning of the string up to, but not including, the first occurrence of <before-string>.
If before last is specified, the substring runs from the beginning of the string up to, but not including, the last occurrence of <before-string>.
NOTE: In either form, if <before-string> is not found, the entire string is returned.
Example 27-4 Examples Illustrating the Use of the before Keyword
If Reply-Message = "a string of characters", then:
Example 1
substr ( Reply-Message before " of" )
returns the following string:
a string
Example 2
substr ( Reply-Message before last " " )
returns the following string:
a string of
Example 3
substr ( Reply-Message before "not-there" )
returns the entire string.
NOTE: If <attr-spec> refers to an instance that is not present, then a no-such-instancerun-time error is generated.
The after Keyword
Syntax
substr (<attr-spec> after “<after-string>”)
substr (<attr-spec> after last "<after-string>")
Parameters
Following are the parameters for the after keyword:
• <attr-spec>: The <attr-spec> parameter is an attribute specification. For more information on specifying attributes, see “Attribute Specifications” (page 422).
• <after-string>: Must be a quoted string constant.
Operation
Returns the requested substring with the same type as the source.
If after is specified, the substring starts after the first occurrence of <after-string>.
If after last is specified, the substring starts after the last occurrence of <after-string>.
In either form, if <after-string> is not found, the empty string is returned.
Example 27-5 Examples Illustrating the Use of the after Keyword
If Reply-Message = "a string of characters", then:
Example 1
substr ( Reply-Message after " of" )
returns the following string (note the leading space):
" characters"
Example 2
substr ( Reply-Message after last " " )
returns the following string:
characters
Example 3
substr ( Reply-Message after "not-there" )
returns an empty string.
NOTE: If <attr-spec> refers to an instance that is not present, then a no-such-instance run-time error is generated.
The tolower Attribute Function
Syntax
tolower (<attr-spec>)
Parameters
• <attr-spec>: The <attr-spec> parameter is an attribute specification. For more information on specifying attributes, see “Attribute Specifications” (page 422).
Operation
Returns the string value converted to lowercase with the same type as the source. If <attr-spec> refers to an instance that is not present, then a no-such-instance run-time error is generated.
The toupper Attribute Function
Syntax
toupper (<attr-spec>)
Parameters
• <attr-spec>: The <attr-spec> parameter is an attribute specification. For more information on specifying attributes, see “Attribute Specifications” (page 422).
Operation
Returns the string value converted to uppercase with the same type as the source. If <attr-spec> refers to an instance that is not present, then a no-such-instance run-time error is generated.
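The substr before/after keywords and the tolower/toupper functions described above, modelled in Python as an added example (this is not HP-UX AAA Server code): attribute instances live in a plain dict, the [n] instance selector is an index argument, and the no-such-instance run-time error is an exception. The two not-found behaviours (before returns the whole string, after returns the empty string) are checked against Examples 27-4 and 27-5.

```python
"""Model of substr before / before last / after / after last, tolower, toupper.

Constructed stand-in for the policy engine: attrs maps an attribute name to
the list of its instances, so attrs["Reply-Message"][0] is Reply-Message[0].
"""


class NoSuchInstanceError(RuntimeError):
    """The no-such-instance run-time error: <attr-spec> names a missing instance."""


def get_instance(attrs, name, index=0):
    """Return instance `index` of attribute `name` or raise NoSuchInstanceError."""
    values = attrs.get(name, [])
    if index >= len(values):
        raise NoSuchInstanceError(f"{name}[{index}] is not present")
    return values[index]


def substr_before(attrs, name, needle, last=False, index=0):
    """substr (<attr-spec> before "<s>") or, with last=True, before last "<s>".

    Everything up to but not including the first (or last) occurrence of
    needle.  If needle is absent the ENTIRE source string is returned.
    """
    source = get_instance(attrs, name, index)
    pos = source.rfind(needle) if last else source.find(needle)
    return source if pos < 0 else source[:pos]


def substr_after(attrs, name, needle, last=False, index=0):
    """substr (<attr-spec> after "<s>") or, with last=True, after last "<s>".

    Everything after the first (or last) occurrence of needle.  If needle is
    absent the EMPTY string is returned, unlike the before keyword.
    """
    source = get_instance(attrs, name, index)
    pos = source.rfind(needle) if last else source.find(needle)
    return "" if pos < 0 else source[pos + len(needle):]


def tolower(attrs, name, index=0):
    """tolower (<attr-spec>): same missing-instance behaviour as substr."""
    return get_instance(attrs, name, index).lower()


def toupper(attrs, name, index=0):
    """toupper (<attr-spec>): same missing-instance behaviour as substr."""
    return get_instance(attrs, name, index).upper()


def run_manual_examples():
    """Replay Example 27-4 and Example 27-5 on Reply-Message and return the results."""
    attrs = {"Reply-Message": ["a string of characters"]}
    return {
        "before_of": substr_before(attrs, "Reply-Message", " of"),
        "before_last_space": substr_before(attrs, "Reply-Message", " ", last=True),
        "before_missing": substr_before(attrs, "Reply-Message", "not-there"),
        "after_of": substr_after(attrs, "Reply-Message", " of"),
        "after_last_space": substr_after(attrs, "Reply-Message", " ", last=True),
        "after_missing": substr_after(attrs, "Reply-Message", "not-there"),
    }


if __name__ == "__main__":
    for label, result in run_manual_examples().items():
        print(f"{label:18} -> {result!r}")
```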
Value Types
You can specify the following value types for attributes:
• Integer Values: Integer values can be specified as decimal integers, including a leading '-' sign. They can also be specified as hexadecimal integers prefixed with 0x, in which case they are treated as unsigned. A tag can also be specified by prefixing the :tag: syntax to the value. The tag value must be in the range of 0 to 31.
NOTE: Integer values can be used with integer, tag-int, and short type attributes.
• Named Integer Values: Named integer values defined in the server's dictionary file can be specified by enclosing these values in double quotes.
NOTE: Named integer values can only be used with attributes of type integer and tag-int that have defined name values in the dictionary.
• String Values: String values are enclosed in double quotes ("). Tags can be specified by prefixing the :tag: syntax to the value.
NOTE: String values can be used with string, tag-str, and octets type attributes.
• IP Address Values: IP address values are enclosed in double quotes (") and specified using standard dotted-quad notation (in case of IPv4 addresses) or colon-separated notation (in case of IPv6 addresses). Using an invalid IP address results in a syntax-error load-time error.
NOTE: IP address values can be used only with attributes of type ipaddr, ipv6addr, ifid, and ipv6prefix.
• Date Values: You can compare and copy the value of date type attributes. However, you cannot specify date value constants. The use of a constant value in conjunction with a date type attribute results in a syntax-error load-time error.
Arithmetic Expressions
The integer type attributes, attribute functions returning integer type, and integer values can be combined to form arithmetic expressions. The attribute types which qualify as integer type are integer, short, octet, and tag-int.
The supported operations are addition, subtraction, multiplication, and division. Table 27-6 “Supported Arithmetic Operators” lists the arithmetic operators that are supported in the policy files.
Table 27-6 Supported Arithmetic Operators
Operator   Description
+          Addition
-          Subtraction and Negation
*          Multiplication
/          Division
Arithmetic Operator Precedence and Association
Following are the precedence and association rules:
• Precedence Rules: Following are the precedence rules in decreasing order:
— ( )
— - (negation)
— * /
— + -
• Association Rules: Following are the association rules:
— + - left-to-right
— * / left-to-right
— - (negation) non-associative
The following example illustrates the use of arithmetic expressions.
Example 27-6 Using arithmetic expressions
Example 1
insert Xvalue = Xvalue + 10
insert Nas-Port = Nas-Port + Xvalue[0]
modify Xvalue = count( Framed-IP-Address[*] ) + Tunnel-Type
modify Acct-Session-Time = ( Session-Timeout + Idle-Timeout ) * ( Xvalue - 10 )
if ( Acct-Session-Time + 10 = Session-Timeout + Idle-Timeout ) {
    modify Acct-Session-Time = Acct-Session-Time / 10
}
if ( count( Login-IP-Host ) * Login-TCP-Port != Xvalue * 10 ) {
    insert Login-TCP-Port = Login-TCP-Port + 1
}
Supported Boolean Operators
Table 27-7 lists the operators you can use to create an expression with various combinations of A-V pairs.
Table 27-7 Supported Boolean Operators
Operator   Description
=          Equal to
!=         Not equal to
<          Less than
<=         Less than or equal to
>          Greater than
>=         Greater than or equal to
&&         Logical and
||         Logical or
!          Logical not
You can also use parentheses to nest expressions.
Boolean Operator Precedence and Association
When multiple operators appear in a Boolean expression, the following precedence and association rules are applied:
• Precedence Rules: Following are the precedence rules in decreasing order:
— ( )
— !
— <, >, <=, >=
— !=
— &&
— ||
— =
• Association Rules: Following are the association rules:
— && left-to-right
— || left-to-right
— ! right
The following examples illustrate the rules of precedence:
Example 27-7 Examples Illustrating Precedence Rules
Example 1
The boolean expression:
Reply-Message = "hello" && NAS-Port > 7 || Reply-Message = "goodbye" || Reply-Message = "nothing"
is fully parenthesized as:
( ( (Reply-Message = "hello") && (NAS-Port > 7) ) || (Reply-Message = "goodbye") ) || (Reply-Message = "nothing")
and is evaluated as:
if ( Reply-Message = "hello" )
    if ( NAS-Port > 7 )
        return true
if ( Reply-Message = "goodbye" )
    return true
if ( Reply-Message = "nothing" )
    return true
return false
Example 2
The boolean expression:
Reply-Message = "goodbye" || ! Reply-Message = "hello" && NAS-Port > 7
is fully parenthesized as:
( (Reply-Message = "goodbye") || ( ! (Reply-Message = "hello") ) ) && (NAS-Port > 7)
and is evaluated as:
if ( Reply-Message = "goodbye" )
    if ( NAS-Port > 7 )
        return true
    else
        return false
else if ( Reply-Message = "hello" )
    return false
else if ( NAS-Port > 7 )
    return true
else
    return false
Type Compatibility
Table 27-8 lists the compatible attribute types.
Table 27-8 Compatible Attribute Types
Value Type         Compatible Attribute Types
Integer-value      integer, tag-int, short, octet
String-value       string, tag-str, octets
Date-value         date
IP-address-value   ipaddr, ipv6addr, ifid, ipv6prefix
You must not mix attributes from different value-type groups, because this can cause a type mismatch load-time error.
Invoking a Policy
You can invoke a policy using one of the following methods:
• “Invoking Policies Through Predefined Policy Hooks.”
• “Modifying the FSM for Specific Customizations” (page 441)
This section also discusses the commonly used attributes for specifying policies.
Invoking Policies Through Predefined Policy Hooks
The following predefined hooks can be used to invoke policies without modifying the FSM:
• “Request Ingress Policy.”
• “User Policy” (page 436)
• “Reply Egress Policy” (page 437)
• “Proxy Egress Policy” (page 438)
• “Proxy Ingress Policy” (page 439)
Request Ingress Policy
Request ingress policy can be configured in the request-ingress.grp decision file in the server's configuration directory. The policy configured in this file is applied as the first step in the FSM, before the request is dispatched for processing. The request ingress policy can be used to alter the request in one of the following ways:
• A-V pairs may be added, changed, or removed.
• The request classification may be altered.
• The request may be rejected immediately.
• The request may be dropped entirely and no reply is sent.
Figure 27-1 (page 436) illustrates the flow of the request ingress policy.
Figure 27-1 Flow of the Request Ingress Policy
User Policy
After authentication, all requests are subjected to user policy. The user policy is applied only after successful authentication. A user policy can be specified in a Policy-Pointer attribute on the request, either as a check item or a reply item.
If the Policy-Pointer attribute is found in the check items, then the HP-UX AAA Server does not look for one in the reply items. The value of the Policy-Pointer attribute must specify the URL for the decision file to be evaluated.
If a request contains a Policy-Pointer attribute, either as a check item or a reply item, the specified policy is applied.
If the request does not contain a Policy-Pointer, then no user policy is applied. In this case, the POLICY action returns an ACK event to the FSM.
Figure 27-2 illustrates the flow of the user policy.
Figure 27-2 Flow of the User Policy
Invoking Policy from User Profiles
In the user profile (which can be the local users file, LDAP, or SQLAccess), add a Policy-Pointer as a check or reply item with the full pathname of the decision file containing the group authorization policies. Enclose the pointer in single or double quotes. The Policy-Pointer string cannot be more than 63 characters in length. For example:
carl Password = carl, Policy-Pointer = "decisionfile://path-to-file"
or
fred Password = fred
    Policy-Pointer = "decisionfile://path-to-file"
Reply Egress Policy
Reply egress policy can be defined in the reply-egress.grp decision file in the server's configuration directory. The reply egress policy is applied as the final step in the FSM, just before the RADIUS reply message is created and sent. The reply egress policy can be used to alter the request in one of the following ways:
• A-V pairs may be added, modified, or removed.
• The reply type may be changed.
• The request may be dropped entirely and no reply is sent.
NOTE: If the client is defined as type=NAS or type=PROXY+PRUNE (possibly including vendors), the pruning rules specified in the dictionary file are applied according to the reply type that was in effect before the reply-egress policy is evaluated.
Figure 27-3 (page 438) illustrates the flow of information in the reply egress policy.
Figure 27-3 Flow of the Reply Egress Policy
Proxy Egress Policy
Proxy egress policy can be defined in the proxy-egress.grp decision file in the server's configuration directory. The proxy egress policy is applied before the RADIUS proxy request message is created and sent. The proxy egress policy can be used to alter the request in one of the following ways:
• A-V pairs may be added, modified, or removed.
• The request may be rejected immediately.
• The request may be dropped entirely and no reply is sent.
• The proxy target host may be changed.
IMPORTANT: Do not modify or remove any Proxy-State or Proxy-Action A-V pairs, because doing so can interfere with the proxy functionality.
Figure 27-4 (page 439) illustrates the flow of the proxy egress policy.
Figure 27-4 Flow of the Proxy Egress Policy
Proxy Ingress Policy
Proxy ingress policy can be defined in the proxy-ingress.grp decision file in the server's configuration directory. The proxy ingress policy is applied after the proxy response is received. The proxy ingress policy can be used to alter the request in one of the following ways:
• A-V pairs may be added, modified, or removed.
• The reply type may be altered.
• The request may be rejected immediately.
• The request may be dropped entirely and no reply is sent.
Figure 27-5 (page 440) illustrates the flow of the proxy ingress policy.
Figure 27-5 Flow of the Proxy Ingress Policy
Useful Attributes for Policy Conditions
Table 27-9 lists and describes attributes that are typically used for policy group conditions or replies.
Table 27-9 Attributes Typically Used in Policy Group Conditions and Replies
Interlink-Packet-Code
    This attribute contains the code from the RADIUS packet header. It can have an Access-Request or an Accounting-Request value.
Interlink-Proxy-Action
    This attribute contains an event which indicates the type of the request. This is also the event which will be delivered to the FSM (as per the default FSM) if this policy returns ACK. It can have one of the following values:
    • AUTHEN - This value indicates a normal access request.
    • AUTH_ONLY - This value indicates an Authenticate-Only type request.
    • AUTHENTICATE - This value indicates a proxied access request, or an inner authentication request in the case of tunneled EAP methods like TTLS or PEAP.
    • ACCT - This value indicates an accounting request.
    • LAS_ACCT - This value indicates a proxied accounting request.
    • MGT_POLL - This value indicates a server status request (radcheck request).
Interlink-Request-Type
    This attribute contains information about whether this is a normal request or a continuation of an in-progress EAP conversation. It can have a REQUEST or CONTINUATION value.
Interlink-Reply-Status
    This attribute contains the reply status. It can have one of the following values:
    • ACK - This results in an Access-Accept response being sent for an Access-Request and an Accounting-Response for an Accounting-Request.
    • ACC_CHAL - This results in an Access-Challenge response being sent for an Access-Request. No response is sent for an Accounting-Request.
    • NAK - This results in an Access-Reject response being sent for an Access-Request. No response is sent for an Accounting-Request.
Interlink-Proxy-Target
    This attribute contains the name of the proxy target, which is normally configured in one of the authfiles. The proxy target can be overridden in this policy file by modifying this attribute.
User-ID
    Contains the userid portion of the NAI (userid@realm) after the server parses the NAI.
User-Realm
    Contains the realm portion of the NAI (userid@realm) after the server parses the NAI.
Time-of-Day
    A string that contains the time of day when the request was received. It uses a 24-hour clock in the hh:mm format.
Day-Of-Week
    An integer that represents the day of the week when the request was received, where 0 represents Sunday and 6 represents Saturday.
Date-Time
    A string that contains the date and time when the request was received. It uses a 24-hour clock in the yyyy:mm:dd:hh:mm format.
Modifying the FSM for Specific Customizations
To invoke policies from within the FSM, you must use the POLICY AATV. The policy to be evaluated must be passed in the xstring parameter. The xstring parameter uses the following URL syntax:
decisionfile://<name of decision file>
For example, if MyPolicy.policy is a decision file present in the configuration directory, then use the following URL as the value of the xstring parameter for the POLICY AATV to invoke this policy:
decisionfile://MyPolicy.policy
For more information on FSM modifications and the xstring parameter, see Chapter 26 (page 396).
When a policy is evaluated, it can return an event to the FSM to direct the subsequent processing of a request. The policy can return events to the FSM in the following ways:
• Exit Command: Using the Exit command terminates the evaluation of the policy. The specified event is returned to the FSM.
• Default Event: If evaluation of a decision file reaches the end without encountering an Exit command, the default event is returned to the FSM. The default event is ACK.
• Error Conditions: When an error occurs, an ERROR event is returned to the FSM.
Sample Policy Implementations
HP-UX AAA Server A.08.01 contains sample FSM and decision files to support policies for the following implementations:
• “Dynamic Access Control.”
• “DNIS Routing” (page 444)
The following sections discuss these implementations in detail.
Dynamic Access Control
Dynamic Access Control (DAC) enables you to provide different levels of network access to the same users depending on the following:
• Access periods
• Account and password expiry date and time
Dynamic Access Control uses three Interlink-specific attributes to check the values in user requests. Table 27-10 describes the Interlink-specific attributes used by DAC.
Table 27-10 Interlink-specific Attributes Used by DAC
Time-of-Day
    A string that contains the time of day when the request was received. It uses a 24-hour clock in hh:mm format.
Day-Of-Week
    An integer that represents the day of the week when the request was received, where 0 represents Sunday and 6 represents Saturday.
Date-Time
    A string containing the date and time when the request was received. It uses a 24-hour clock in yyyy:mm:dd:hh:mm format.
To implement the sample policy for Dynamic Access Control, you must complete the following steps:
• “Step 1 – Modifying the Default FSM for DAC.”
• “Step 2 – Defining the DAC Policies” (page 443)
Step 1 – Modifying the Default FSM for DAC
To modify the default radius.fsm file for DAC, complete the following steps:
1. Replace the radius.fsm file in the server's configuration directory with /opt/aaa/examples/config/DAC.fsm. For example, if the server's radius.fsm file is /etc/opt/aaa/radius.fsm, then enter the following command:
# cp /opt/aaa/examples/config/DAC.fsm /etc/opt/aaa/radius.fsm
NOTE: Take a backup of /etc/opt/aaa/radius.fsm before replacing it.
IMPORTANT: If you are using a different decision file than the supplied DAC.grp decision file, change the CheckDAC state so that the POLICY action calls the DAC decision file. For example,
CheckDAC: *.*.ACK POLICY AuthWait Xstring=decisionfile://DAC.grp
2. Copy the sample decision file /opt/aaa/examples/config/DAC.grp to the server's configuration directory using the following command:
# cp /opt/aaa/examples/config/DAC.grp /etc/opt/aaa/
Step 2 – Defining the DAC Policies
The default DAC.grp decision file contains sample entries. You must edit the DAC.grp decision file to define your DAC policies. To edit the DAC.grp decision file, complete the following steps:
1. Modify each group in the DAC.policy file according to your implementation requirements. For example,
# Daytime Access Check
if ( (Access-Group = "daytime") && ((Time-Of-Day >= "06:00") && (Time-Of-Day <= "20:00")) ) {
    insert Reply-Message = "Daytime access allowed"
    exit "ACK"
}
NOTE: The Reply-Message reply item attribute may not be returned if the user is authenticated using a tunneled EAP method.
Comment out any condition you do not need by placing a hash symbol (#) before each line. The last line must remain unchanged so that a user who does not match one of the conditions is rejected.
2. If you rename the DAC.grp file, move it to the server's configuration directory and edit radius.fsm so that the CheckDAC state Xstring parameter points to the correct file name.
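The DAC evaluation described in Steps 1 and 2, modelled in Python as an added example (not the server's DAC.grp or any HP-UX AAA Server code): the three attributes of Table 27-10 are derived from the request's arrival time in the manual's formats, the groups are tried in order like the if blocks of a decision file, and a catch-all entry plays the role of the "last line" that rejects an unmatched user. The group names beyond "daytime" and the Account-Expiry attribute are hypothetical sample entries, not attributes defined on this page.

```python
"""Model of the POLICY action evaluating a DAC-style decision file.

Constructed stand-in: a request is a dict of A-V pairs; each group is a
condition plus the event and Reply-Message it would exit with.
"""
from datetime import datetime


def dac_attributes(received_iso):
    """Return Time-of-Day, Day-Of-Week and Date-Time for an arrival time
    given as an ISO string such as '2010-05-04T09:15'."""
    received_at = datetime.fromisoformat(received_iso)
    return {
        "Time-of-Day": received_at.strftime("%H:%M"),          # hh:mm, 24-hour
        # Python's weekday() counts Monday as 0; the server counts Sunday as 0.
        "Day-Of-Week": (received_at.weekday() + 1) % 7,
        "Date-Time": received_at.strftime("%Y:%m:%d:%H:%M"),   # yyyy:mm:dd:hh:mm
    }


def daytime_group(req):
    # Daytime Access Check from the manual: a plain string comparison, which is
    # sound only because hh:mm is zero-padded and fixed-width.
    return (req.get("Access-Group") == "daytime"
            and "06:00" <= req["Time-of-Day"] <= "20:00")


def weekend_group(req):
    # Hypothetical weekend-only group: 0 is Sunday, 6 is Saturday.
    return req.get("Access-Group") == "weekend" and req["Day-Of-Week"] in (0, 6)


def expiry_group(req):
    # Hypothetical account-expiry check: Account-Expiry carries the same
    # yyyy:mm:dd:hh:mm layout as Date-Time, so the string order is the time order.
    expiry = req.get("Account-Expiry")
    return expiry is not None and req["Date-Time"] < expiry


# Evaluated top to bottom; the first matching group wins.  The final catch-all
# is the line that must stay in place so an unmatched user is rejected instead
# of falling through to the default ACK event.
DAC_GROUPS = [
    (daytime_group, "ACK", "Daytime access allowed"),
    (weekend_group, "ACK", "Weekend access allowed"),
    (expiry_group, "ACK", "Account still valid"),
    (lambda req: True, "NAK", "Access denied"),
]


def evaluate_dac(request, received_iso):
    """Return the (event, Reply-Message) pair the POLICY action hands to the FSM."""
    req = dict(request)
    req.update(dac_attributes(received_iso))
    for condition, event, message in DAC_GROUPS:
        if condition(req):
            return event, message
    return "ACK", None   # default event if no group exits (unreachable with the catch-all)


if __name__ == "__main__":
    # Constructed sample requests, May 2010 (2 May 2010 is a Sunday).
    for request, when in [
        ({"Access-Group": "daytime"}, "2010-05-04T09:15"),
        ({"Access-Group": "daytime"}, "2010-05-04T21:05"),
        ({"Access-Group": "weekend"}, "2010-05-02T23:00"),
        ({"Account-Expiry": "2010:05:01:00:00"}, "2010-05-04T12:00"),
    ]:
        print(request, when, "->", evaluate_dac(request, when))
```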
DNIS Routing
In a typical DNIS routing scheme, requests are handled according to the Calling-Station-Id and Called-Station-Id attributes. The POLICY action matches the Calling-Station-Id and Called-Station-Id attribute values in the Access-Request to the conditions defined in the DNIS decision file, and returns the matching policy group reply items and the FSM events Forward and Abandon. The required events and states are defined in the DNIS.fsm file delivered with the server.
To implement the sample policy for DNIS Routing, complete the following steps:
• “Step 1 – Modifying the Default FSM for DNIS Routing.”
• “Step 2 – Defining the DNIS Routing Policies” (page 444)
Step 1 – Modifying the Default FSM for DNIS Routing
To modify radius.fsm to support DNIS routing, complete the following steps:
1. Replace the radius.fsm file in the server's configuration directory with /opt/aaa/examples/config/DNIS.fsm. For example, if the server's radius.fsm file is /etc/opt/aaa/radius.fsm, then enter the following command:
# cp /opt/aaa/examples/config/DNIS.fsm /etc/opt/aaa/radius.fsm
NOTE: Take a backup of /etc/opt/aaa/radius.fsm before replacing it.
2. Modify the Start4 state, as shown below, so that the Xstring parameter points to the fully qualified domain name or IP address of the server to which you are forwarding requests. The server must be listed in the HP-UX AAA server's clients file. The clients file entry is needed to obtain the shared secret. For more information, see Chapter 7 (page 100) and Chapter 9 (page 117). For more information on the clients file, see “The clients File” (page 526).
Start4: *.*.Forward RAD2RAD Start4a Xstring=192.168.0.0
3. Save and close the radius.fsm file.
4. Copy the sample decision file /opt/aaa/examples/config/DNIS.grp to the HP-UX AAA server's configuration directory using the following command:
# cp /opt/aaa/examples/config/DNIS.grp /etc/opt/aaa/
Step 2 – Defining the DNIS Routing Policies
You must edit the DNIS.grp file to define DNIS routing policies. To edit the DNIS.grp file, complete the following steps:
1. Edit the DNIS.grp decision file to reflect your station-based access policies. For example, to change the Calling-Station and Called-Station numbers in the Controlled Access condition, edit the DNIS.grp file as follows:
# Controlled Access
if ( (Calling-Station-Id = "7341234567") || (Called-Station-Id = "7341236543") ) {
    exit "Forward"
}
You can add further attributes to these access groups if your policies require that other conditions must be met.
Comment out any condition you do not need by placing a hash symbol (#) before each line. The last line must remain unchanged so that it authenticates a user who does not match one of the other conditions.
2. If you rename the DNIS.grp file, move it to the HP-UX AAA server's configuration directory and edit radius.fsm so that the Start3 state Xstring parameter points to the correct file name.
28 Customizing the HP-UX AAA Server Using the SDK
This chapter describes how to use the Software Developer's Kit (SDK) to customize the HP-UX AAA Server. This chapter addresses the following topics:
• “SDK Overview.”
• “Migrating Plug-ins Created Using Previous Versions of the SDK” (page 448)
• “Prerequisites for Using the SDK” (page 448)
• “SDK Directory Structure” (page 448)
• “SDK Concepts” (page 448)
— “Overview of AATVs” (page 448)
— “AATV Components” (page 449)
• “Creating Plug-ins” (page 450)
— “Using AATVs to Create a Plug-in” (page 451)
— “Compiling and Loading a Plug-in” (page 452)
— “Testing and Debugging a Plug-in” (page 453)
• “Creating Plug-ins for AATVs” (page 454)
For information on the header files, data structures, and APIs included with the SDK, see Appendix D (page 579).
SDK Overview
The SDK is a tool that enables you to customize the way the HP-UX AAA Server processes RADIUS requests. This kit is particularly useful for creating plug-ins to extend or even replace server processes, such as how an authentication or accounting request is handled. Using this SDK, you can create plug-ins to handle tasks such as customized logging of accounting requests, and pre- and post-authentication tasks.
Example 28-1 illustrates how to use an SDK plug-in to customize authentication and authorization services.
Example 28-1 Example of a Pre-Paid Billing Application Using a Plug-in Created Using the HP-UX AAA Server SDK
In this example, a service provider wants to implement a service where blocks of connect time are purchased in advance. In addition to being authenticated, each user must be authorized based on his or her account balance. Only those users with a positive balance are granted network access, and their session is limited to the time equivalent of their balance at the time they are authenticated. Figure 28-1 (page 447) shows how the plug-in works.
Figure 28-1 SDK Plug-in Example
Two tasks (AATVs) are identified to implement this service. You can create a single software module with an AATV for both tasks, or you can create two software modules, each containing a single AATV. The first task authenticates and authorizes the user as a part of the RADIUS Access-Request process. This AATV performs the following functions:
1. Retrieves the user credentials and account balance from a database
2. Authenticates the user based on the credentials
3. Authorizes the user if there is a positive account balance
4. Converts the account balance into the equivalent amount of connect time and returns that time as a Session-Timeout Reply-Item
The second task is to update the user's account balance based on the time used during each user session. To work properly, this must be done in real time. Therefore, the database must be updated at the time the RADIUS Accounting-Stop is received. This AATV performs the following tasks:
1. Converts the length of the user session into a dollar amount
2. Debits the user account by the computed value of the completed session
Migrating Plug-ins Created Using Previous Versions of the SDK
Plug-ins created using previous versions of the SDK must be ported to the new SDK and recompiled before they can be used with HP-UX AAA Server A.08.01. For information on recompiling your plug-in, see “Compiling and Loading a Plug-in” (page 452).
Prerequisites for Using the SDK
HP recommends installing the HP aC++ Compiler (# B3913DB) to compile plug-ins created using the HP-UX AAA Server SDK.
SDK Directory Structure
The HP-UX AAA Server SDK consists of the following files and directories:
• The /opt/aaa/include/sdk.h header file
• The following sample plug-ins:
— /opt/aaa/examples/sdk/CSI/checkCSI.c
— /opt/aaa/examples/sdk/ace/samplesc.c
• READMEs that describe the sample AATVs
Important Note: For information on the header files, data structures, and APIs included with the SDK, see Appendix D (page 579).
SDK Concepts
This section explains how the plug-ins interface with the HP-UX AAA Server operation. To ensure that the HP-UX AAA Server processes the functions included in your plug-ins, you can modify the state tables in the Finite State Machine (FSM) to refer to the functions (actions) defined in your custom plug-ins, or you can add them to the authfile for authentication AATVs. Modified FSM tables can include instructions to add or change the order of the processing steps. Plug-ins can be inserted as steps anywhere in the FSM table. AATVs are directly referenced as actions in the FSM table. For more information on AATVs, see “Overview of AATVs.”
Overview of AATVs
An AATV is a framework for various functionalities, such as password validation. These AATVs are functional blocks that perform basic AAA functions, such as authentication, authorization, and accounting. However, an AATV's functions are not limited to these. This framework gives you enough flexibility to add your own plug-ins as well.
AATV Components
An AATV is implemented as a shared library that contains specific functions. These functions are called from the HP-UX AAA Server. An AATV can contain the following functions:
• “The init Function.”
• “The action Function.”
• “The timer or callback Function” (page 450)
• “The cleanup Function” (page 450)
NOTE: These functions are optional. However, you must implement at least one of these functions.
The init Function
The init function establishes the environment required for other AATV functions. The init function is commonly used to open sockets, to create or open files for writing, or to read module-specific configuration. Following is the prototype of the init function:
void myinit();
The action Function
The action function responds immediately to a received RADIUS request. Following is the prototype of the action function:
static int myaction(sdk_authreq_t *authreq, int value, const char *string);
Following are the input parameters:
authreq   A pointer to the authreq.
value     The Xvalue from the FSM table for this action, if configured. If not, 0 is passed in by the Server.
string    This parameter can have one of the following values:
          • The Xstring from the FSM table if the AATV is configured in the FSM.
          • The Xstring from the authfile if the AATV is configured to process an authentication request.
          • NULL, if the Xstring parameter is not configured.
The action function returns an event code. This event code determines the next action to be taken in the FSM. Following are the two commonly used event codes:
AAA_EV_ACK   Defined as 0. It indicates that the operation is successful.
AAA_EV_NAK   Defined as -1. It indicates that the operation failed.
IMPORTANT: All common event codes and corresponding event names are defined in the sdk.h header file. You can also define new event codes, for example, in scenarios where the AATV action produces multiple results that need to be handled separately by an AATV. However, do not use the sdk.h file to define new event codes. Instead, use the FSM file radius.fsm to define new event codes. Use the following syntax to create new event codes:
% event event_name event_code
The new event codes and event names must not overlap with the ones defined in the sdk.h file. To avoid event code or event name synchronization issues, use event codes that are larger than 500.
The timer or callback Function
The timer or callback function is called once a second to enable AATVs to perform scheduled work at regular intervals. However, if the server is blocked, the function may not be called for each elapsed second. This function is typically used for periodic cleanup of any session information saved by the AATV. The timer function does not have any parameter; the function returns an event code. Following is the prototype of the timer or callback function:
int mytimer();
The cleanup Function
The cleanup function is called when the HP-UX AAA Server terminates. This function is used to perform tasks such as flushing the last records to a file before closing that file, and closing sockets. The cleanup function does not have any parameter and does not return a value. Following is the prototype of the cleanup function:
void mycleanup();
Creating Plug-ins
You can create plug-ins using the following sample plug-ins:
• /opt/aaa/examples/sdk/csi/checkCSI.c
• /opt/aaa/examples/sdk/ace/samplesc.c
The following sections describe the working of these sample plug-ins, as well as procedures to do the following tasks:
• “Using AATVs to Create a Plug-in” (page 451)
• “Compiling and Loading a Plug-in” (page 452)
• “Testing and Debugging a Plug-in” (page 453)
The ACE AATVThe ACE AATV is a sample challenge-response authentication AATV. At a high level,this plug-in performs the following functions:1. Checks that the User-Id A-V pair is present in the request. If it is not present, an
error is returned.2. If the User-Id A-V pair is present, then it checks whether the State A-V pair is
present. If the State A-V pair is present, it proceeds to step 3.If it is not present, it creates aStateA-V pair with theUser-Id value and appendsa string .pw to it, and inserts the State A-V pair into the REPLY queue. AReply-Message A-V pair is created with a challenge string that prompts the userto enter a challenge response.
NOTE: In this sample AATV, the State A-V pair contains the password.However, it can also contain a pointer to a password, or a session table.
3. If the State A-V pair is present, it checks the user's challenge response againstthe value in the State A-V pair. If the values match, the user is authenticated. Ifthe values do not match, the connection is terminated.
For more information on the ACE AATV, see the README located at /opt/aaa/examples/sdk/ace/README.
The checkCSI AATVThe checkCSI AATV is typically used for preprocessing RADIUS Access-Requests.This AATV enables the HP-UX AAA Server to authenticate the user based onCalling-Station-Id instead ofUser-Name. For more information on thecheckCSIAATV, see the README file located at /opt/aaa/examples/sdk/csi/README.
Using AATVs to Create a Plug-in
You can create a plug-in using one of the sample plug-ins as a base. The procedure and the example described in this section use the checkCSI.c file to create a plug-in.
To create a plug-in using the checkCSI.c file, complete the following steps:
1. Rename the checkCSI.c file and open it for editing.
2. Add the function prototype for the action function. For example:
static int checkCSI (AUTH_REQ * authreq, int Value, const char * checkString);
where:
• The Value parameter is the Xvalue from the fsm file.
• The checkString parameter is the Xstring from the fsm file.
3. Add the aatv_load function to register the AATV with the HP-UX AAA Server. The aatv_load function, shown below, initializes the global aatv_info_v2_t structure that contains the function pointers to the init(), action(), timer(), and cleanup() functions.
int aatv_load (aatv_info_v2_t **aatv_list, int * aatv_count)
where:
• aatv_list is a list of all the AATVs that are loaded.
• aatv_count is the number of AATVs that are loaded.
• aatv_info_v2_t is the data structure containing the function pointers to the init(), action(), timer(), and cleanup() functions. For more information on the aatv_info_v2_t data structure, see “Header Files, Data Structures, and APIs in the HP-UX AAA Server SDK” (page 579).
4. Set the parameters of the aatv_info_v2_t data structure. Add them to aatv_list and set the value of aatv_count.
NOTE: You can also add init(), timer(), and cleanup() functions, based on your requirements. These functions are not used in this example, because the checkCSI AATV does not use them.
Compiling and Loading a Plug-in
To compile and load a plug-in, complete the following steps:
NOTE: Before you start this procedure, ensure that the HP-UX AAA Server is not running.
1. Navigate to the /opt/aaa/examples/sdk/csi directory.
2. Enter the following command:
# cc -I /opt/aaa/include -c +z checkCSI.c
3. Enter the following command to link the AATV with the libradlib file:
# ld -b -o checkCSI.so -L/opt/aaa/lib -lradlib checkCSI.o
4. Enter the following command to copy the compiled plug-in to the /opt/aaa/aatv/ directory:
# cp checkCSI.so /opt/aaa/aatv/
After copying the AATV to the /opt/aaa/aatv/ directory, you can configure the AATV name in the authfile or in the FSM.
5. Start the radiusd daemon by entering the following command:
# /opt/aaa/bin/radiusd
6. To ensure that the AATV is loaded correctly, check the logfile for an entry similar to the following:
read_dyn_cfg: Loaded shared object: <aatvname>, <No. of aatvs>
Testing and Debugging a Plug-in
You must test the software module before you start using it in a production environment. You can use several different methods to debug any modules that you create. This section discusses testing the software module using the GNU Project Debugger (gdb).
Using the GNU Project Debugger
HP recommends using gdb to debug software modules created using the HP-UX AAA Server SDK.
NOTE: To debug a software module with gdb, your program must be compiled with debug information enabled (using the -g option).
Using gdb to Debug Your Software Module
To debug your software module using gdb, complete the following steps:
1. Determine the RADIUS server’s process ID by entering the following command:
# ps -ef | grep radiusd
2. End the RADIUS server process by entering the following command:
# kill <radius pid>
3. Enter the following command:
# chatr +dbg enable /opt/aaa/bin/radiusd
4. Start radiusd by entering the following command:
# /opt/aaa/bin/radiusd
5. Start the debugger by entering the following command:
# gdb
This command starts a gdb session in UNIX and the gdb prompt appears. You can access help by typing help at the gdb prompt. For more information about gdb, enter man gdb at the command prompt. If you start the gdb session from some other location, you must specify the directory in which your plug-in module source code is located (for more information, see gdb help).
6. At the gdb prompt, enter the dir command to include the path of your software module, as shown in the following example:
# gdb> dir /opt/aaa/examples/sdk/csi
7. Attach to the radius pid, as follows:
# gdb> attach <radius pid>
An output similar to the following displays:
Reading symbols from /opt/aaa/aatv/proldap.so...done.
Reading symbols from /opt/aaa/aatv/securidAatv.so...done.
Reading symbols from /opt/aaa/aatv/snmpAgent.so...done.
Reading symbols from /opt/aaa/aatv/tacplus.so...done.
Reading symbols from /opt/aaa/aatv/tunneling.so...done.
Reading symbols from /opt/aaa/aatv/vlogit.so...done.
Reading symbols from /opt/aaa/aatv/samplesc.so...done
8. Set a breakpoint at the specified line or function, as shown in the following example:
# gdb> b <function>
9. Enter the continue command, as shown below:
# gdb> c
10. At another window prompt, enter the radpwtst command as shown in the following example:
# radpwtst -a localhost -w password test_user
11. Use gdb commands to step through the code and look at the data to see how it is being processed in your plug-in module.
12. To quit gdb, enter the following command:
# gdb> q
Creating Plug-ins for AATVs
This section addresses plug-ins that are used to customize AATVs, such as Extensible Authentication Protocol (EAP) Subscriber Identity Module (SIM) and EAP Authentication and Key Agreement (AKA). This section addresses the following:
• “A3 and A8 Algorithm Plug-in for EAP-SIM” (page 454)
• “AKA Algorithm Plug-in for EAP-AKA” (page 456)
A3 and A8 Algorithm Plug-in for EAP-SIM
The Global System for Mobile Communications (GSM) A3 and A8 algorithms are used in EAP-SIM. The content of A3 and A8 algorithm plug-ins is specific to the EAP-SIM protocol requirements. [GSM-03.20] specifies the general GSM authentication procedure and the external interface of the A3 and A8 algorithms. The operations of these functions are associated with the domain of an individual GSM network operator. Therefore, the functions are not standardized. Instead, each operator specifies the functions. The A3 and A8 algorithm plug-ins are software modules that contain these specific functions. They customize the GSM authentication for each network operator.
An A3 or A8 plug-in may include zero or one A3 algorithm. If you write a plug-in for A3, an A8 plug-in with the same name must exist. Similarly, if you write a plug-in for A8, an A3 plug-in with the same name must exist.
Creating A3, A8 Plug-ins
You can create a plug-in using one of the sample plug-ins as a base. The procedure and the example described in this section use the sample_sim_a3a8.c file to create a plug-in.
To create a plug-in using the sample_sim_a3a8.c file, which is available at /opt/aaa/examples/sdk/sim_a3a8, complete the following steps:
1. Rename the sample_sim_a3a8.c file and open it for editing.
2. Add any header file specific to your module along with the following mandatory header files:
#include "sdk.h"
#include "plugin.h"
#include <syslog.h>
You can also add other header files that you require.
3. Change the (a3impl and a8impl) function names in the following prototypes, if required:
static int a3impl( const unsigned char * ki, const unsigned char * rand, unsigned char * sres );
static int a8impl( const unsigned char * ki, const unsigned char * rand, unsigned char * kc );
NOTE: Changing the function names is not mandatory. However, the parameters must not be modified.
4. Register the A3 and A8 algorithm plug-ins.
1. To modify the number of plug-ins, change the array size of plugin_array[1] to the number of plug-ins to be written for this module.
2. Modify the plugin_load function in the following code:
sim_a3a8_plugin_info_t * sim_a3a8_info;
static const char func[] = "plugin_load";
a. Set the name of the plug-in in the following code to the required name:
sim_a3a8_info->name = "sample_sim_a3a8";
b. Set the description of the plug-in in the following code:
sim_a3a8_info->info = "Sample EAP-SIM A3/A8 algorithm plugin";
c. If the (a3impl and a8impl) function names are modified, make the corresponding changes in the following code:
sim_a3a8_info->a3 = a3impl;
sim_a3a8_info->a8 = a8impl;
d. Enter the value of plugin_array as described in the code. For example, for the second plug-in, modify the code as follows:
plugin_array[1].type = SIM_A3A8;
plugin_array[1].info = (void *)sim_a3a8_info;
e. If there is more than one plug-in, modify the value accordingly in the following code:
*plugin_count = 1;
5. To implement the sample A3 algorithm, modify the following code:
unsigned int idx;
for ( idx = 0; idx < 4; ++idx )
{
    sres[idx] = 0;
}
return SDK_SUCCESS;
On success, the A3 algorithm returns SDK_SUCCESS. Otherwise, it returns SDK_FAILURE.
6. To implement the sample A8 algorithm, modify the following code:
unsigned int idx;
for ( idx = 0; idx < 8; ++idx )
{
    kc[idx] = 0;
}
return SDK_SUCCESS;
On success, the A8 algorithm returns SDK_SUCCESS. Otherwise, it returns SDK_FAILURE.
AKA Algorithm Plug-in for EAP-AKA
The GSM AKA algorithms are used in EAP-AKA. The content of the AKA 3GPP algorithm plug-ins is specific to the EAP-AKA protocol requirements. [GSM-03.20] specifies the general GSM authentication procedure and the external interface of the f1, f1x, f2, f3, f4, f5 and f5x functions. The operations of these functions are associated with the domain of an individual GSM network operator. Therefore, the functions are not standardized. Instead, each operator specifies the functions. AKA algorithm plug-ins are software modules that contain these specific functions. They customize the GSM authentication for each network operator.
Creating AKA Plug-ins
You can create a plug-in using one of the sample plug-ins as a base. The procedure and the example described in this section use the sample_aka_algo.c file to create a plug-in.
To create a plug-in using the sample_aka_algo.c file, which is available at /opt/aaa/examples/sdk/aka_algo, complete the following steps:
1. Rename the sample_aka_algo.c file and open it for editing.
2. Include the following mandatory header files:
#include "sdk.h"
#include "plugin.h"
#include <syslog.h>
You can also add other header files that you require.
3. Change the (f1impl, f1ximpl, f2impl, f3impl, f4impl, f5impl and f5ximpl) function names in the following prototypes, if required:
static int f1impl( const unsigned char * ki, const unsigned char * rand, const unsigned char * sqn, const unsigned char * amf, unsigned char * maca );
static int f1ximpl( const unsigned char * ki, const unsigned char * rand, const unsigned char * sqn, const unsigned char * amf, unsigned char * macs );
static int f2impl( const unsigned char * ki, const unsigned char * rand, unsigned char * res );
static int f3impl( const unsigned char * ki, const unsigned char * rand, unsigned char * ik );
static int f4impl( const unsigned char * ki, const unsigned char * rand, unsigned char * ck );
static int f5impl( const unsigned char * ki, const unsigned char * rand, unsigned char * ak );
static int f5ximpl( const unsigned char * ki, const unsigned char * rand, unsigned char * ak );
NOTE: Changing the function names is not mandatory. However, the parameters must not be modified.
4. Register the AKA algorithm plug-ins.
1. If your plug-in includes more than one plug-in entry, modify the array size accordingly. To modify the array size, change the value within plugin_array[1] to the number of plug-ins to be written for this module.
2. Modify the plugin_load function in the following code:
aka_algo_plugin_info_t * aka_algo_info;
static const char func[] = "plugin_load";
a. Set the name of the plug-in in the following code to the required name:
aka_algo_info->name = "sample_aka_algo";
b. Set the description of the plug-in in the following code:
aka_algo_info->info = "Sample EAP-AKA algorithm plugin";
c. If the (f1impl, f1ximpl, f2impl, f3impl, f4impl, f5impl and f5ximpl) function names are modified, make the corresponding changes in the following code:
aka_algo_info->f1 = f1impl;
aka_algo_info->f1x = f1ximpl;
aka_algo_info->f2 = f2impl;
aka_algo_info->f3 = f3impl;
aka_algo_info->f4 = f4impl;
aka_algo_info->f5 = f5impl;
aka_algo_info->f5x = f5ximpl;
d. Enter the value of the plugin_array as described in the code. For example, for the second plug-in, modify the code as follows:
plugin_array[1].type = AKA_ALGO;
plugin_array[1].info = (void *)aka_algo_info;
e. If there is more than one plug-in, complete the described steps for each of them. Also, modify the value accordingly in the following code:
*plugin_count = 1;
5. To implement the sample f1() algorithm, modify the following code in the f1impl function:
unsigned int idx;
for ( idx = 0; idx < 8; ++idx )
{
    maca[idx] = 0;
}
return SDK_SUCCESS;
On success, the f1() algorithm returns SDK_SUCCESS. Otherwise, it returns SDK_FAILURE.
6. To implement the sample f1x() algorithm, modify the following code in the f1ximpl function:
unsigned int idx;
for ( idx = 0; idx < 8; ++idx )
{
    macs[idx] = 0;
}
return SDK_SUCCESS;
On success, the f1x() algorithm returns SDK_SUCCESS. Otherwise, it returns SDK_FAILURE.
7. To implement the sample f2() algorithm, modify the following code in the f2impl function:
unsigned int idx;
for ( idx = 0; idx < 8; ++idx )
{
    res[idx] = 0;
}
return SDK_SUCCESS;
On success, the f2() algorithm returns SDK_SUCCESS. Otherwise, it returns SDK_FAILURE.
8. To implement the sample f3() algorithm, modify the following code in the f3impl function:
unsigned int idx;
for ( idx = 0; idx < 16; ++idx )
{
    ik[idx] = 0;
}
return SDK_SUCCESS;
On success, the f3() algorithm returns SDK_SUCCESS. Otherwise, it returns SDK_FAILURE.
9. To implement the sample f4() algorithm, modify the following code in the f4impl function:
unsigned int idx;
for ( idx = 0; idx < 16; ++idx )
{
    ck[idx] = 0;
}
return SDK_SUCCESS;
On success, the f4() algorithm returns SDK_SUCCESS. Otherwise, it returns SDK_FAILURE.
10. To implement the sample f5() algorithm, modify the following code in the f5impl function:
unsigned int idx;
for ( idx = 0; idx < 6; ++idx )
{
    ak[idx] = 0;
}
return SDK_SUCCESS;
On success, the f5() algorithm returns SDK_SUCCESS. Otherwise, it returns SDK_FAILURE.
11. To implement the sample f5x() algorithm, modify the following code in the f5ximpl function:
unsigned int idx;
for ( idx = 0; idx < 6; ++idx )
{
    ak[idx] = 0;
}
return SDK_SUCCESS;
On success, the f5x() algorithm returns SDK_SUCCESS. Otherwise, it returns SDK_FAILURE.
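The registration and buffer handling that steps 3 to 11 above describe, written out as an added C example that is not HP's sample_aka_algo.c; the A3/A8 plug-in of the previous section follows the same pattern with sim_a3a8_plugin_info_t and SIM_A3A8 in place of the AKA names. Because sdk.h and plugin.h are not reproduced in this guide, the SDK_SUCCESS, SDK_FAILURE and AKA_ALGO values, the structure layouts, the plugin_entry_t name and the plugin_load prototype are assumptions; the f-function prototypes and output lengths are the guide's own.

```c
/* Added example (not HP's sample_aka_algo.c): an EAP-AKA algorithm plug-in
 * skeleton that registers two plug-in entries and guards every buffer.
 * The guide does not reproduce sdk.h or plugin.h, so everything marked
 * ASSUMED is a stand-in for the real SDK definitions. */
#include <stddef.h>
#include <string.h>

#define SDK_SUCCESS 0     /* SDK name; value ASSUMED */
#define SDK_FAILURE (-1)  /* SDK name; value ASSUMED */
#define AKA_ALGO    1     /* type tag named in the guide; value ASSUMED */

/* Output lengths taken from the loop bounds of the guide's sample code. */
#define AKA_MAC_LEN 8     /* maca and macs */
#define AKA_RES_LEN 8
#define AKA_IK_LEN  16
#define AKA_CK_LEN  16
#define AKA_AK_LEN  6

typedef int (*aka_f1_fn)(const unsigned char *, const unsigned char *,
                         const unsigned char *, const unsigned char *,
                         unsigned char *);
typedef int (*aka_fx_fn)(const unsigned char *, const unsigned char *,
                         unsigned char *);

/* Field names follow the guide; the layout is an ASSUMED stand-in. */
typedef struct {
    const char *name, *info;
    aka_f1_fn   f1, f1x;
    aka_fx_fn   f2, f3, f4, f5, f5x;
} aka_algo_plugin_info_t;

/* ASSUMED element type of plugin_array; the guide shows only .type/.info. */
typedef struct { int type; void *info; } plugin_entry_t;

/* Common guard: reject NULL pointers, then emit the sample's all-zero output.
 * An operator's real f-function replaces the memset; the guard and the
 * output length stay. */
static int sample_output(const unsigned char *ki, const unsigned char *rand,
                         unsigned char *out, size_t out_len)
{
    if (ki == NULL || rand == NULL || out == NULL)
        return SDK_FAILURE;
    memset(out, 0, out_len);
    return SDK_SUCCESS;
}

/* Prototypes exactly as given in the guide; only the bodies differ. */
static int f1impl(const unsigned char *ki, const unsigned char *rand,
                  const unsigned char *sqn, const unsigned char *amf,
                  unsigned char *maca)
{
    if (sqn == NULL || amf == NULL) return SDK_FAILURE;
    return sample_output(ki, rand, maca, AKA_MAC_LEN);
}
static int f1ximpl(const unsigned char *ki, const unsigned char *rand,
                   const unsigned char *sqn, const unsigned char *amf,
                   unsigned char *macs)
{
    if (sqn == NULL || amf == NULL) return SDK_FAILURE;
    return sample_output(ki, rand, macs, AKA_MAC_LEN);
}
static int f2impl(const unsigned char *ki, const unsigned char *rand, unsigned char *res)
{ return sample_output(ki, rand, res, AKA_RES_LEN); }
static int f3impl(const unsigned char *ki, const unsigned char *rand, unsigned char *ik)
{ return sample_output(ki, rand, ik, AKA_IK_LEN); }
static int f4impl(const unsigned char *ki, const unsigned char *rand, unsigned char *ck)
{ return sample_output(ki, rand, ck, AKA_CK_LEN); }
static int f5impl(const unsigned char *ki, const unsigned char *rand, unsigned char *ak)
{ return sample_output(ki, rand, ak, AKA_AK_LEN); }
static int f5ximpl(const unsigned char *ki, const unsigned char *rand, unsigned char *ak)
{ return sample_output(ki, rand, ak, AKA_AK_LEN); }

/* Two entries, as the guide's step 4 describes for a module with more than
 * one plug-in: plugin_array needs two elements and *plugin_count becomes 2.
 * Static storage stands in for the sample's allocation (ASSUMED). Both
 * entries reuse the sample functions; a real module gives each its own. */
#define PLUGIN_COUNT 2
static aka_algo_plugin_info_t aka_algo_info[PLUGIN_COUNT];
static const char *const plugin_names[PLUGIN_COUNT] =
    { "sample_aka_algo", "sample_aka_algo_2" };

/* plugin_load's prototype is ASSUMED from the guide's use of plugin_array
 * and *plugin_count; the real declaration is in plugin.h. */
int plugin_load(plugin_entry_t *plugin_array, int *plugin_count)
{
    int idx;
    if (plugin_array == NULL || plugin_count == NULL)
        return SDK_FAILURE;
    for (idx = 0; idx < PLUGIN_COUNT; ++idx) {
        aka_algo_plugin_info_t *p = &aka_algo_info[idx];
        p->name = plugin_names[idx];
        p->info = "Sample EAP-AKA algorithm plugin";
        p->f1 = f1impl;  p->f1x = f1ximpl;  p->f2 = f2impl;
        p->f3 = f3impl;  p->f4 = f4impl;    p->f5 = f5impl;
        p->f5x = f5ximpl;
        plugin_array[idx].type = AKA_ALGO;
        plugin_array[idx].info = (void *)p;
    }
    *plugin_count = PLUGIN_COUNT;
    return SDK_SUCCESS;
}
```

Registering two entries shows why the plugin_array size and *plugin_count must move together; the NULL guards return SDK_FAILURE instead of letting radiusd dereference a bad pointer inside the plug-in.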
Part VI Troubleshooting
This part of the HP-UX AAA Server A.08.01 Administrator’s Guide is organized as follows:
• Chapter 29: “Troubleshooting Overview” (page 464): Describes the AAA environment and an overview of HP-UX AAA Server troubleshooting.
• Chapter 30: “Troubleshooting Procedures” (page 469): Provides a troubleshooting flowchart followed by specific troubleshooting tables that enable you to identify the problem, and take the necessary corrective actions.
• Chapter 31: “Troubleshooting Resources” (page 509): Describes the troubleshooting resources available in the Server Manager and the HP-UX AAA Server.
• Chapter 32: “Reporting Problems” (page 513): Provides a checklist of information that you must collect before reporting a problem to HP.
Table of Contents
29 Troubleshooting Overview (page 464)
  AAA Environment Components (page 464)
  HP-UX AAA Server Operation (page 465)
  Probable Causes for Failure (page 467)
    Configuration Problems (page 467)
    External Service Problems (page 467)
    Protocol Limitations (page 468)
    RADIUS Client and Supplicant Considerations (page 468)
30 Troubleshooting Procedures (page 469)
  Troubleshooting Flowchart (page 469)
    Troubleshooting Flowchart Process (page 471)
  Troubleshooting the Server Manager Administration Utility (page 472)
    Common Problems With the Server Manager (page 473)
      Troubleshooting Server Manager Launch Problems (page 475)
      Troubleshooting Remote Management Problems (page 476)
  Troubleshooting the HP-UX AAA Server (page 477)
    Troubleshooting HP-UX AAA Server Startup Problems (page 478)
      Common Problems with HP-UX AAA Server Startup (page 478)
        Troubleshooting Bind Errors at HP-UX AAA Server Startup (page 482)
    Troubleshooting an Unresponsive HP-UX AAA Server (page 483)
      Troubleshooting Common Configuration Problems (page 484)
      Troubleshooting External Services (page 488)
        Identifying External Service Failures using Logfile Error Messages (page 488)
        Identifying Unrecorded External Datastore Failures (page 493)
        Identifying Proxy Server Failures (page 493)
        Identifying Unrecorded DHCP Failures (page 493)
    Troubleshooting Access-Rejects from the HP-UX AAA Server (page 494)
      Common Authentication Failure Problems (page 494)
    EAP Problems (page 502)
    Troubleshooting Provisioning Errors (page 506)
    Troubleshooting the HP-UX AAA Server Admin Utility (page 506)
31 Troubleshooting Resources (page 509)
  HP-UX AAA Server Troubleshooting Utilities (page 509)
    The radcheck Utility: For Checking the Server Status (page 509)
    The radpwtst Utility: For Testing Authentication (page 510)
    The raddbginc Utility: For Setting Debug Output Levels (page 510)
    The radsignal Utility: For Rolling Over the Debug Output to New Files (page 511)
  The HP-UX AAA Server Logfile and Debug File (page 511)
    The HP-UX AAA Server Logfile (page 511)
    The HP-UX AAA Server Debug File (page 511)
32 Reporting Problems (page 513)
  Server Set Up Information (page 513)
  Server Manager Related Information (page 514)
  External Components (page 514)
    External Databases (page 514)
    SNMP Servers (page 514)
    DHCP Servers (page 514)
    OpenSSL (page 514)
  EAP Related Information (page 514)
    Clients (page 515)
    Access Points (page 515)
29 Troubleshooting Overview
This chapter of the HP-UX AAA Server Administrator's Guide provides an overview of HP-UX AAA Server troubleshooting with respect to the AAA environment. This section discusses the following:
• “AAA Environment Components” (page 464)
• “HP-UX AAA Server Operation” (page 465)
• “Probable Causes for Failure” (page 467)
AAA Environment Components
The AAA environment consists of the following interoperating components:
• HP-UX AAA Server Daemon, Libraries, Configuration Files, and Utilities: Perform the authentication, authorization, and accounting functions to process requests.
• Web Based Server Manager Administration Utility: Configures and manages the servers. The Server Manager can retrieve logfile messages and statistics from HP-UX AAA Servers.
• Supplicants: Application software that requests access to network services via RADIUS clients.
• RADIUS Clients: Communicate with the HP-UX AAA Server using the RADIUS protocol standard. They serve as enforcement points to control access to network services.
• External Services: Interoperate with the HP-UX AAA Server to provide user profile storage (databases) and other services such as DHCP (IP address management) and SNMP (network management).
Figure 29-1 depicts the AAA environment and components. Troubleshooting the AAA environment involves determining the component that caused the problem and taking the necessary corrective actions.
Figure 29-1 AAA Environment Components
HP-UX AAA Server Operation
Figure 29-2 depicts the HP-UX AAA Server operation from the troubleshooting perspective.
Figure 29-2 HP-UX AAA Server Operation
The HP-UX AAA Server operation consists of the following steps:
1. The user or device that requires authentication communicates with the RADIUS client and provides authentication credentials such as user name and password. At this stage, incorrect supplicant configuration or invalid credentials can lead to authentication failures or an unresponsive HP-UX AAA Server.
NOTE: Troubleshooting the supplicant is outside the scope of this chapter. See your supplicant vendor’s documentation for troubleshooting information.
2. The RADIUS client (for example, access point or NAS) sends a RADIUS Access-Request message to the HP-UX AAA Server. At this stage, incorrect client configuration and bad RADIUS messages can lead to authentication or accounting failures, or an unresponsive HP-UX AAA Server.
3. The HP-UX AAA Server examines the request and validates the user credentials based on the configured authentication mechanism. At this stage, incorrect HP-UX AAA Server configuration, internal errors, or invalid credentials passed to it by the RADIUS client can cause authentication/accounting failures. These cases may cause the HP-UX AAA Server to ignore the RADIUS client’s request.
4. Based on the configured authentication mechanism, the HP-UX AAA Server can contact one or more external services:
a. The HP-UX AAA Server can contact an external service such as a database or LDAP directory server to retrieve user information and perform authentication.
b. The HP-UX AAA Server can forward the request to a proxy HP-UX AAA Server for authentication.
c. The HP-UX AAA Server can contact a DHCP server for IP address management.
If the external service is busy, unavailable, or invalid credentials are passed to it by the HP-UX AAA Server, the HP-UX AAA Server will not authenticate the user and may not respond.
5. If authentication is successful, the HP-UX AAA Server returns an Access-Accept message along with provisioning attributes to the RADIUS client. The RADIUS client allows the supplicant to connect to the configured network service. At this stage, incorrect attributes returned to the RADIUS client (or incorrect attributes expected by the RADIUS clients) can prevent the supplicant from connecting to the network service.
The HP-UX AAA Server is administered through the Server Manager. Here, problems with the browser, Tomcat, and RMI object, or incorrect credentials by the administrator can lead to problems while launching or using the Server Manager.
Probable Causes for Failure
This section discusses the problems, limitations, and considerations to be aware of before troubleshooting the AAA environment.
Configuration Problems
An incorrectly configured RADIUS client, supplicant, or HP-UX AAA Server can lead to problems. Some configuration related problems can result in the HP-UX AAA Server silently discarding the message without any reply being sent to the RADIUS client. For example, if the authentication queue is full, subsequent authentication requests are dropped.
External Service Problems
The HP-UX AAA Server interoperates with external services in the environment, such as database servers, LDAP, DHCP, and SNMP. The following problems can be caused by external services:
• An external service failure can result in the HP-UX AAA Server not sending a reply back to the RADIUS client.
• The RADIUS message packet contains information about the realm. The realm configuration specifies the external datastore used for user profile lookup. This information can be used to identify the external service accessed to process the RADIUS request.
Some external service failures do not result in the HP-UX AAA Server recording a message in the server logfile. For example, if the HP-UX AAA Server times out waiting on a busy database server, it does not record an error in the logfile. No reply is sent to the RADIUS client.
Protocol Limitations
The HP-UX AAA Server communicates with the RADIUS client using the RADIUS protocol. The RADIUS protocol has the following limitations:
• RADIUS packets are transmitted using the connectionless UDP transport protocol. Therefore, a RADIUS request that does not reach the recipient needs to be retransmitted by the sender. Usually, the sender retransmits the request if it times out while waiting for the acknowledgement.
• The RADIUS protocol specification allows the HP-UX AAA Server to send Access-Accept and Access-Reject messages only, in response to an Access-Request. The HP-UX AAA Server cannot send status information about a request to the RADIUS client.
Messages that do not contain correct information in accordance with the RADIUS protocol specifications will be silently discarded by the HP-UX AAA Server without any reply or status being sent to the client.
Supplicants connecting to the HP-UX AAA Server over a WLAN can use EAP protocols. The same EAP protocols must be configured at the supplicant, access point, and HP-UX AAA Server EAP realm configuration.
RADIUS Client and Supplicant Considerations
The HP-UX AAA Server supports several RADIUS clients, supplicants, and OTP token generators. For a list of RADIUS clients, supplicants, and OTP token generators that have been certified for the HP-UX AAA Server, see the HP-UX AAA Server A.08.01 Release Notes (T1428-90067). Consider the following:
• If the RADIUS client does not receive a reply from the HP-UX AAA Server, it behaves as if the HP-UX AAA Server is offline. It can retransmit the request after the timeout to the same HP-UX AAA Server or a secondary HP-UX AAA Server, based on the configuration.
• Not all RADIUS clients maintain an error log.
30 Troubleshooting Procedures
This chapter describes how to troubleshoot problems that you encounter while using the HP-UX AAA Server in the AAA environment. This chapter includes a diagnostic flowchart and troubleshooting tables that enable you to identify the problem and perform the appropriate corrective actions. This chapter addresses the following topics:
• “Troubleshooting Flowchart” (page 469)
• “Troubleshooting the Server Manager Administration Utility” (page 472)
• “Troubleshooting the HP-UX AAA Server” (page 477)
Troubleshooting Flowchart
Figure 30-1 enables you to identify whether the problem is with the Server Manager, the HP-UX AAA Server startup, or its operation. The flowchart will lead you to individual troubleshooting sections that describe how to identify the problem and perform the necessary corrective steps.
Figure 30-1 Troubleshooting Flowchart
Troubleshooting Flowchart Process
This section describes the troubleshooting process that you can follow to troubleshoot and identify problems with the HP-UX AAA Server. Each step listed below maps to the problem that is depicted in Figure 30-1.
1. Can launch Server Manager and view all applets and icons?
Launch the Server Manager administration utility and verify that all the applets and icons can be viewed.
Problem: Unable to launch Server Manager?
Resolution: See “Troubleshooting the Server Manager Administration Utility” (page 472). If you are able to resolve the problem using the suggestions listed in this section, but are facing other problems, proceed to step 2. If you are not facing any other problems, end the troubleshooting process. If you are unable to resolve the problem using the suggestions listed in this section, report it to HP after collecting all the information listed in Chapter 32: “Reporting Problems” (page 513).
Problem: Able to launch Server Manager?
Resolution: End the troubleshooting process. If you face a different problem, proceed to step 2.
2. Can start/administer HP-UX AAA Server from Server Manager?
Try to start and administer the HP-UX AAA Server from the Server Manager administration utility.
Problem: Unable to start or administer the Server Manager?
Resolution: The problem may be with the HP-UX AAA Server startup or a remote management issue. See “Troubleshooting Remote Management Problems” (page 476) or “Troubleshooting HP-UX AAA Server Startup Problems” (page 478). If you are able to resolve the problem using the suggestions listed in these sections, but are facing other problems, proceed to step 3. If you are not facing any other problems, end the troubleshooting process.
Problem: Able to start or administer the Server Manager?
Resolution: End the troubleshooting process. If you face a different problem, proceed to step 3.
3. Does the HP-UX AAA Server respond to requests?
   Check whether the HP-UX AAA Server responds to Access-Requests from clients and supplicants.
   If the server is not responding to requests, see "Troubleshooting an Unresponsive HP-UX AAA Server" (page 483). If you are able to resolve the problem using the suggestions listed in that section but are facing other problems, proceed to step 4. If you are not facing any other problems, end the troubleshooting process.
   If the server is responding to requests, end the troubleshooting process. If you face a different problem, proceed to step 4.

4. Does the HP-UX AAA Server return Access-Accept when the user expects an Access-Accept?
   Check whether the HP-UX AAA Server returns Access-Accepts to clients and supplicants.
   If the server is returning Access-Rejects, see "Troubleshooting Access-Rejects from the HP-UX AAA Server" (page 494). If you are able to resolve the problem using the suggestions listed in that section but the user still cannot connect to the network service, see "Troubleshooting Provisioning Errors" (page 506). If you are not facing any other problems, end the troubleshooting process.
   If the server is returning Access-Accepts but the user cannot connect to the network service, see "Troubleshooting Provisioning Errors" (page 506). If you are not facing any other problems, end the troubleshooting process. If you are unable to resolve the problem using the suggestions listed in this section, report the problem to HP after collecting all the information listed in Chapter 32: "Reporting Problems" (page 513).
Troubleshooting the Server Manager Administration Utility

This section describes how to troubleshoot problems with the Server Manager administration utility.
Common Problems With the Server Manager

Table 30-1 lists the common problems that you can encounter while using the Server Manager administration utility. Compare the problem you observe with those listed in this table and perform the corresponding corrective actions.

Table 30-1 Common Problems with the Server Manager

Problem: Cannot launch the Server Manager.
Cause: The Server Manager cannot be launched for one of the following reasons:
  • An unsupported browser is used.
  • An incorrect URL or port number is specified.
  • Tomcat is not running.
  • An incorrect Tomcat username or password is used.
  • A Java version lower than 1.5 is used.
Solution:
  1. Use a supported browser. For a list of supported browsers, see HP-UX AAA Server A.08.01 Release Notes (T1428-90070).
  2. Specify the correct URL and port number in the browser address bar.
  3. Verify that Tomcat is running.
  4. Verify that the correct Tomcat username and password (as specified in /opt/hpws22/tomcat/conf/tomcat-users.xml) are used.
  5. Use Java Version 1.5 or later.
  For more information, see "Troubleshooting Server Manager Launch Problems" (page 475).

Problem: Cannot view the Server Manager applets and icons.
Cause: The Java Runtime Environment (JRE) is not installed for your browser, or JavaScript is not enabled for your browser.
Solution: Install the JRE and enable JavaScript for your browser. For more information, see your vendor's documentation.

Problem: Can launch the Server Manager, but cannot start, stop, administer, or view statistics of the HP-UX AAA Server.
Cause: The RMI object is not running.
Solution:
  1. Verify that the RMI object is running. If not, start the RMI object.
  2. Ensure that port 7790 is used by the Java process.
  3. Ensure that the shared secret for rmi.config.secret is the same on the HP-UX AAA Server and the system running the Server Manager.
  4. Check the RMI log files in /opt/aaa/remotecontrol/.
  5. Ensure that Java Version 1.5 is used.
  For more information, see "Troubleshooting Remote Management Problems" (page 476).

Problem: Can launch the Server Manager, but cannot start, stop, load or save the configuration of, or view statistics of, HP-UX AAA Servers configured with an IPv6 address in the 'Domain Name or IP address' field.
Cause: Tomcat is not IPv6 enabled.
Solution:
  1. Stop Tomcat.
  2. In the shell from which Tomcat will be started, execute the following command:
     export JAVA_OPTS="$JAVA_OPTS -Djava.net.preferIPv4Stack=false"
  3. If the message "JAVA_OPTS: Parameter not set" is displayed after executing the above command, JAVA_OPTS is not yet set in that shell (the shell reports this when it runs with unset-variable checking enabled). In that case execute the following command instead:
     export JAVA_OPTS="-Djava.net.preferIPv4Stack=false"
     Otherwise, skip this step.
  4. Start Tomcat.
Cause: The RMI object is not running.
Solution:
  1. Verify that the RMI object is running. If not, start the RMI object.
  2. Ensure that port 2099 is used by the Java process, using the following command:
     # lsof -i :2099
     Port 2099 must be in the LISTEN state and used by a Java process.
  3. Ensure that the shared secret for rmi.config.secret is the same on the HP-UX AAA Server and the system running the Server Manager.
  For more information, see "Troubleshooting Remote Management Problems" (page 476).

Problem: Can launch the Server Manager, but cannot start the server. Starting the server fails with either of the following messages: "Address already in use" or "Can't assign requested address."
Cause: The server is configured with invalid values for its Server Attributes. For example, the combination of the Listen IP Address and Administration Port values of the server is already in use by another server, or the host names or addresses specified in the 'Domain Name or IP Address' and 'Listen IP Address' fields do not correspond to the same host. HP-UX AAA Server Manager has not validated these values because the RMI object was not running when the server was configured.
Solution:
  1. Verify that the RMI object is running. If not, start the RMI object.
  2. Using HP-UX AAA Server Manager, modify the configured Server Attributes of the server that fails to start. For more information, see "Administering HP-UX AAA Servers Using HP-UX AAA Server Manager".

Problem: Can launch the Server Manager, but get 'Parse Error' in the HP-UX AAA Server Status Frame.
Cause: Error while parsing the group configuration file.
Solution:
  1. Stop the HP-UX AAA Server Manager and Tomcat.
  2. Stop the RMI objects running on all the remote hosts.
  3. Start Tomcat and the HP-UX AAA Server Manager.
  4. Start the RMI objects on all the remote hosts.
  5. Modify all the servers configured. For more information, see "Administering HP-UX AAA Servers Using HP-UX AAA Server Manager".
Troubleshooting Server Manager Launch Problems

This section describes how to troubleshoot problems when you cannot launch the Server Manager administration utility. If you are unable to launch the Server Manager, complete the following steps:

1. Verify that you are using a supported browser. For a list of supported browsers, see HP-UX AAA Server A.08.01 Release Notes at www.docs.hp.com in the Internet and Security Solutions section.
2. Verify the port number specified in the URL. The default port number is 8081 (HTTP) or 8443 (HTTPS). This is configured in Tomcat's /opt/hpws22/tomcat/conf/server.xml file. If secure communication (HTTPS) is used, ensure that the SSL configuration matches that described in "Using Secure Socket Layer (SSL) for Secured Remote Server Manager Administration" (page 48).
3. Verify that the user name and password provided in the browser match the user name and password configured in /opt/hpws22/tomcat/conf/tomcat-users.xml. This file holds the Server Manager login credentials in clear text unless password digesting has been configured in Tomcat, so keep it readable only by the user that runs Tomcat.
4. Verify that the Tomcat server is running by entering the following command:
   # ps -efx | grep tomcat | grep -v grep
   If Tomcat is running, a line similar to the following is displayed:
   root 15408 1 Mar 29 ? 10:10 /opt/java1.5/bin/IA64N/java
   If the Tomcat server is not running, export the Java path and then use the Tomcat startup script to start Tomcat, as follows:
   # export JAVA_HOME=/opt/java1.5
   # /opt/hpws22/tomcat/bin/startup.sh
   Verify that the Tomcat server is running after running the startup script. If the Tomcat server is still not running, check the Tomcat server log, /opt/hpws22/tomcat/logs/catalina.out.
5. Use the lsof command to verify that the Tomcat port (usually 8081 for HTTP or 8443 for HTTPS) is in the LISTEN state and is used by the correct process. For example:
   # lsof -i :8081
   The port must be in the LISTEN state and used by a Java process with the same process ID as the Tomcat bootstrap process displayed in Step 4.
   NOTE: The lsof tool is an open source tool and is not available by default on HP-UX operating systems.
6. If the problem persists, report it to HP after collecting the information listed in Chapter 32: "Reporting Problems" (page 513).
Troubleshooting Remote Management Problems

This section describes how to troubleshoot remote management problems. If you are unable to use the Server Manager to administer an HP-UX AAA Server, complete the following steps:

1. Verify that the version number of the HP-UX AAA Server is the same as that of the Server Manager administration utility.
2. Verify that the RMI object is running, by entering the following command:
   # ps -efx | grep RMIServerManagement | grep -v grep
   If the RMI object is running, a line similar to the following is displayed:
   root 23965 1 0 14:46:47 pts/ta 0:00 /opt/java1.5/bin/IA64N/java
   If the RMI service is not displayed, start the RMI object by entering the following command:
   # /opt/aaa/remotecontrol/rmistart.sh
   NOTE: Before starting and stopping the RMI server, the JAVA_HOME environment variable must be set to the appropriate path. For example, to use Java 6, export JAVA_HOME as /opt/java6. If the JAVA_HOME environment variable is not set, or is set incorrectly, the default value /opt/java1.5 is used to start and stop the RMI server.
3. Verify that port 2099 is in the LISTEN state and that it is used by the correct process, by entering the following command:
   # lsof -i :2099
   Port 2099 must be in the LISTEN state and used by a Java process with the same PID as the RMI service displayed in Step 2.
   NOTE: The lsof tool is an open source tool and is not available by default on HP-UX operating systems.
4. Verify that the shared secret configured for rmi.config.secret in /opt/aaa/remotecontrol/rmiserver.properties (located on the server being managed) and in /opt/hpws22/tomcat/webapps/aaa/WEB-INF/gui.properties (located on the system running the Server Manager) is the same. This secret protects the remote management channel between the Server Manager and the RMI object, so both files should be readable only by root or the account that runs the respective service.
5. Check the following RMI log files for errors:
   • /opt/aaa/remotecontrol/admin.log - if you cannot start or stop the HP-UX AAA Server or reload the server configuration.
   • /opt/aaa/remotecontrol/file.log - if you cannot load or save the HP-UX AAA Server configuration.
   • /opt/aaa/remotecontrol/maintenance.log - if you cannot view the HP-UX AAA Server Status or the Server Logfile, Accounting, or Statistics screens.
6. If the problem persists, report the problem to HP after collecting the information listed in Chapter 32: "Reporting Problems" (page 513).
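Step 4 above compares a shared secret stored in two files. The following is an added example, not code from the HP-UX AAA Server product or from this guide: a POSIX shell script that reads rmi.config.secret from both properties files, reports whether the two values match without printing either of them, and warns when a file is readable by group or others. It assumes both files are readable from the host where it runs (for example when the Server Manager and the managed server are on the same system, or after gui.properties has been copied over a protected channel). The demo() function builds constructed sample files under a temporary directory; the sample values and temporary file names are this example's own and are not product data.

```shell
#!/bin/sh
# Added example, not part of the HP-UX AAA Server guide or product: verify the
# RMI shared secret (rmi.config.secret) without echoing it, and flag properties
# files that other local users could read.  The production paths are the ones
# the guide names; the files built by demo() are constructed samples.

# Print the value of KEY from a Java-style properties file (key=value lines;
# lines beginning with '#' or '!' are comments).  Prints nothing if KEY is absent.
prop_value() {   # prop_value KEY FILE
    awk -v key="$1" '
        /^[ \t]*[#!]/ { next }
        {
            i = index($0, "=")
            if (i == 0) next
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$2"
}

# Succeed (exit 0) only when rmi.config.secret is set and identical in both
# files.  The values stay in shell variables and are never printed.
secrets_match() {   # secrets_match RMISERVER_PROPS GUI_PROPS
    s=$(prop_value rmi.config.secret "$1")
    g=$(prop_value rmi.config.secret "$2")
    [ -n "$s" ] && [ "$s" = "$g" ]
}

# Succeed only when FILE is readable by neither group nor others, so the
# secret is not exposed to every local account.
secret_file_private() {   # secret_file_private FILE
    [ -f "$1" ] && [ -z "$(find "$1" \( -perm -040 -o -perm -004 \) -print)" ]
}

# Run both checks and report; returns 0 when everything is in order.
check_rmi_secret() {   # check_rmi_secret RMISERVER_PROPS GUI_PROPS
    rc=0
    if secrets_match "$1" "$2"; then
        echo "rmi.config.secret: same in both files"
    else
        echo "rmi.config.secret: missing or different (Server Manager cannot authenticate to the RMI object)"
        rc=1
    fi
    for f in "$1" "$2"; do
        secret_file_private "$f" || { echo "$f is readable by group/others; chmod 600 it"; rc=1; }
    done
    return $rc
}

# Demonstration on constructed files.  On a real system run instead:
#   check_rmi_secret /opt/aaa/remotecontrol/rmiserver.properties \
#       /opt/hpws22/tomcat/webapps/aaa/WEB-INF/gui.properties
demo() {
    tmp=${TMPDIR:-/tmp}/rmi-secret-check.$$          # example's own scratch dir
    (umask 077 && mkdir "$tmp") || return 1
    printf 'rmi.config.port=2099\nrmi.config.secret = example-secret\n' > "$tmp/rmiserver.properties"
    printf '# gui settings\nrmi.config.secret=example-secret\n' > "$tmp/gui.properties"
    chmod 600 "$tmp/rmiserver.properties" "$tmp/gui.properties"
    check_rmi_secret "$tmp/rmiserver.properties" "$tmp/gui.properties"; rc=$?
    rm -rf "$tmp"
    return $rc
}
demo
```

The comparison is done in the shell rather than with diff so that the secret never appears on a terminal or in shell history, and the permission check uses only POSIX find so it runs unchanged on HP-UX.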
Troubleshooting the HP-UX AAA Server

This section describes how to troubleshoot problems with HP-UX AAA Server startup and operation. The troubleshooting flowchart in Figure 30-1 leads you to one of the following sections:
• "Troubleshooting HP-UX AAA Server Startup Problems" (page 478)
• "Troubleshooting an Unresponsive HP-UX AAA Server" (page 483)
• "Troubleshooting Access-Rejects from the HP-UX AAA Server" (page 494)
• "Troubleshooting Provisioning Errors" (page 506)
Troubleshooting HP-UX AAA Server Startup Problems

This section describes how to troubleshoot problems encountered while starting the HP-UX AAA Server. To troubleshoot HP-UX AAA Server startup problems, complete the following steps:

1. Search for the failure error messages in the HP-UX AAA Server logfile using the Server Logfile screen in the Server Manager administration utility. For more information on using the Server Logfile screen, see "Using Server Manager to Retrieve Logfile Information" (page 142).
2. Compare the failure error messages and the command line errors to those listed in Table 30-2, and perform the appropriate corrective actions.

Common Problems with HP-UX AAA Server Startup

Table 30-2 lists the common problems that you can encounter while attempting to start the HP-UX AAA Server. Compare the problem that you observe with those listed in this table and perform the necessary corrective actions:
Table 30-2 Common Problems with HP-UX AAA Server Startup

Problem: The logfile does not have read-write permissions for the user who is trying to start the radiusd daemon.
Log Message: Error '13' (Permission denied). Cannot launch radiusd daemon. User '<user name>' cannot open '/var/opt/aaa/logs/logfile'. Verify read/write permissions for user on the file
Cause: This error can occur when radiusd is started as a non-root user after it was previously started as root.
Solution: To start radiusd as a non-root user, see "Running the HP-UX AAA Server as a non-root User" (page 51).

Problem: Incorrect permissions on the PID file.
Log Message: radiusd: Error '13' (Permission denied). Cannot launch radiusd daemon. User <user name> cannot open /var/opt/aaa/run/radiusd.pid. Verify read/write permissions for user on the file.
Cause: The radiusd.pid file does not have read-write permissions for the user who is trying to start the radiusd daemon.
Solution: To start radiusd as a non-root user, see "Running the HP-UX AAA Server as a non-root User" (page 51).

Problem: Socket errors.
Log Message: setupv6sock: could not bind socket
  or
  setupsock: could not bind socket
  Command line error: bind: address already in use
Cause: This problem occurs for one of the following reasons:
  • An instance of the radiusd daemon is already running.
  • The ports configured for authentication and accounting are being used by a different process.
Solution:
  1. Use ps and grep to verify whether the radiusd daemon is already running. If it is, use the existing instance of the daemon, or restart radiusd after stopping the existing instance.
  2. Check for other processes using the authentication and accounting ports configured for the radius and radacct entries, respectively, in /etc/services.
  3. If the authentication or accounting port is occupied, configure different ports in /etc/services and restart radiusd. You can also configure different ports using the Start Options in the Administration screen of Server Manager.
  For more information, see "Troubleshooting Bind Errors at HP-UX AAA Server Startup" (page 482).

Problem: Unable to load AATVs.
Log Message: open_library: Cannot open shared object '<AATV>': '<error>'.
Cause: The specified AATV cannot be loaded for one of the following reasons:
  • A dependent library cannot be found at the specified location.
  • The AATV or its dependent library does not have execute permissions.
Solution:
  • Ensure that all the dependent libraries are present in the specified locations.
  • Ensure that the AATV and its dependent libraries have execute permissions. See the chmod(1) manpage for more information on changing permissions.

Problem: Invalid or missing AATV.
Log Message: read_auth: Missing AATV for entry on line 3 of /etc/opt/aaa/authfile
Cause: The AATV specified in /etc/opt/aaa/authfile is not found.
Solution: Specify a valid, existing AATV in /etc/opt/aaa/authfile.

Problem: FSM-related problems (undefined state).
Log Message: doconfig: init_fsm() failed rad_fsminit: non-reachable state logall-3.00::unreachable <line no> <date><time> rad_fsminit: state invalid seen but not defined
Cause: The FSM file /etc/opt/aaa/radius.fsm contains an undefined state at line <line no>.
Solution: Ensure that the state specified on line <line no> is correct. If the correct state has been specified, define it. See "States" (page 396) for more information on defining a state.

Problem: FSM-related problems (invalid event name).
Log Message: doconfig: init_fsm() failed rad_fsminit: invalid event name: 'invalid' line <line no>
Cause: The FSM file /etc/opt/aaa/radius.fsm contains an invalid event name on line <line no>.
Solution: Edit /etc/opt/aaa/radius.fsm to specify a valid event name at line <line no>. See "Event Names" (page 399) for more information on specifying events.

Problem: FSM-related problems (invalid action name).
Log Message: doconfig: init_fsm() failed rad_fsminit: invalid action name: 'invalid' line <line no>
Cause: The FSM file /etc/opt/aaa/radius.fsm contains an invalid action name on line <line no>.
Solution: Edit /etc/opt/aaa/radius.fsm to specify a valid action name at line <line no>. See "Actions" (page 403) for more information on specifying actions.

Problem: FSM-related problems (duplicate state).
Log Message: doconfig: init_fsm() failed rad_fsminit: duplicate state: line <line no> <date><time>: 'state' <date><time> doconfig: init_fsm() failed
Cause: The FSM file /etc/opt/aaa/radius.fsm contains a duplicate state at line <line no>.
Solution: Edit /etc/opt/aaa/radius.fsm to remove the duplicate state at line <line no>. See "States" (page 396) for more information on defining states.

Problem: Missing vendor number.
Log Message: vend_init: Missing Vendor number on line <line no> of vendors dict_init: Could not initialize the 'vendors' file
Cause: The /etc/opt/aaa/vendors file is missing a vendor number entry on line <line no>.
Solution: Edit /etc/opt/aaa/vendors to specify the vendor number on line <line no>.

Problem: Invalid dictionary value.
Log Message: dict_init: Invalid value <invalid> in column <column no> at line <line no> in /etc/opt/aaa/dictionary. Specify <correct value range>.
Cause: The /etc/opt/aaa/dictionary file contains an invalid value at line <line no>.
Solution: Edit /etc/opt/aaa/dictionary and specify a valid value within <correct value range>.

Problem: HP-UX AAA Server fails to start.
Log Message: read_auth: Missing AATV for entry on line 15 of /etc/opt/aaa/authfile doconfig: iaaa_config_files() failed.
Cause: The authfile may contain realm entries configured for Oracle or SecurID authentication.
Solution: Starting with the HP-UX AAA Server A.08.00 release, the Oracle and SecurID AATVs are obsolete. The corresponding entries must be removed from /etc/opt/aaa/authfile and /etc/opt/aaa/EAP.authfile. HP recommends that you use the SQL Access AATV instead of the Oracle AATV, EAP-PEAP instead of EAP-LEAP, and OATH standards-based authentication instead of SecurID authentication. For information on how to configure SQL database based authentication, see Chapter 22 "SQL Access". For information on how to configure OTP or two-factor authentication, see Chapter 16 "OATH Standards-Based OTP Authentication".

Problem: HP-UX AAA Server logs an error message while starting.
Log Message: RealmEAP::configure: Unknown AATV 'CiscoLEAP' in '/etc/opt/aaa/EAP.authfile' at '12' for EAP-Type. Specify a valid AATV for EAP-TYPE
  RealmEAP::readauth: AATV for EAP-Type is missing or not valid for realm 'oracle.test.test' on line 13 in /etc/opt/aaa/EAP.authfile
  read_auth: /etc/opt/aaa/EAP.authfile (3 entries) read to memory, 1 error
Cause: The authfile has configured realm entries for EAP-LEAP authentication.
Solution: Starting with the HP-UX AAA Server A.08.00 release, the EAP-LEAP AATV is obsolete. The corresponding entries must be removed from /etc/opt/aaa/authfile and /etc/opt/aaa/EAP.authfile. HP recommends that you use EAP-PEAP instead of EAP-LEAP. For information on EAP-PEAP, see Chapter 13 "Securing LAN Access With EAP".
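As an added example (not part of this guide or of the HP-UX AAA Server product), the following POSIX shell and awk script reads logfile lines on standard input, matches them against the messages quoted in Table 30-2, and prints which entry applies together with the file and line number that the message names, so the operator does not have to search the table by hand. The category names it prints and the sample log lines in demo() are constructed for this example; the message texts it matches are the ones the table quotes.

```shell
#!/bin/sh
# Added example, not part of the HP-UX AAA Server guide or product: triage the
# startup messages listed in Table 30-2.  Reads logfile lines on stdin (for
# instance /var/opt/aaa/logs/logfile) and prints "<category><TAB><what to fix>"
# for every recognised line.  Exit status is 1 when no Table 30-2 message was
# seen.  Category names are this example's own; the log lines in demo() are
# constructed.

triage_startup_log() {   # triage_startup_log < logfile
    awk '
        # Turn "line N of FILE" / "line N in FILE" into "FILE:N"; bare "line N" stays.
        function where(s,    m, n, f) {
            if (!match(s, /line [0-9]+( (of|in) [^ ]+)?/)) return "(no line number)"
            m = substr(s, RSTART, RLENGTH)
            n = m; sub(/^line /, "", n); sub(/ .*/, "", n)
            if (m ~ / (of|in) /) {
                f = m; sub(/^.* (of|in) /, "", f); sub(/[.,;:]$/, "", f)
                return f ":" n
            }
            return "line " n
        }
        function out(cat, hint) { hits++; print cat "\t" hint }

        /Permission denied/ && /cannot open/ {
            out("permissions", "file not writable by the starting user; see Running the HP-UX AAA Server as a non-root User (page 51)"); next }
        /could not bind socket/ || /address already in use/ {
            out("bind", "radiusd already running or port in use; see Troubleshooting Bind Errors (page 482)"); next }
        /open_library: Cannot open shared object/ {
            out("aatv-load", "check dependent libraries and execute permission on the AATV"); next }
        /Unknown AATV .CiscoLEAP./ {
            out("obsolete-leap", "remove the EAP-LEAP realm entries from /etc/opt/aaa/EAP.authfile and use EAP-PEAP"); next }
        /read_auth: Missing AATV/ {
            out("missing-aatv", "fix or remove the entry at " where($0) " (Oracle and SecurID AATVs are obsolete since A.08.00)"); next }
        /rad_fsminit: duplicate state/ {
            out("fsm-duplicate-state", "remove the duplicate state in /etc/opt/aaa/radius.fsm at " where($0)); next }
        /rad_fsminit: non-reachable state/ {
            out("fsm-undefined-state", "define the state in /etc/opt/aaa/radius.fsm (States, page 396)"); next }
        /rad_fsminit: invalid event name/ {
            out("fsm-event", "invalid event name in /etc/opt/aaa/radius.fsm at " where($0) " (Event Names, page 399)"); next }
        /rad_fsminit: invalid action name/ {
            out("fsm-action", "invalid action name in /etc/opt/aaa/radius.fsm at " where($0) " (Actions, page 403)"); next }
        /vend_init: Missing Vendor number/ {
            out("vendors", "add the vendor number at " where($0) " (/etc/opt/aaa/vendors)"); next }
        /dict_init: Invalid value/ {
            out("dictionary", "correct the value at " where($0)); next }
        END { exit hits ? 0 : 1 }
    '
}

# Demonstration on constructed lines (not real server output); on a live
# system use:  triage_startup_log < /var/opt/aaa/logs/logfile
demo() {
    printf '%s\n' \
      "radiusd: Error '13' (Permission denied). Cannot launch radiusd daemon. User 'aaa' cannot open /var/opt/aaa/run/radiusd.pid. Verify read/write permissions for user on the file." \
      "read_auth: Missing AATV for entry on line 15 of /etc/opt/aaa/authfile doconfig: iaaa_config_files() failed." \
      "doconfig: init_fsm() failed rad_fsminit: invalid event name: 'invalid' line 12" \
      "dict_init: Invalid value 300 in column 3 at line 8 in /etc/opt/aaa/dictionary. Specify 0-255." \
      "Server started." \
    | triage_startup_log
}
demo
```

The script only recognises the startup messages; run-time messages from Tables 30-3 and 30-4 pass through unmatched, which is why the exit status is useful in a start script to decide whether the table applies at all.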
Troubleshooting Bind Errors at HP-UX AAA Server Startup

This section describes how to troubleshoot problems when you cannot start the HP-UX AAA Server because of bind errors. If you are unable to start the HP-UX AAA Server, complete the following steps:

1. Check whether the radiusd daemon is already running by entering the following command:
   # ps -ef | grep radiusd
   If radiusd is running, its process is displayed. If the radiusd daemon is already running, you can stop and start the HP-UX AAA Server from the Server Manager administration utility or from the command line. For more information, see "Starting HP-UX AAA Servers Using Server Manager" (page 74) or "Starting HP-UX AAA Servers From the Command Line" (page 77). You can also continue with the HP-UX AAA Server instance that is already running.
2. Enter the following command to verify that the authentication and accounting ports specified for the RADIUS service in /etc/services (the radius and radacct entries, respectively) are used by the correct process. For example:
   # lsof -i :<authentication port>
   The authentication port (default 1812) and accounting port (default 1813) must be owned by the radiusd process. Because RADIUS runs over UDP, lsof reports these sockets as, for example, UDP *:1812 with no (LISTEN) state; the LISTEN state applies only to the TCP ports checked elsewhere in this chapter (8081, 8443 and 2099). If lsof shows a different command name owning the port, that process is the cause of the bind error.
   NOTE: The lsof tool is an open source tool and is not available by default on HP-UX operating systems.
3. If another process is using the authentication or accounting port, configure different ports in the /etc/services file or from the Start Options in the Administration screen of Server Manager.
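The lsof checks in step 2 above, in step 5 of "Troubleshooting Server Manager Launch Problems" and in step 3 of "Troubleshooting Remote Management Problems" all answer the same question: which process owns a port. The following added example (not code from the product or from this guide) reads the radius and radacct port numbers from an /etc/services-style file, parses the text output of lsof -i :PORT, and classifies a bind error as an already-running radiusd, a clash with another program, or a port that nobody owns. The functions take the lsof output as an argument so they can be exercised offline on the constructed samples in demo(); on a live system pass "$(lsof -i :$port)" and /etc/services. The PIDs, device numbers and file names in the samples are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the HP-UX AAA Server guide or product: decide what a
# "bind: address already in use" at radiusd startup means, from the port names in
# /etc/services and the text output of "lsof -i :PORT".  All sample data in
# demo() is constructed.

# Port number for SERVICE (udp entry) from an /etc/services-style FILE.
services_port() {   # services_port SERVICE FILE
    awk -v name="$1" '
        /^[ \t]*#/ { next }
        $1 == name && $2 ~ "^[0-9]+/udp$" { split($2, p, "/"); print p[1]; exit }
    ' "$2"
}

# "PID COMMAND" of the process whose socket name ends in :PORT, parsed from
# lsof -i output (a header line, then one line per socket).  Prints nothing when
# no process owns the port.  Works for UDP sockets, which carry no (LISTEN) state,
# and for TCP listeners alike.
port_owner() {   # port_owner PORT LSOF_OUTPUT
    printf '%s\n' "$2" | awk -v port="$1" '
        NR > 1 { for (i = 1; i <= NF; i++) if ($i ~ (":" port "$")) { print $2, $1; exit } }
    '
}

# Interpret a bind failure on PORT.  Prints one of:
#   running <pid>          an existing radiusd owns the port: reuse it or stop it first
#   conflict <pid> <cmd>   another program owns the port: change radius/radacct in
#                          /etc/services or in the Server Manager Start Options
#   free                   nobody owns the port: the failure is not a port clash
#                          (check the Listen IP Address instead)
bind_diagnosis() {   # bind_diagnosis PORT LSOF_OUTPUT
    owner=$(port_owner "$1" "$2")
    [ -n "$owner" ] || { echo free; return 0; }
    set -- $owner                       # $1 = pid, $2 = command
    case $2 in
        radiusd) echo "running $1" ;;
        *)       echo "conflict $1 $2" ;;
    esac
}

demo() {
    svc=${TMPDIR:-/tmp}/services.$$     # constructed /etc/services excerpt
    printf '# constructed sample\nradius 1812/udp\nradius 1812/tcp\nradacct 1813/udp\n' > "$svc"
    # Constructed "lsof -i" output: an old radiusd holds 1812 and 1813, Tomcat holds 8081.
    lsof_out='COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
radiusd 4711 root 6u IPv4 0x1 0t0 UDP *:1812
radiusd 4711 root 7u IPv4 0x2 0t0 UDP *:1813
java 15408 root 30u IPv6 0x3 0t0 TCP *:8081 (LISTEN)'
    for name in radius radacct; do
        port=$(services_port "$name" "$svc")
        echo "$name ($port): $(bind_diagnosis "$port" "$lsof_out")"
    done
    echo "tomcat (8081): $(bind_diagnosis 8081 "$lsof_out")"
    echo "rmi (2099): $(bind_diagnosis 2099 "$lsof_out")"
    rm -f "$svc"
}
demo
```

Matching on the field that ends in ":PORT" rather than on a fixed column keeps the parser independent of lsof's column layout, and anchoring the pattern at the end prevents port 181 from matching *:1812.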
Troubleshooting an Unresponsive HP-UX AAA Server

To troubleshoot an unresponsive HP-UX AAA Server, first determine whether the HP-UX AAA Server is receiving requests. To do so, perform the following steps:

1. View the HP-UX AAA Server logfile using the Server Logfile screen as described in "Using Server Manager to Retrieve Logfile Information" (page 142). The server logfile messages are displayed.
2. If the request was received, check the logfile for error messages and compare them to the errors listed in the following sections:
   • "Troubleshooting Common Configuration Problems" (page 484): lists errors caused by incorrect configuration on the HP-UX AAA Server or the RADIUS client
   • "Troubleshooting External Services" (page 488): lists errors caused by unresponsive or failed external services
3. If the HP-UX AAA Server received the request and remained unresponsive, but did not log an error in the logfile, see "Troubleshooting External Services" (page 488).

If the HP-UX AAA Server did not receive the request, perform the following steps:

1. Verify that the DNS server is available by entering the nslookup command. For more information on the nslookup command, see nslookup(1M).
2. Ensure that the RADIUS client is receiving requests from the supplicant and is configured to send requests to the correct HP-UX AAA Server.
3. If proxy HP-UX AAA Servers are used, see "Identifying Proxy Server Failures" (page 493) to check for proxy server failures.
Troubleshooting Common Configuration Problems

Table 30-3 lists the problems caused by incorrect configuration on the RADIUS client or the HP-UX AAA Server. Compare the error recorded in the logfile with the following and perform the appropriate corrective actions.

Table 30-3 Common Configuration Problems

Problem: Request dropped.
Log Message: Request from unknown client <client IP or hostname> dropped. Configure client in /etc/opt/aaa/clients or Access Devices screen in Server Manager.
Cause: The HP-UX AAA Server is not configured to receive requests from the RADIUS client.
Solution:
  1. Ensure that the RADIUS client is sending requests to the correct HP-UX AAA Server.
  2. If the client is configured correctly, configure the HP-UX AAA Server to receive requests from the client using the Access Devices screen of the Server Manager. Register the specific client address together with its shared secret; the server drops requests from unregistered sources, which is the intended protection against unknown clients.
  3. If the HP-UX AAA Server receives the request from a proxy server, configure the proxy server using the Proxies screen of the Server Manager.
  For information about configuring RADIUS clients, see "Configuring RADIUS Client Using the Access Devices Screen" (page 89).

Problem: Request dropped.
Log Message: get_radrequest: Request dropped. Unknown RADIUS packet 'invalid(66)' received from client 'example.com:50390'
  or
  get_radrequest: ill formed packet from <server> [55421] - code = 1, vers = 1, len(hdr) = 1000, len(rcvd) = 56
  or
  get_radrequest: NO a/v pairs from <server> [55697] - access (type 1), len = 20
  or
  Request from 'example.com:port' dropped. Invalid RADIUS request received from '<client-name>' [udp-port = '<udp-port>'] of type '<type>' (type-code = '<type-code>'), version = '<version>' and length = '<length>'
Cause: The HP-UX AAA Server received a bad RADIUS request that did not contain correct information, or did not conform to the RADIUS protocol. In the "ill formed packet" example the Length field in the header (1000) is larger than the datagram actually received (56 bytes); the server discards such packets rather than processing them.
Solution:
  1. Ensure that the RADIUS client transmits packets that conform to the RADIUS protocol standards. See HP-UX AAA Server A.08.01 Release Notes (T1428-90070) for a list of supported RADIUS protocol RFCs.
  2. Ensure that the RADIUS client is current with the latest patches.
  3. Perform a packet trace using the raddbginc utility or Wireshark. For information on the raddbginc utility and the debug file, see "The raddbginc Utility: For Setting Debug Output Levels" (page 510). For more information on Wireshark, see the documentation for Internet Express at www.docs.hp.com.

Problem: Request dropped.
Log Message: Unable to execute <exit> command. Attributes are not valid arguments for the <exit> command. Pre-defined events or events defined in the FSM file should be specified within quotes as argument to <exit>
Cause: This error occurs if a string is specified without quotes. If the string is specified as an attribute, it is not defined in the dictionary file. If the string is specified as a string constant, it is not enclosed in quotes.
Resolution: If the string is specified as a string constant, check that it is enclosed within double quotes. If it is specified as an attribute, check that it is defined in the dictionary file.

Problem: Request dropped.
Log Message: The specified attribute instance 'RADIUS:State[10]' could not be found.
Cause: This error can occur if one of the policy files uses an attribute instance that is not present in the incoming request.
Resolution: If you are unsure whether the attribute used in the policy file will be present in all incoming requests, verify that it is present in the request before using it. You can use the count attribute function to verify that the attribute is present. For example:
  if ( count(State) = 10 && State = "xxxxx" )

Problem: Request dropped.
Log Message: Instance <begin> is not allowed in the argument for <tolower>. Only numeric instances and 'last' are allowed
Cause: This error can occur if you have used the begin keyword to specify the first occurrence of an attribute instance with any command other than the insert command. For more information on the usage of the begin keyword, see "Keyword Instance Specification" (page 423).
Resolution: Use numeric instances to specify the first occurrence of an attribute instance. For example:
  tolower(User-Name[0])

Problem: Request dropped.
Log Message: Instance '*' is not allowed in the argument for 'tolower'. Only numeric instances and 'last' are allowed.
  NOTE: In this example, tolower has been used. However, this kind of error message can appear whenever unsupported arguments are specified.
Cause: This error can occur if you have specified an asterisk with commands or attribute functions that do not support it. For more information on the usage of the asterisk keyword, see "Keyword Instance Specification" (page 423).
Resolution: Specify a particular instance instead of all instances of an attribute where the asterisk is not supported.

Problem: Cannot generate client requests.
Log Message: AAASQL_aatv_action: No such attribute 'Client-Request-Create-ActionId' of vendor 'HP' found in the Authreq
  AAASQL_aatv_action: No such attribute 'Client-Request-Update-ActionId' of vendor 'HP' found in the Authreq
  AAASQL_aatv_action: No such attribute 'Client-Request-Timeout-ActionId' of vendor 'HP' found in the Authreq
Cause: The HP-UX AAA Server is not configured to set the SQL Access action IDs used for generation of client requests.
Resolution: Verify the policies configured in the client-request-init.grp file. Ensure that the Client-Request-Create-ActionId, Client-Request-Update-ActionId and Client-Request-Timeout-ActionId attributes are assigned the correct SQL Access action IDs for all the configured CLIENT actions. Ensure that the CLIENT action names configured in the aaa.config file match the CLIENT action names used in this policy file. For more information on HP-UX AAA Server client functionality, see Chapter 19 "Configuring the HP-UX AAA Server for Client Functionality".

Problem: Responses to client requests are dropped.
Log Message: AAASQL_aatv_action: No such attribute 'Client-Request-Cleanup-ActionId' of vendor 'HP' found in the Authreq
Cause: The HP-UX AAA Server is not configured to set the SQL Access action IDs used for processing the responses to client requests.
Resolution: Verify the policies configured in the client-reply-ingress.grp file. Ensure that the Client-Request-Cleanup-ActionId attribute is assigned the correct SQL Access action ID for the various response types. For more information on HP-UX AAA Server client functionality, see Chapter 19 "Configuring the HP-UX AAA Server for Client Functionality".

Problem: Request dropped.
Log Message: parse error: syntax error
Cause: This error occurs if the syntax used in the policy files is incorrect. It may also occur if an operator is written without spaces between it and its operands. Attribute names such as Idle-Timeout contain hyphens, so a minus sign that is not surrounded by spaces cannot be told apart from part of a name. For example:
  insert Session-Timeout = Idle-Timeout- 10
  or
  insert Session-Timeout = Idle-Timeout -10
Solution: Use a space between operators and operands. For example:
  insert Session-Timeout = Idle-Timeout - 10
Troubleshooting External Services

This section describes how to troubleshoot problems related to external services. External service failures cause the HP-UX AAA Server to be unresponsive. If the logfile records an error, see "Identifying External Service Failures using Logfile Error Messages" (page 488) to determine the problem and perform the necessary corrective actions. However, not all external service problems result in error messages being recorded in the logfile. If the HP-UX AAA Server remains unresponsive but no error is recorded in the server logfile, see "Identifying Proxy Server Failures" (page 493) and "Identifying Unrecorded DHCP Failures" (page 493).

Identifying External Service Failures using Logfile Error Messages

Compare the errors recorded in the HP-UX AAA Server logfile with those listed in Table 30-4 and perform the appropriate corrective actions:
Table 30-4 External Service Failure Problems
TroubleshootingProblem
proldap_open: Cannot connect to LDAP server 'server'. ERROR'-1' (Can't contact LDAP server). LDAP server not found. Verify
Log MessageUnable to connectto the LDAPServer. LDAP properties in the Local Realms configuration in Server
Manager or verify LDAP server host and port configurationvalues in the appropriate authfile in '/etc/opt/aaa
This problem may occur if the LDAP Server is not running,or if the LDAP properties are not correctly configured.
Cause
Solution 1. Ensure that the LDAP server is running.2. Verify the following LDAP configuration parameters for
the affected realm:• Host• Port
For more information on verifying the LDAP configurationfor a realm, see “Configuring Realms for LDAP ” (page 112).
488 Troubleshooting Procedures
Table 30-4 External Service Failure Problems (continued)
TroubleshootingProblem
get_open_result: Cannot connect to LDAP server '<servername>' as LDAP user (Keyword 'Keyword')
Log MessageUnable to connectto the LDAP serveras administrator 'cn=value,dc=value,dc=value,dc=com'. ERROR '49' (Invalid
credentials). Access denied . Verify LDAP properties in theLocal Realms configuration in Server Manager or verify LDAPuser and password in the appropriate authfile in '/etc/opt/aaa
This problem may occur if the LDAP properties are notcorrectly configured.
Cause
Verify the following LDAP configuration parameters for theaffected realm:
Solution
• Administrator• Password• Search Base• Filter• Authentication TypeFor more information on verifying the LDAP configurationfor a realm, see “Configuring Realms for LDAP ” (page 112).
Connecting DB '<database>' with service'example:152/ora10g', user 'system'
Log MessageUnable to opendatabaseconnection OCI_ERROR(AAA_OCIServerAttach -1): ORA-12541: TNS:no
listener 2006: OCI_ERROR(AAA_OCISessionBegin -1):ORA-24327: need explicit attach before authenticating a userFailed to open database connections for db_oci db id.
No listener is running on the Oracle server. If the listener isrunning, the connection configuration (hostname and port) isincorrect
Cause
Verify that an instance of the Oracle database server is runningon the server and port specified in theDBID structure of/etc/opt/aaa/sqlaccess.config.
Solution
For more information on using the SQL Access feature withOracle, see Chapter 22 (page 338).
Problem: Unable to connect to the Oracle database server
Log Message: Connecting DB '<database>' with service 'example:1521/ora10g', user 'system' OCI_ERROR(AAA_OCIServerAttach -1): ORA-12154: TNS:could not resolve the connect identifier specified OCI_ERROR(AAA_OCISessionBegin -1): ORA-24327: need explicit attach before authenticating a user Failed to open database connections for db_oci db id
Cause: The Oracle server and port that the HP-UX AAA Server is trying to connect to cannot be resolved.
Solution: Specify the correct server and port in the DBID structure of /etc/opt/aaa/sqlaccess.config. For more information on using the SQL Access feature with Oracle, see Chapter 17, SQL Access on page 221. If the sqlaccess.config configuration is correct, the OCI client is unable to resolve the database name. Ensure that the tnsnames.ora file contains all the databases that your OCI client can connect to. Also ensure that the TNS_ADMIN path variable is set to the location of tnsnames.ora. For more details, see your vendor’s documentation.
Problem: Unable to connect to the MySQL database server (wrong ODBC datastore in sqlaccess.config)
Log Message: Connecting DB '<database>' with data source '<data source>', user '<user name>' SQL_ERROR(IM002 0): [unixODBC][Driver Manager]Data source name not found, and no default driver specified SQL_ERROR(08003 0): [unixODBC][Driver Manager]Connnection does not exist ERROR:AAA_SQLAllocHandle(SQL_HANDLE_STMT) failed!
Cause: An incorrect ODBC datastore was specified for the MySQL server.
Solution: Specify the correct value for ODBCDataStore in the DBID structure of /etc/opt/aaa/sqlaccess.config. For more information on using the SQL Access feature with MySQL, see Chapter 22 (page 338).
Problem: Unable to connect to the MySQL database server
Log Message: Connecting DB '<database>' with data source '<datasource>', user '<user name>' SQL_ERROR(HYT00 2005): [unixODBC][MySQL][ODBC 3.51 Driver]Unknown MySQL Server Host 'minolt' (0) SQL_ERROR(08003 0): [unixODBC][Driver Manager]Connnection does not exist ERROR:AAA_SQLAllocHandle(SQL_HANDLE_STMT) failed! Failed to open database connections for db_odbc db id.
Cause: The MySQL server that the HP-UX AAA Server is trying to connect to cannot be resolved.
Solution: Specify the correct server and port in the MySQL server odbc.ini file. For more information on using the SQL Access feature with MySQL, see Chapter 22 (page 338).
Problem: Unable to connect to the MySQL database server
Log Message: Connecting DB '<database>' with data source '<datasource>', user '<user name>' SQL_ERROR(HYT00 2003): [unixODBC][MySQL][ODBC 3.51 Driver] Can't connect to MySQL server on 'example' (239) SQL_ERROR(08003 0): [unixODBC][Driver Manager]Connnection does not exist ERROR: AAA_SQLAllocHandle(SQL_HANDLE_STMT) failed! Failed to open database connections for db_odbc db id
Cause: No instance of the MySQL server is found on the server specified in the odbc.ini file.
Solution: Verify that an instance of the MySQL database server is running on the server specified in the odbc.ini file. You can also check if the correct port is listed in the odbc.ini file. For more information on using the SQL Access feature with MySQL, see Chapter 22 (page 338).
Problem: Unable to connect to the DHCP server
Log Message: Authentication: 205/0 '<user name>' via <hostname/IP address> from <hostname/IP address> port <port no> Outbound (8 retries) - FAILED DHCP server not responding -- total 24, holding 0
Cause: The DHCP server is busy or unavailable.
Solution: Verify that the DHCP server is running and can service IP address requests.
Or, specify an alternate DHCP server.
Problem: Two-factor authentication using MS-CHAP v2 fails when the encrypted user password is stored in LDAP and the token information is stored in the SQL database.
Log Message: mschap2Authenticate: user ‘<user name>’ has unknown hash ‘crypt’
Or, mschap2Authenticate: user ‘<user name>’ has unknown hash ‘sha’ or Mschap2Authenticate: user ‘<user name>’ has unknown hash ‘SHA’
Or, mschap2Authenticate: user ‘<user name>’ has unknown hash ‘ssha’ or Mschap2Authenticate: user ‘<user name>’ has unknown hash ‘SSHA’
Or, mschap2Authenticate: user ‘<user name>’ has unknown hash ‘md5’
Cause: Two-factor authentication using MS-CHAP v2 supports only a clear text user password stored in LDAP.
Solution: If the user's encrypted password is stored in the SQL database, an SQL Access conversion function is required to convert the encrypted password to a clear text user password. MS-CHAP v2 supports only a clear text user password stored in LDAP.
Problem: Request dropped for around 18 seconds.
Log Message: iaaa.SNMP: AgentX master agent failed to respond to ping. Attempting to re-register.
Cause: This problem may occur if the SNMP master agent is not responding.
Solution: Ensure that the SNMP master agent is running and is responding. For more information on SNMP properties, see “The iaaa.SNMP Property” (page 521).
Identifying Unrecorded External Datastore Failures
If your AAA environment uses one or more external datastores, a failure in a datastore can cause the HP-UX AAA Server to be unresponsive, but not record an error to the logfile. To determine if an unrecorded external datastore failure is causing the problem, complete the following steps:
1. Examine the Access-Request for the User-Name attribute value to determine the realm.
2. Select the realm from the Local Realms screen of the Server Manager.
3. Check the User Profile Storage selection in the Modify Realms screen. This determines the datastore used for the user profile. If an external datastore (for example, SQL Access) is selected, check the datastore access parameters specified for the datastore. If Database via SQL Access is selected, the database access parameters are specified in the DBID structure of the /etc/opt/aaa/sqlaccess.config file.
4. Ensure that the external datastore is responsive.
Identifying Proxy Server Failures
If your AAA environment uses proxy HP-UX AAA Servers, a failure in one or more proxies can cause the HP-UX AAA Server to be unresponsive, but not record an error to the logfile. If proxy HP-UX AAA Servers are used, verify the proxy configuration for each proxy, starting with the proxy server closest to the RADIUS client/supplicant. For each proxy server, use the Add/Modify Proxy screen of the Server Manager and verify the following:
• Shared Secret: The shared secret on the proxy server must match that of the remote server to which the requests are forwarded.
• Realms to Forward: Ensure that the appropriate realms are selected.
• Authentication Relay Port: Ensure that the correct UDP port that is used to relay authentication requests (configured in /etc/services) is specified. The default authentication relay port is 1812.
• Accounting Relay Port: Ensure that the correct UDP port that is used to relay accounting requests (configured in /etc/services) is specified. The default accounting relay port is 1813.
For more information on proxy server configuration, see Configuring Proxies on page 119. If a proxy server is offline or does not forward the requests, see “Troubleshooting Flowchart” (page 469) to troubleshoot it.
Identifying Unrecorded DHCP Failures
Unrecorded DHCP failures can occur because of a shortage of addresses in the configured address pool, or if the DHCP server sends a malformed packet to the HP-UX AAA Server.
To determine if an unrecorded DHCP failure caused the problem, complete the following steps:
1. Access the datastore used for user profile storage as described in “Identifying Unrecorded External Datastore Failures” (page 493).
2. If the DHCP address pool is configured, ensure that there are sufficient addresses in the pool.
3. Ensure that the DHCP server is sending valid packets to the HP-UX AAA Server.
Troubleshooting Access-Rejects from the HP-UX AAA Server
The HP-UX AAA Server sends an Access-Reject message to the RADIUS client if authentication fails. Authentication failures occur because of incorrect configuration on the HP-UX AAA Server or the RADIUS client, or due to incorrect credentials passed to the HP-UX AAA Server. Use the following sections to troubleshoot problems related to authentication failures.
• “Common Authentication Failure Problems” (page 494): This section lists the common problems related to authentication failures and the necessary corrective actions.
• “EAP Problems” (page 502): This section lists EAP implementation-specific problems related to authentication failures.
Common Authentication Failure Problems
Compare the error messages recorded in the logfile to those in Table 30-5 and perform the corresponding corrective actions.
Table 30-5 Common Authentication Failure Problems
Problem: Unable to authenticate
Log Message: Authentication failed. Unsuccessful password comparison for user '<user name>' in realm '<realm name>'. Verify password in request and user profile. Verify shared secret match between client '<client>' and client configuration in '/etc/opt/aaa/clients' or Access Devices screen in Server Manager
Cause: This error occurs because of any of the following reasons:
• The shared secret configured for the RADIUS client and the HP-UX AAA Server do not match.
• The password provided by the user does not match the password configured in the user profile datastore.
Solution:
1. Ensure that the shared secret configured on the RADIUS client matches the one specified in the Access Devices screen of the Server Manager.
2. Ensure that the password supplied by the user is correct.
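The following script is an added example (not HP's code) that classifies logfile lines in the Table 30-5 formats and separates the two causes the table gives for a failed password comparison: it flags a client when several distinct users fail from it, on the assumption, made here and not stated in the guide, that a wrong shared secret breaks every request from that client while a wrong password affects one user. All sample log lines are constructed.

```python
"""Triage of HP-UX AAA Server authentication-failure log lines.

Added example, not HP code. The patterns follow the message formats
quoted in Table 30-5. Flagging a client when several distinct users fail
the password comparison is an assumption made here (a wrong shared
secret corrupts the User-Password of every request from that client).
"""
import re
from collections import defaultdict

# Message formats as quoted in Table 30-5, placeholders made capture groups.
RULES = [
    ("password_mismatch", re.compile(
        r"Unsuccessful password comparison for user '(?P<user>[^']*)' "
        r"in realm '(?P<realm>[^']*)'.*between client '(?P<client>[^']*)'")),
    ("session_limit", re.compile(
        r"session_allowed: Access rejected\. Active sessions for user is at "
        r"maximum configured \(Simultaneous-Use\) limit '(?P<limit>[^']*)'")),
    ("unknown_realm", re.compile(
        r"aaa_realm: Request denied\. Unknown realm '(?P<realm>[^']*)' "
        r"for user '(?P<user>[^']*)'")),
    ("no_profile", re.compile(
        r"parse_password: Authentication failed\. Incomplete or no profile "
        r"found for user '(?P<user>[^']*)' in realm '(?P<realm>[^']*)'")),
    ("bad_hash", re.compile(
        r"compare_password_hash: Hash mechanism '(?P<hash>[^']*)' is not "
        r"supported")),
]

# Corrective action per category, condensed from the table's Solution cells.
ACTIONS = {
    "password_mismatch": "check the user's password; if many users fail from "
        "one client, compare its shared secret with /etc/opt/aaa/clients",
    "session_limit": "end or delete the active session, or raise the limit",
    "unknown_realm": "fix the client's target server or add the realm",
    "no_profile": "add the user profile to the realm's datastore",
    "bad_hash": "select a supported hash mechanism in the Users screen",
}


def classify(line):
    """Return (category, fields) for a recognised message, else None."""
    for category, pattern in RULES:
        match = pattern.search(line)
        if match:
            return category, match.groupdict()
    return None


def triage(lines, secret_threshold=3):
    """Count lines per category and list clients where at least
    secret_threshold distinct users failed the password comparison."""
    counts = defaultdict(int)
    users_by_client = defaultdict(set)
    for line in lines:
        hit = classify(line)
        if hit is None:
            counts["unrecognised"] += 1
            continue
        category, fields = hit
        counts[category] += 1
        if category == "password_mismatch":
            users_by_client[fields["client"]].add(fields["user"])
    suspects = sorted(client for client, users in users_by_client.items()
                      if len(users) >= secret_threshold)
    return {"counts": dict(counts), "suspect_clients": suspects}


def _password_line(user, client):
    """Build a constructed sample line in the Table 30-5 format."""
    return (f"Authentication failed. Unsuccessful password comparison for "
            f"user '{user}' in realm 'example.com'. Verify password in "
            f"request and user profile. Verify shared secret match between "
            f"client '{client}' and client configuration in "
            f"'/etc/opt/aaa/clients' or Access Devices screen in Server Manager")


# Constructed sample log lines (not captured from a real server).
SAMPLE_LOG = [
    _password_line("alice", "nas1"),
    _password_line("bob", "nas1"),
    _password_line("carol", "nas1"),
    _password_line("dave", "nas2"),
    "session_allowed: Access rejected. Active sessions for user is at "
    "maximum configured (Simultaneous-Use) limit '2'",
    "aaa_realm: Request denied. Unknown realm 'corp.example' for user "
    "'erin'. Verify realm configuration through Server Manager or in files "
    "'/etc/opt/aaa/authfile' for the realm and '/etc/opt/aaa/EAP.authfile' "
    "for the realm or default realm entry",
    "parse_password: Authentication failed. Incomplete or no profile found "
    "for user 'frank' in realm 'example.com'. Verify that a complete user "
    "profile exists for the user",
    "compare_password_hash: Hash mechanism 'md4' is not supported",
    "Authentication: 205/0 'gina' via 10.0.0.1 from 10.0.0.1 port 3 "
    "Outbound (8 retries) - FAILED DHCP server not responding -- total 24, "
    "holding 0",
]

if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for category, count in sorted(report["counts"].items()):
        print(f"{count:3d}  {category}: {ACTIONS.get(category, 'inspect')}")
    for client in report["suspect_clients"]:
        print(f"suspect shared-secret mismatch on client {client}")
```

Run it against /var/opt/aaa/logs output by replacing SAMPLE_LOG with the file's lines; the DHCP line in the sample is counted as unrecognised because it belongs to Table 30-4, not to these rules.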
Problem: Unable to authenticate
Log Message: session_allowed: Access rejected. Active sessions for user is at maximum configured (Simultaneous-Use) limit '<limit>'
Cause: The HP-UX AAA Server received an Access-Request from a user whose number of active sessions equals the configured simultaneous session limit.
Or, the NAS went offline abruptly and resulted in a stale session in the HP-UX AAA Server for the affected user.
Solution: Advise the user to terminate the existing session before attempting to start a new one.
If the user does not have an active open session, use the Session screen of the Server Manager to delete the stale session. For more information, see Chapter 14 (page 169).
Or, increase the simultaneous session limit for the user. For more information on configuring simultaneous sessions, see “Limiting Simultaneous Sessions” (page 172).
Problem: Unable to authenticate
Log Message: aaa_realm: Request denied. Unknown realm '<realm name>' for user '<user name>'. Verify realm configuration through Server Manager or in files '<authfile>' for the realm and '<EAP.authfile>' for the realm or default realm entry
Cause: The HP-UX AAA Server is not configured to service requests from the realm.
Solution:
1. Ensure that the client is configured to send requests to the correct HP-UX AAA Server.
2. If the client configuration is correct, configure the realm in the HP-UX AAA Server as described in Chapter 8 (page 105).
Problem: Unable to authenticate
Log Message: parse_password: Authentication failed. Incomplete or no profile found for user '<user name>' in realm '<realm name>'. Verify that a complete user profile exists for the user
Cause: The request contains an incorrect user name.
Or, the user is not a part of the realm.
Solution:
1. Verify that the user belongs to the realm.
2. If the user belongs to the realm, configure the user profile in the data store for the realm. If the datastore is the local file, use the Users screen in the Server Manager to configure the user. For more information on configuring local users, see Chapter 10 (page 127).
3. Verify that the correct realm and Otp-ActionId are configured in the request-ingress.grp file.
If you have modified the configuration, save the configuration and restart the HP-UX AAA Server.
Problem: Unable to authenticate
Log Message: compare_password_hash: Hash mechanism '<incorrect>' is not supported
Cause: An invalid password hash mechanism is specified manually for the user in the user profile.
Solution:
1. Navigate to the Users screen of the Server Manager and select the user.
2. Select a password hash mechanism.
If you have modified the configuration, save the configuration and restart the HP-UX AAA Server.
Problem: Unable to authenticate
Log Message: check_request: Access denied. Request does not match check item '<check item attribute>' for user '<user name>' in realm '<realm name>'. Expected: '<IP address>', received: '<IP address>'
Or, check_request: Access denied. Request matched deny item '<deny item attribute>' for user '<user name>' in realm '<realm name>'
Cause: The attribute value sent by the client does not match the CHECK item value configured for the user profile.
Or, the attribute value sent by the client matches the DENY value configured for the user profile.
Solution:
1. Verify the attributes sent by the client to the HP-UX AAA Server.
2. If the client sent correct attributes, verify the CHECK and DENY items configured for the user in the user profile datastore.
If the datastore is the local file, use the Users screen in the Server Manager to configure the user. For more information on configuring local users, see Chapter 10 (page 127). If you have modified the configuration, save the configuration and restart the HP-UX AAA Server.
Problem: Unable to authenticate
Log Message: dhcpRelayAatv_ActionFunction: Request failed. DHCP Relay is disabled. Verify DHCP Server-Name/ IP-Address at DHCP server properties in the Server Manager at Server Properties > DHCP Relay Properties or in /etc/opt/aaa/aaa.config
Authentication: 24/0 '<user name>' via <host name/IP address> from <host name/IP address> port <port no> Outbound - FAILED Problem allocating IP address -- total 0, holding 0
Cause: The DHCP configuration in the /etc/opt/aaa/aaa.config file is incorrect.
Solution: Manually edit the /etc/opt/aaa/aaa.config file and modify the value <value> or keyword <keyword>.
Or:
1. Navigate to the DHCP Relay screen through the Server Properties screen of the Server Manager.
2. Ensure that you specify a correct entry for the DHCP server and port.
3. If you have modified the configuration, save the configuration to the HP-UX AAA Server and restart it.
Problem: Unable to authenticate
Log Message: dhcpRelayAatv_InitFunction: ERROR attribute not in '<attribute>' dictionary dhcpRelayAatv_InitFunction: DHCP Relay disabled: No DHCP server configured. check dictionary
Cause: An attribute used for DHCP configuration in /etc/opt/aaa/aaa.config was not found in the dictionary file.
Solution: Manually edit the /etc/opt/aaa/dictionary file and add the attribute <attribute>.
Problem: Unable to authenticate
Log Message: Sequence counter resynchronization failed for user <user name> in realm <realm name> after <number> unsuccessful OTP validations. The last sequence counter attempted is <number>.
Cause: The HP-UX AAA Server is not able to resynchronize the sequence counter as the OTP in the request is incorrect. This can happen because of one of the following reasons:
• The OTP is out of synchronization beyond the value configured in OTP-Lookup-Window.
• The length of the OTP does not match the configured value.
• The OTP is incorrect (wrongly entered by the user).
• The shared secret to be used to generate the OTP may not be in the binary format.
Resolution: Validate the OTP using the User Database Administration tool. You can also check if the OTP-Token-Length for the user is correct. In addition, you can check if the user has correctly entered the OTP. Verify that you have used the AAAConvertandSetHexToBinaryString() conversion function or your own conversion function to convert the shared secret to binary.
Problem: Unable to authenticate
Log Message: Configured OTP token length for user <user name> in realm <realm name> is less than 6. The valid OTP token length is either 6, 7 or 8. Verify that the configured token length is valid
Or, Configured OTP token length for user <user name> in realm <realm name> is greater than 8. The valid OTP token length is either 6, 7 or 8. Verify that the configured token length is valid
Cause: The OTP is wrongly configured in the OTP-Token-Length attribute or in the otp_token_length system-wide configuration item.
Resolution: Check the value of the OTP-Token-Length attribute in the user profile, in the request-ingress.grp file, or in the aaa.config file. For more information, see “Attributes for Configuring OTP Authentication” (page 192).
Problem: Unable to authenticate
Log Message: Invalid OTP Action Id. The OTP Action Id set through the bit mask for user <user name> in realm <realm name> is zero. The valid OTP Action Id value is range from 1 to 127. Configure the valid OTP Action Id.
Or, Invalid OTP Action Id. The OTP Action Id set through the bit mask for user <user name> in realm <realm name> is negative. The valid OTP Action Id value is range from 1 to 127. Configure the valid OTP Action Id.
Or, Invalid OTP Action Id. The OTP Action Id set through the bit mask for user <user name> in realm <realm name> is greater than the maximum OTP Action Id value 127. The valid OTP Action Id value is range from 1 to 127. Configure the valid OTP Action Id.
Cause: An invalid OTP action is configured in the request-ingress.grp file.
Resolution: Check the configuration in the request-ingress.grp file. The value for the OTP Action must be between 1 and 127. For more information on OTP authentication configuration, see “Advanced OTP Authentication Configuration Concepts” (page 187).
Problem: Unable to authenticate
Log Message: The token for user <user name> in realm <realm name> is not active. HP-UX AAA Server validates the OTP only for active tokens. Verify the token status in the token repository.
Or, The token with serial number <serialnumber> for user <user name> in realm <realm name> is not active. The current token status is <tokenstatus>. HP-UX AAA Server validates the OTP only for active tokens. Verify the token status in the token repository.
Cause: The token status of the user is in a state other than ACTIVE. OTP authentication can happen only if the user's token status is ACTIVE.
Resolution: Use the Manage Users screen in the User Database Administration Manager to change the user's token status to ACTIVE. For more information on this procedure, see “Modifying User Credentials” (page 377). For more information on token statuses, see “Valid Token Status Values” (page 383).
Problem: Unable to authenticate
Log Message: Shared secret for user <user name> in realm <realm name> is <number> bytes. The shared secret must not be less than 16 bytes. Verify the length of the shared secret in the token repository.
Cause: The length of the shared secret is too short.
Resolution: Verify that you have entered a shared secret that is more than 16 bytes.
Problem: Unable to authenticate
Log Message: Shared secret not found for user <user name> in realm <realm name>. The shared secret is required to generate and validate the OTP. Verify that the shared secret is configured in the token repository.
Cause: The shared secret is not configured in the token repository.
Resolution: Check that the shared secret is configured in the tokens table in the SQL database for that user. In addition, verify that the correct realm name is configured in the /etc/opt/aaa/authfile and /etc/opt/aaa/request-ingress.grp files.
Problem: Sequence counter not found for user
Log Message: Sequence counter resynchronization failed for user <user name> in realm <realm name>. The sequence counter is required to generate and validate the OTP. Verify that the sequence counter is configured in the token repository
Cause: The sequence counter is not configured in the token repository.
Resolution: Check that the sequence counter is configured in the tokens table in the SQL database for that user. In addition, verify that the correct realm name is configured in the /etc/opt/aaa/authfile and /etc/opt/aaa/request-ingress.grp files.
Problem: Unable to authenticate
Log Message: Invalid hexadecimal string for the user <user name> in realm <realm name>. The configured hexadecimal string <string> length <stringlength> is less than the minimum value. The hexadecimal string length must not be less than 16 bytes.
Cause: The hexadecimal shared secret in the SQL database is less than 16 bytes.
Resolution: Check that the hexadecimal shared secret in the SQL database is more than 16 bytes.
Problem: Unable to authenticate
Log Message: Configured hexadecimal string for user <user name> of realm <realm name> has one or more non-hexadecimal characters. Verify the configured hexadecimal string in the token repository.
Cause: The configured hexadecimal shared secret has non-hexadecimal characters.
Resolution: Hexadecimal characters range from 0–9 and a–f. Check that the hexadecimal shared secret does not contain any other characters.
Problem: Unable to authenticate
Log Message: Invalid hexadecimal string. Configured hexadecimal string for user <user name> of realm <realm name> is NULL. Verify the configured hexadecimal string in the token repository.
Cause: The shared secret is not configured.
Resolution: Check the tokens table in the SQL database to confirm that the shared secret is configured for that user.
Problem: Unable to authenticate
Log Message: Incoming OTP length for user <user name> in realm <realm name> is less than the minimum OTP token length <number>. The incoming OTP length must be <number>.
Cause: The password entered by the user is shorter than the configured OTP length.
Resolution: Verify that the user has sent the correct OTP value.
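The OTP rows above (sequence counter resynchronization, token length, OTP Action Id, shared secret length and hexadecimal form, token status, and incoming OTP length) describe the checks the server applies to a token record before and during OTP validation. The script below is an added example, not HP's code, that applies those same limits to a token record and then validates an OTP with a forward lookup window. Two assumptions the guide does not state: the token is an RFC 4226 HOTP token (counter-based, 6 to 8 digits, as the rows describe), and the 16-byte minimum is checked on the decoded secret; the hex_secret_to_bytes() function stands in for the AAAConvertandSetHexToBinaryString() step and the sample record is constructed from the RFC 4226 test secret.

```python
"""OTP token-record checks and OTP validation with a lookup window.

Added example, not HP code. Limits follow Table 30-5: hex secret of
0-9/a-f, token length 6..8, OTP Action Id 1..127, ACTIVE status, a
configured sequence counter, incoming OTP length equal to the token
length. Assumed, not stated by the guide: RFC 4226 HOTP tokens, and the
16-byte minimum applied to the decoded secret.
"""
import hashlib
import hmac
import re
from dataclasses import dataclass
from typing import List, Optional

HEX_RE = re.compile(r"^[0-9a-f]+$")   # the guide lists 0-9 and a-f only
VALID_TOKEN_LENGTHS = (6, 7, 8)
MIN_SECRET_BYTES = 16


@dataclass
class TokenRecord:
    """One row of the tokens table, with the fields the guide names."""
    user: str
    realm: str
    hex_secret: Optional[str]       # shared secret stored as a hex string
    sequence_counter: Optional[int]
    token_length: int               # OTP-Token-Length
    status: str                     # must be ACTIVE for validation
    otp_action_id: int              # value set through the bit mask


def hex_secret_to_bytes(hex_secret: Optional[str]) -> bytes:
    """Stand-in for AAAConvertandSetHexToBinaryString(); the ValueError
    messages are modelled on the corresponding log messages."""
    if not hex_secret:
        raise ValueError("configured hexadecimal string is NULL")
    if not HEX_RE.match(hex_secret):
        raise ValueError("hexadecimal string has non-hexadecimal characters")
    if len(hex_secret) % 2:
        raise ValueError("hexadecimal string has an odd number of digits")
    secret = bytes.fromhex(hex_secret)
    if len(secret) < MIN_SECRET_BYTES:
        raise ValueError(f"shared secret is {len(secret)} bytes; must not "
                         f"be less than {MIN_SECRET_BYTES} bytes")
    return secret


def check_token_record(rec: TokenRecord) -> List[str]:
    """Return the findings the server would log for this record; an empty
    list means the record can be used for OTP validation."""
    findings = []
    try:
        hex_secret_to_bytes(rec.hex_secret)
    except ValueError as err:
        findings.append(str(err))
    if rec.token_length not in VALID_TOKEN_LENGTHS:
        findings.append(f"token length {rec.token_length} is not 6, 7 or 8")
    if not 1 <= rec.otp_action_id <= 127:
        findings.append(f"OTP Action Id {rec.otp_action_id} is outside 1..127")
    if rec.status != "ACTIVE":
        findings.append(f"token status is {rec.status}, not ACTIVE")
    if rec.sequence_counter is None:
        findings.append("sequence counter not found in the token repository")
    return findings


def hotp(secret: bytes, counter: int, digits: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA-1 over the 8-byte counter, dynamic truncation."""
    digest = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def validate_otp(rec: TokenRecord, incoming_otp: str,
                 lookup_window: int = 5) -> Optional[int]:
    """Return the next sequence counter to store on success, else None.
    The counter is searched forward up to lookup_window steps (the
    resynchronisation that OTP-Lookup-Window bounds); an OTP further
    ahead fails like the 'resynchronization failed' row."""
    if check_token_record(rec):
        return None
    if len(incoming_otp) != rec.token_length:   # length check comes first
        return None
    secret = hex_secret_to_bytes(rec.hex_secret)
    for step in range(lookup_window + 1):
        candidate = rec.sequence_counter + step
        if hmac.compare_digest(hotp(secret, candidate, rec.token_length),
                               incoming_otp):
            return candidate + 1
    return None


# Constructed record: the RFC 4226 Appendix D test secret
# "12345678901234567890" (20 bytes) written as a hex string.
SAMPLE_RECORD = TokenRecord(
    user="alice", realm="example.com",
    hex_secret="3132333435363738393031323334353637383930",
    sequence_counter=0, token_length=6, status="ACTIVE", otp_action_id=7)
```

With SAMPLE_RECORD, the RFC 4226 vectors apply: "755224" is counter 0 and "969429" is counter 3, so the second is accepted only because it lies within the default lookup window, while "162583" (counter 7) is rejected until the window is widened.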
EAP Problems
Compare the error messages recorded in the logfile to those in Table 30-6 and perform the corresponding corrective actions.
Table 30-6 EAP Problems
Problem: Invalid EAP type specified
Log Message: Invalid EAP type '<invalid>' specified for the user '<user name>' for realm '<realm name>'. Verify the EAP type configured for the realm 'example.com' in the appropriate authfile in '/etc/opt/aaa'. Or, verify the EAP configuration in the Local Realms screen in Server Manager.
Cause: The EAP type specified in the request does not match the EAP type configured for the realm.
Solution: Configure the supplicant to use the EAP type specified for the affected realm. You can access the realm configuration using the Local Realm screen in the Server Manager administration utility. See Chapter 8, Configuring Realms on page 97 for more information.
Problem: Unable to authenticate
Log Message: ProcessHandshake TLS: AAA Server generated TLS alert: 'unknown_ca'. The certificate was not accepted. The CA certificate could not be located or matched with a known trusted CA.
Cause: The CA certificate for the client’s certificate is not found in the HP-UX AAA Server.
Solution: Configure the client to use a certificate whose CA is specified on the HP-UX AAA Server.
Or:
1. Navigate to the Certificates screen under Server Properties in the Server Manager administration utility.
2. Specify a fully qualified filename in the .pem format in the Client Certificate Authority Path field. This file must contain one or more CA certificates used to authenticate client certificates. If the path exists, ensure that it contains the client’s CA certificate.
Save the configuration to the HP-UX AAA Server and restart it.
Problem: Unable to authenticate
Log Message: ProcessHandshake TLS: AAA Server generated TLS alert: 'certificate_expired'. Verify the validity of the user and CA certificates.
Cause: The client or supplicant certificate has expired.
Solution: Advise the user to acquire a new certificate from the administrator or ISP, and retry authentication.
Problem: Unable to authenticate
Log Message: ProcessHandshake TLS: AAA Server generated TLS alert: 'certificate_revoked'. The certificates used for validation have been revoked by the CA
Cause: The client or supplicant certificate has been revoked.
Solution: Advise the user to acquire a new certificate from the administrator or ISP, and retry authentication.
Problem: Unable to authenticate
Log Message: VerifyIdentity: Field <Field> in the user certificate did not match the User-Id '<user-Id>' in the request.
Cause: The User Name configured in the certificate does not match the User Name specified in the request.
Solution: Verify the Client User Name Attribute configured in the Certificates screen under Server Properties in the Server Manager. This value identifies the attribute in the digital certificate used to retrieve the user name. The user name in the user certificate attribute value must match a valid EAP-TLS user profile. For example, if the Client User Name Attribute is configured as Subject EmailAddress and the corresponding attribute value in the certificate is test@example.com, then example.com must be a valid EAP-TLS realm with test as a valid user. If you have modified the configuration, save the configuration to the HP-UX AAA Server and restart it.
Problem: Unable to authenticate
Log Message: <EAP type> <field> missing or invalid. Verify <entry> in Server Properties > Certificate Properties in the Server Manager and that the file contains a valid <entry>
Cause: The Certificate Properties configured on the HP-UX AAA Server are invalid.
Solution: Navigate to the Certificates screen under Server Properties of the Server Manager. Specify a fully qualified filename for each of the following:
• Server Certificate Path
• Server Private Key Path
• Client Certificate Authority Path
• Random Seed Path
For more information, see Chapter 13, Securing LAN Access with EAP on page 181. If you have modified the configuration, save the configuration to the HP-UX AAA Server and restart it.
Problem: EAP-SIM functionality is disabled
Log Message: EAP-SIM : FSM does not define all of these events: 'SIM_AUTH_BY_PERMANENT_ID', 'SIM_AUTH_BY_PSEUDONYM', 'SIM_AUTH_BY_FAST_REAUTH_ID' 'SIM_UPDATE'. Disabling EAP-SIM.
Cause: If the radius.fsm file is modified prior to upgrading to HP-UX AAA Server A.08.01 from an older version, the FSM does not upgrade.
Resolution: You must merge the changes present in the legacy FSM with the radius.fsm file available in the HP-UX AAA Server A.08.01 release. For more information, see Chapter 2 “Upgrading to Version A.08.01”.
Problem: EAP-AKA functionality disabled
Log Message: EAP-AKA : FSM does not define all of these events: 'AKA_AUTH_BY_PERMANENT_ID', 'AKA_AUTH_BY_PSEUDONYM', 'AKA_AUTH_BY_FAST_REAUTH_ID', 'AKA_UPDATE' 'AKA_RESYNCHRONIZATION'. Disabling EAP-AKA.
Cause: If the radius.fsm file is modified prior to upgrading to HP-UX AAA Server A.08.01 from an older version, the FSM does not upgrade.
Resolution: You must merge the changes present in the legacy FSM with the radius.fsm file available in the HP-UX AAA Server A.08.01 release. For more information, see Chapter 2 “Upgrading to Version A.08.01”.
Problem: Unable to authenticate
Log Message: SIM-TripletCalc: Required attributes missing or malformed
Cause: Either the Subscriber-Key, A3-Algorithm, or A8-Algorithm attribute is not configured, or does not meet the required specifications.
Resolution: Verify the Subscriber-Key configured for the user in the user profile and the A3_Algorithm and A8_Algorithm configured for the realm in the EAP.authfile file. For information on how to configure these, see Chapter 17 “Configuring EAP-SIM and EAP-AKA Authentication Methods”.
Problem: Unable to authenticate
Log Message: AKA-VectorCalc: Required attributes missing or malformed
Cause: Either the Subscriber-Key, AKA-Sequence-Number, AKA-Mode, or AKA-Algorithm attribute is not configured, or does not meet the required specifications.
Resolution: Verify the Subscriber-Key, AKA-Sequence-Number, and AKA-Mode configured for the user in the user profile and the AKA_Algorithm configured for the realm in the EAP.authfile file. For information on how to configure these, see Chapter 17 “Configuring EAP-SIM and EAP-AKA Authentication Methods”.
Troubleshooting Provisioning Errors
The supplicant will not be able to connect to the network service unless the HP-UX AAA Server sends the provisioning attributes (such as session key, tunneling, and filter attributes) expected by the RADIUS client. This occurs even if the HP-UX AAA Server sends an Access-Accept to the RADIUS client. To troubleshoot provisioning errors, perform the following steps:
1. Check the provisioning attributes expected by the RADIUS client from the HP-UX AAA Server (along with the Access-Accept message).
2. Verify the Reply items configured for the user in the user profile store.
3. Turn debugging on and set the debug output level to 2. For more information on using debugging, see “The raddbginc Utility: For Setting Debug Output Levels” (page 510). Examine the /var/opt/aaa/logs/radius.debug file for attributes sent in the Access-Accept message. Ensure that the client is configured to expect the reply items sent by the HP-UX AAA Server.
4. If you have modified the user profile through the Server Manager, save the changes to the HP-UX AAA Server.
Troubleshooting the HP-UX AAA Server Admin Utility
This section describes how to troubleshoot the HP-UX AAA Server Admin Tool.
Table 30-7
Problem: HP-UX AAA Server Admin tool /opt/aaa/bin/rad_admin.sh fails to administer HP-UX AAA Servers configured on the host with any one of the following errors: “File /opt/aaa/remotecontrol/gui.properties is not found” (OR) “File /opt/aaa/remotecontrol/groups.config is not found”.
Cause: Groups and Servers are not configured using the HP-UX AAA Server Manager.
Solution: Configure the required Groups and Servers using HP-UX AAA Server Manager as follows:
1. Start the Tomcat and HP-UX AAA Server Manager.
2. Add the required Groups and Servers.
3. Click ‘Server Connections’ in the left panel. Select the group to which the servers that need to be run belong from the ‘Select a group for administration’ menu.
4. Click ‘Save Configuration’ in the left panel.
5. Select the servers which you would like to administer using the HP-UX AAA Server Admin Tool.
6. Click the ‘Save’ button.
For more information, see “Administering HP-UX AAA Servers Using HP-UX AAA Server Manager”.
Cause: Server Attributes are not saved on the host where the Servers are configured to run.
Solution: Save the Server Attributes using HP-UX AAA Server Manager as follows:
1. Start the Tomcat and HP-UX AAA Server Manager.
2. Click ‘Server Connections’ in the left panel. Select the group to which the servers that need to be run belong from the ‘Select a group for administration’ menu.
3. Click ‘Save Configuration’ in the left panel.
4. Select the servers which you would like to administer using the HP-UX AAA Server Admin Tool.
5. Select the ‘Server Attributes Only’ option.
6. Click the ‘Save’ button.
Problem: HP-UX AAA Server Admin tool /opt/aaa/bin/rad_admin.sh fails to administer HP-UX AAA Server configured on the host with the following error: “Error while loading groups.config file”.
Cause: Error while loading groups configuration file.
Solution: Modify and Save Server Attributes using HP-UX AAA Server Manager as follows:
1. Start the Tomcat and HP-UX AAA Server Manager.
2. Verify that the RMI object is running. If not, start the RMI object.
3. Modify the configured Server Attributes which are failing to start using HP-UX AAA Server Manager. For more information, see “Administering HP-UX AAA Servers Using HP-UX AAA Server Manager”.
4. Save the Server Attributes using the HP-UX AAA Server as follows:
   a. Click ‘Server Connections’ in the left panel. Select the group to which the servers that need to be run belong from the ‘Select a group for administration’ menu.
   b. Click ‘Save Configuration’ in the left panel.
   c. Select the servers which you would like to administer using the HP-UX AAA Server Admin Tool.
   d. Select the ‘Server Attributes Only’ option.
   e. Click the ‘Save’ button.
31 Troubleshooting Resources

The HP-UX AAA Server includes a set of utility programs that can:
• check the status of the HP-UX AAA Server
• emulate a RADIUS client
• turn debugging on and off
• set and modify the debug level

Additionally, the RADIUS client and EAP supplicant vendors typically provide troubleshooting capabilities for their components. Protocol analyzers can also be used if more detailed troubleshooting is required.

This chapter addresses the following topics:
• “HP-UX AAA Server Troubleshooting Utilities” (page 509)
• “The HP-UX AAA Server Logfile and Debug File” (page 511)
NOTE: You can also troubleshoot the HP-UX AAA Server from the Server Manager administration utility. For more information on troubleshooting resources available in the Server Manager, see Chapter 13, Logging and Monitoring on page 161.
HP-UX AAA Server Troubleshooting Utilities

The following utilities enable you to troubleshoot the HP-UX AAA Server from the HP-UX command line:
• The radcheck utility - Checks if the AAA Server is active and displays usage statistics.
• The radpwtst utility - Simulates a RADIUS client that sends a user specified request message to the HP-UX AAA Server and checks the response from the HP-UX AAA Server.
• The raddbginc utility - Turns debugging on and off, and sets the debug logging level. It is a wrapper for the radsignal utility.
• The radsignal utility - Turns debugging on and off, sets the debug logging level, and rolls over the debug and session accounting output to new files.

This section describes these troubleshooting utilities.
The radcheck Utility: For Checking the Server Status

The radcheck utility sends a RADIUS protocol status request to the HP-UX AAA Server and displays the contents of the status reply. The radcheck utility can be invoked from any host and by any user. However, the HP-UX AAA Server returns more information to hosts that are registered in the /etc/opt/aaa/clients file.

Following is the syntax for the radcheck command:
radcheck [-p port] [-t timeout] [-r retries] [-x] [-x] [-x] [-x] [-v] Server

If radcheck is successful, a message similar to the following is displayed on standard output:
Server Name (UDP-port) is responding

For more information on the radcheck utility, see radcheck (1M).
The radpwtst Utility: For Testing Authentication

The radpwtst utility simulates a RADIUS client that sends and receives RADIUS messages to and from the HP-UX AAA Server. The radpwtst utility forwards the user specified A-V pairs and other information to the HP-UX AAA Server. The HP-UX AAA Server processes the received request and returns an ACCEPT or REJECT reply.

Following is the syntax for the radpwtst command:
radpwtst -s server [-a acks] [-c code] [-f fileprefix] [-g group] [-h] [-i clientaddress] [-l asyncport] [-n] [-p port] [-r retries] [-t timeout] [-u type] [-v version] [-w password] [-x|X] [[-:attribute=value]...] [-0] userid[@realm]

If radpwtst is successful, the following message is displayed:
authentication OK

If radpwtst fails, the following message is displayed:
'<userid@realm>' authentication failed: <reason>

Following is the syntax for the radpwtst command in Dynamic Authorization Server mode:
radpwtst -S [-c code] [-F authorizeonly authport] [-F require_etimestamp interval] [-F send_mesgauth] [-p port] [-x] [[-:attribute=value] ...] [-0]

For more information on the radpwtst utility, see radpwtst (1M).
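What a RADIUS client such as radpwtst does on the wire, shown as an added Python example that is not part of this guide or of the HP-UX AAA Server software: the client builds an Access-Request as specified in RFC 2865 (a random Request Authenticator, and the User-Password hidden with the MD5 keystream derived from the shared secret), a stand-in server function recovers the password, decides, and signs an Access-Accept or Access-Reject, and the client verifies the Response Authenticator and Identifier before reporting a result. The user name, password, shared secret, NAS address and the "authentication OK"/"authentication failed" strings are this example's own constructed values; radpwtst's options are not reproduced, and nothing is sent over the network.

```python
import hashlib
import hmac
import secrets
import socket
import struct

# RADIUS packet codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def encode_attr(attr_type, value):
    """Type-Length-Value encoding; Length counts the two header octets too."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attrs(data):
    """Return (type, value) pairs in wire order, rejecting truncated attributes."""
    attrs, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data) or data[pos + 1] < 2 or pos + data[pos + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % pos)
        attr_type, length = data[pos], data[pos + 1]
        attrs.append((attr_type, data[pos + 2:pos + length]))
        pos += length
    return attrs


def hide_password(password, secret, request_auth):
    """RFC 2865 section 5.2: pad to 16 octets, XOR each chunk with a chained MD5 keystream."""
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden, prev = hidden + chunk, chunk
    return hidden


def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password; the server does this before checking credentials."""
    plain, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        plain += bytes(c ^ k for c, k in zip(chunk, keystream))
        prev = chunk
    return plain.rstrip(b"\x00")


def build_access_request(ident, secret, username, password, nas_ip):
    """Client side: a fresh random Request Authenticator keys the password hiding."""
    request_auth = secrets.token_bytes(16)
    attrs = (encode_attr(USER_NAME, username.encode())
             + encode_attr(USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
             + encode_attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def server_reply(request, secret, user_db):
    """Stand-in for the AAA server: recover the password, decide, sign the reply."""
    _code, ident, length = struct.unpack("!BBH", request[:4])
    request_auth = request[4:20]
    attrs = dict(parse_attrs(request[20:length]))
    ok = False
    if USER_NAME in attrs and USER_PASSWORD in attrs:
        expected = user_db.get(attrs[USER_NAME].decode(errors="replace"))
        supplied = reveal_password(attrs[USER_PASSWORD], secret, request_auth)
        ok = expected is not None and hmac.compare_digest(supplied, expected.encode())
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret);
    # this reply carries no attributes.
    return header + hashlib.md5(header + request_auth + secret).digest()


def check_reply(request, reply, secret):
    """Client side: verify the reply is authentic and for this request, then report."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:length] + secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        return "reply discarded: bad Response Authenticator (wrong shared secret or forged reply)"
    if ident != request[1]:
        return "reply discarded: Identifier does not match the outstanding request"
    return "authentication OK" if code == ACCESS_ACCEPT else "authentication failed: Access-Reject"


def run_exchange(username, password, client_secret, server_secret=None):
    """One in-memory exchange; pass a different server_secret to model a secret mismatch."""
    user_db = {"fred": "s3cret-pw"}                       # constructed user database
    request = build_access_request(7, client_secret, username, password, "192.0.2.10")
    reply = server_reply(request, server_secret or client_secret, user_db)
    return check_reply(request, reply, client_secret)


if __name__ == "__main__":
    print(run_exchange("fred", "s3cret-pw", b"shared-secret"))
    print(run_exchange("fred", "wrong-pw", b"shared-secret"))
    print(run_exchange("fred", "s3cret-pw", b"shared-secret", server_secret=b"other"))
```

The third call is the case a practitioner most often meets when radpwtst reports a failure against a healthy server: with a mismatched shared secret the server cannot recover the password and the client cannot validate the Response Authenticator, so the reply is discarded rather than interpreted as a reject.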
The raddbginc Utility: For Setting Debug Output Levels

The raddbginc utility enables you to set debugging on or off, and to specify the debug level while the HP-UX AAA Server is running. For a list of debug levels, see Table 31-1 (page 512).

Following is the syntax for the raddbginc command:
raddbginc [-h] [-v] [-di ipcdir] pid level

The debug output is sent to the /var/opt/aaa/logs/radius.debug file, unless you specify a different location using the radiusd command with the -dl option. For more information on the raddbginc utility, see raddbginc (1M).
The radsignal Utility: For Rolling Over the Debug Output to New Files

The radsignal utility rolls over the logfile (/var/opt/aaa/logs/logfile) and accounting stream (/var/opt/aaa/acct/session.yyyy-mm-dd.log) output to new files. The radsignal utility can also be used to set the log level based on the RADIUS message type. For more information on these files, see “The HP-UX AAA Server Logfile and Debug File” (page 511). The new file can be identified by the "part number" appended to the file name.

Following is the syntax for the radsignal command:
radsignal [-h] [-v] [[-di ipcdir] pid level] [[-di ipcdir] pid roll logfile] [[-di ipcdir] pid roll stream [stream-name]] [[-di ipcdir] log level msg_type msg_sub_type log_level]

For more information on radsignal, see radsignal (1M).
The HP-UX AAA Server Logfile and Debug File

You can use the following logfile and debug file to troubleshoot the HP-UX AAA Server:
• /var/opt/aaa/logs/logfile - The HP-UX AAA Server Logfile
• /var/opt/aaa/logs/radius.debug - The HP-UX AAA Server Debug File

This section discusses the HP-UX AAA Server logfile and debug file.

The HP-UX AAA Server Logfile

The server log file /var/opt/aaa/logs/logfile includes information about the start and stop of the HP-UX AAA Server, RADIUS requests, success and failure of access and accounting requests, warnings, and internal events. Following are the other log files related to the HP-UX AAA Server:
• /var/opt/aaa/logs/logfile_part<01-09>.yyyymmdd.gz - The compressed daily HP-UX AAA Server log.
• /var/opt/aaa/acct/session.yyyy-mm-dd.log - The default session accounting log file in the Merit style format.
• /var/opt/aaa/radacct/* - The session accounting log files in the Livingston Call Detail Records (CDR) directory style format.

You can also access the HP-UX AAA Server logfile using the Server Manager administration utility. For more information on using the Server Manager to access the HP-UX AAA Server logfile, see Using Server Manager to Retrieve Logfile Information on page 163.

The HP-UX AAA Server Debug File

The /var/opt/aaa/logs/radius.debug file is the HP-UX AAA Server debug file. It logs debug messages at the following levels:
Table 31-1 Debugging Levels in the HP-UX AAA Server

Debug Level   Level of Information
1             Minimal information
2             Level 1 information, plus high-level FSM output and limited function tracing
3             Level 2 information, plus full function tracing
4             Level 3 information, plus low-level FSM and configuration file output
At runtime, radiusd logs debugging information that may be useful for troubleshooting. The debug output can be turned on in the following ways:
• At server startup - Use the radiusd command to turn on the debug output. For more information on the radiusd command options, see Table 4-2.
• At server startup using the Server Manager - Use the Start configuration options in the Administration screen to set the debug level. The debug output is not set dynamically. Stop and start the HP-UX AAA Server for the debug output to be recorded.
• After server startup - Use the raddbginc utility to turn the debug output on and off, and to set the debug level while the HP-UX AAA Server is running. This method is dynamic. You need not stop and start the HP-UX AAA Server to log the debug output.

If the log files do not contain adequate information to isolate or solve a problem, use debugging to increase the level of tracing and logging.

IMPORTANT: Logging debug information increases the HP-UX AAA Server's processing overhead and can impact performance. Turn debugging off after you troubleshoot the problem.
32 Reporting Problems

If you are unable to solve the problem, do the following:
1. Read the Release Notes for [Product/Platform/Component] to see if the problem is known. If it is, follow the workaround offered to solve the problem.
2. Determine whether the product is still under warranty or whether your company purchased support services for the product. Your operations manager can supply you with the necessary information.
3. Access http://www.itrc.hp.com and search the technical knowledge databases to determine if the problem you are experiencing has already been reported. The type of documentation and resources you have access to depends on your level of entitlement.

NOTE: The ITRC resource forums at http://www.itrc.hp.com offer peer-to-peer support to solve problems and are free to users after registration.

If this is a new problem or if you need additional help, log your problem with the HP Response Center, either online through the support case manager at http://www.itrc.hp.com, or by calling HP Support. If your warranty has expired or if you do not have a valid support contract for your product, you can still obtain support services for a fee, based on the amount of time and material required to solve your problem.

4. If you are requested to supply any information pertaining to the problem, gather the necessary information and submit it. The following sections describe some of the information that you might be asked to submit.

Server Set Up Information

Include the following information about your HP-UX AAA Server implementation:
• Product number and version
• /opt/aaa/bin/radcheck <servername> output
• /var/opt/aaa/logs/logfile
• Level 4 debug information
• core file and gdb trace in case of a core dump
• Output of ps -ef for the radiusd process in case of a memory leak
• CPU usage statistics
Server Manager Related Information

If you are facing problems with the GUI based administration, include the following information:
• Server Manager version number
• HP-UX Java SDK version number
• HP-UX Tomcat-based Servlet Engine version number
• Contents of the /opt/aaa/remotecontrol/admin.log file
• Contents of the /opt/aaa/remotecontrol/file.log file
• Contents of the /opt/aaa/remotecontrol/maintenance.log file
• Contents of the /opt/aaa/remotecontrol/session.log file
• Browser type and version

External Components

Include information on the following external components that interoperate with the HP-UX AAA Server:

External Databases
• Database type and version number
• Configuration details
• Log files and debug information

SNMP Servers
• Vendor name and version number
• Configuration details
• Log files and debug information

DHCP Servers
• Vendor name and version number
• Configuration details
• Log files and debug information

OpenSSL
• Version number
• Configuration details

EAP Related Information

For EAP implementations, include information on the following components:

Clients
• Client type
• Patch type
• Tracing logs for EAP log files

Access Points
• The make of the access point (such as Cisco or HP)
• Version of hardware and firmware
Part VII Reference

This part of the HP-UX AAA Server Administrator’s Guide contains the following chapters:
• Chapter 33: “Configuration Files” (page 519)
• Chapter 34: “Attribute-Value Pairs” (page 546)
• Chapter 35: “MIB Objects” (page 566)
Table of Contents

33 Configuration Files ..... 519
  HUP Processing ..... 519
  The aaa.config File ..... 520
    Variables in the aaa.config File ..... 520
      The strict_duplicate_check Variable ..... 520
      The aatv.ProLDAP Property ..... 521
      The iaaa.SNMP Property ..... 521
      The log_threshold_limit and suppression_interval Variables ..... 522
      The list_copy_limit Variable ..... 522
      The localUsersFile.FilterType Property ..... 522
      The default_users_file_cis_search Property ..... 523
      The log_forwarding Variable ..... 523
      The log_generated_request Variable ..... 523
      The ourhostname Variable ..... 523
      The packet_log Variable ..... 524
      The radius_log_fmt Variable ..... 524
      The reply_check Variable ..... 524
    OTP Authentication-Related Configuration Items ..... 525
    Dynamic Authorization-Related Configuration Items ..... 525
  The clients File ..... 526
    Prefixed Users and authfile ..... 527
    Wildcard Support for IPv4 and IPv6 ..... 527
  The users File ..... 528
    Syntax of a User Entry ..... 528
    Syntax of IPv6 Attributes ..... 528
      NAS-IPv6-Address ..... 528
      Framed-Interface-Id ..... 529
      Framed-IPv6-Prefix ..... 529
      Login-IPv6-Host ..... 529
      Framed-IPv6-Route ..... 530
      Framed-IPv6-Pool ..... 530
    With Tunneling ..... 530
  The dictionary File ..... 531
    Attribute Entries ..... 532
    Pruning Expressions ..... 533
    Value Entries ..... 534
  The las.conf File ..... 535
    LAS Session Timing Parameters ..... 535
    Token Pool Configuration ..... 536
    Realm Configuration ..... 537
  The vendors File ..... 538
    Syntax of a vendors File ..... 538
  The log.config File ..... 539
    Syntax of a Stream Entry ..... 539
    Default Entry ..... 541
    End Entry ..... 541
    Logging Multiple Streams ..... 541
      Values Logged by Default ..... 541
      Examples ..... 542
        Livingston Call Detail Record (CDR) Format ..... 542
        Multiple Logging Streams ..... 542
        Logging Based on attributes ..... 543
        Accounting Log Based on Attribute Value ..... 544
        Changing the Accounting Log Rollover Interval ..... 545
34 Attribute-Value Pairs ..... 546
  Specifying Attribute-Value Pairs ..... 546
    Attribute-Value Formats ..... 546
    Examples ..... 547
    Tagged Attributes ..... 547
  Attributes in User Profiles ..... 547
    Configuration Attributes ..... 548
      Local Authorization Service (LAS) Configuration ..... 549
        Simultaneous-Use Attribute ..... 550
        Attributes Concerning OTP Authentication ..... 550
  Check (and Deny) Items ..... 550
    Attributes Concerning the NAS ..... 551
    Policy Attributes ..... 552
    Other Attributes ..... 552
  Reply Items ..... 553
    General Attributes ..... 554
    Attributes Concerning Login Users ..... 556
    Attributes for Framed Users ..... 556
    Tunneling Attributes ..... 558
    Other Attributes ..... 560
  Attributes in Accounting Records ..... 561
    Additional Session Information ..... 561
35 MIB Objects ..... 566
  MIB Objects ..... 566
33 Configuration Files

The Server Manager interface configures most of the HP-UX AAA Server’s configuration files. However, some features of the HP-UX AAA Server cannot be configured through the Server Manager interface. If you want to define policy, vendor-specific attributes, or logging behavior, you must manually edit the configuration files. The information in this chapter is provided as a reference for the configuration files that Server Manager cannot configure.

Following lists the configuration files that you must manually edit from the command line:
• radius.fsm — see Chapter 26: “Customizing the HP-UX AAA Server Using the Finite State Machine” (page 396)
• “The dictionary File” (page 531)
• “The las.conf File” (page 535)
• “The vendors File” (page 538)
• “The log.config File” (page 539)

The following is a list of the configuration files that you can edit from the command line after editing them with Server Manager. Some features are not configurable through Server Manager, therefore additional command line editing is sometimes required:
• “The aaa.config File” (page 520)
• “The clients File” (page 526)
• “The users File” (page 528)
• “sqlaccess.config Sample File” (page 343)

NOTE: If the configuration files in the /etc/opt/aaa directory are incorrectly configured or deleted during the course of configuring the AAA Server, you can get the original configuration files as provided during installation from the /opt/aaa/newconfig/etc/opt/aaa directory.
HUP Processing

The HUP signal (kill -HUP) provides the ability to update some of your configuration while the AAA server is running. The signal tells the AAA server process that a change occurred and that it must read the configuration files again. On receiving the HUP signal, the server rereads the following files:
• users
• clients
• authfile
• aaa.config
• engine.config (all values except the certificate properties, which require a server stop and start to be refreshed)
• las.conf
• EAP.authfile
• aaa.config.license
• sqlaccess.config
The aaa.config File

The aaa.config file contains keyword-value entries, one per line, which allow the user to override compiled-in default values in the AAA server. The aaa.config file can be used for performance tuning, debugging, or overriding built-in defaults.

IMPORTANT: Configuration files have a maximum input line length of 255 characters. No checking is done to ensure that a configuration statement has not exceeded this limit.

You can include configuration data in multiple text files and load them at server startup. For each text file, add a one-line entry to the aaa.config file according to the following format:
include "File-name"

If File-name does not specify a path, the server will look for the file in the configuration directory.

The syntax of a keyword-value entry in the aaa.config file is as follows:
variable = value

NOTE: Any space or tab characters before the variable or surrounding the equal sign character are ignored. Space and tab characters after the value may be considered part of the value assigned to the variable.
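A parser and checker for this file format, added here as an example and not part of the HP-UX AAA Server or of this guide. It applies the rules above (leading whitespace and whitespace around the equal sign ignored, trailing whitespace kept as part of the value, include "File-name" resolved against the configuration directory when no path is given), and, because the server does not enforce the 255-character limit itself, it reports every line that exceeds it before the file is handed to a server that would silently misread it. It also reads the brace-delimited block form used by properties such as aatv.ProLDAP. The sample configuration is constructed; treating lines that begin with # as comments is an assumption of this example, since the guide does not describe a comment syntax.

```python
import os
import re

MAX_LINE_LENGTH = 255        # documented limit; the server does not check it

_INCLUDE = re.compile(r'^[ \t]*include[ \t]+"([^"]+)"[ \t]*$')
_ASSIGN = re.compile(r'^[ \t]*([^\s={}]+)[ \t]*=[ \t]*(.*)$')
_BLOCK_OPEN = re.compile(r'^[ \t]*([A-Za-z0-9_.]+)[ \t]*\{[ \t]*$')


def parse_aaa_config(text, name, read_include):
    """Parse aaa.config text.

    read_include(file_name) returns the text of an included file, or None if it
    does not exist. Returns (values, blocks, problems): values maps a variable to
    its value string with trailing whitespace preserved, blocks maps a block name
    such as aatv.ProLDAP to {key: value}, and problems lists over-long lines,
    missing includes and lines that match no known form.
    """
    values, blocks, problems = {}, {}, []
    block = None
    for lineno, line in enumerate(text.splitlines(), 1):
        where = "%s:%d" % (name, lineno)
        if len(line) > MAX_LINE_LENGTH:
            problems.append("%s: %d characters exceeds the %d-character limit"
                            % (where, len(line), MAX_LINE_LENGTH))
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):   # assumption: '#' starts a comment
            continue
        if block is not None:                          # inside a { ... } block: "key value"
            if stripped == "}":
                block = None
            else:
                parts = stripped.split(None, 1)
                blocks[block][parts[0]] = parts[1] if len(parts) > 1 else ""
            continue
        m = _BLOCK_OPEN.match(line)
        if m:
            block = m.group(1)
            blocks.setdefault(block, {})
            continue
        m = _INCLUDE.match(line)
        if m:
            sub = read_include(m.group(1))
            if sub is None:
                problems.append("%s: included file %r not found" % (where, m.group(1)))
                continue
            sub_values, sub_blocks, sub_problems = parse_aaa_config(sub, m.group(1), read_include)
            values.update(sub_values)
            blocks.update(sub_blocks)
            problems.extend(sub_problems)
            continue
        m = _ASSIGN.match(line)
        if m:
            values[m.group(1)] = m.group(2)            # trailing blanks stay in the value
            continue
        problems.append("%s: unrecognised line %r" % (where, stripped))
    if block is not None:
        problems.append("%s: block %r is never closed" % (name, block))
    return values, blocks, problems


def load_aaa_config(path):
    """Parse a file on disk, resolving bare include names against its directory."""
    config_dir = os.path.dirname(os.path.abspath(path))

    def read_include(file_name):
        full = file_name if os.path.dirname(file_name) else os.path.join(config_dir, file_name)
        try:
            with open(full) as fh:
                return fh.read()
        except OSError:
            return None

    with open(path) as fh:
        return parse_aaa_config(fh.read(), path, read_include)


# Constructed sample: a value with a trailing blank, an include, and one over-long line.
SAMPLE_MAIN = (
    "strict_duplicate_check = on\n"
    "  log_threshold_limit=150 \n"
    'include "proldap.config"\n'
    "list_copy_limit = " + "2" * 300 + "\n"
)
SAMPLE_INCLUDES = {
    "proldap.config": "aatv.ProLDAP {\n  Retry-Interval 60\n  Retry-Wait 1\n"
                      "  Timeout 60\n  TCP-Timeout 3\n  Debug 0\n}\n",
}


def lint_sample():
    """Parse the constructed sample without touching the file system."""
    return parse_aaa_config(SAMPLE_MAIN, "aaa.config", SAMPLE_INCLUDES.get)


if __name__ == "__main__":
    for item in lint_sample():
        print(item)
```

Run load_aaa_config("/etc/opt/aaa/aaa.config") on a server and review the returned problems list before restarting or HUPing the server; an over-long line is the one fault this file format cannot report on its own.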
Variables in the aaa.config File

Following lists the variables that you can modify in the aaa.config file:

The strict_duplicate_check Variable

This variable is used to change the behavior for detecting duplicate RADIUS packets. To identify a RADIUS packet as a duplicate, the AAA Server checks the identifier, source port, source IP address, and the packet length. This is the default behavior when the strict_duplicate_check variable is “off”. This default behavior allows the AAA Server to support a wider range of NASs.

When the strict_duplicate_check variable is set to “on”, the AAA Server also checks whether the request authenticator is the same. Setting this variable to “on” results in a significant performance increase.
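The two matching rules side by side, as an added Python example that is not part of the HP-UX AAA Server or of this guide. A genuine retransmission repeats the packet byte for byte, so both rules recognise it; a new request from the same NAS that happens to reuse an Identifier and arrives with the same length is indistinguishable under the default rule, and only the strict rule, which also compares the Request Authenticator, tells the two apart. The NAS address and packets are constructed, and the cache here never expires entries; a real server must age them out once the retransmission window has passed, which is an assumption about the implementation rather than something this guide states.

```python
import secrets
import struct


def radius_header(packet):
    """Code, Identifier, Length and Request Authenticator from the 20-octet header."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    return code, ident, length, packet[4:20]


def duplicate_key(packet, src_ip, src_port, strict):
    """The fields the server compares: the default set, plus the authenticator when strict."""
    _code, ident, length, authenticator = radius_header(packet)
    key = (src_ip, src_port, ident, length)
    return key + (authenticator,) if strict else key


class DuplicateDetector:
    """Remembers requests already seen; strict=True mirrors strict_duplicate_check=on."""

    def __init__(self, strict=False):
        self.strict = strict
        self._seen = set()        # no expiry here; a real server ages entries out

    def is_duplicate(self, packet, src_ip, src_port):
        key = duplicate_key(packet, src_ip, src_port, self.strict)
        if key in self._seen:
            return True
        self._seen.add(key)
        return False


def make_access_request(ident, attr_len):
    """Constructed Access-Request (code 1) with a fresh 16-octet random authenticator;
    the attribute area is zero-filled because only the header matters here."""
    return (struct.pack("!BBH", 1, ident, 20 + attr_len)
            + secrets.token_bytes(16) + b"\x00" * attr_len)


def compare_modes():
    """Return {strict: (retransmission flagged?, distinct request flagged?)}."""
    nas = ("192.0.2.10", 49152)                       # constructed NAS address and source port
    first = make_access_request(ident=7, attr_len=44)
    retransmission = first                             # same bytes, same authenticator
    reused_ident = make_access_request(ident=7, attr_len=44)   # same id and length, new authenticator
    results = {}
    for strict in (False, True):
        detector = DuplicateDetector(strict)
        detector.is_duplicate(first, *nas)
        results[strict] = (detector.is_duplicate(retransmission, *nas),
                           detector.is_duplicate(reused_ident, *nas))
    return results


if __name__ == "__main__":
    for strict, (retrans, distinct) in compare_modes().items():
        print("strict_duplicate_check=%s: retransmission treated as duplicate=%s, "
              "distinct request treated as duplicate=%s"
              % ("on" if strict else "off", retrans, distinct))
```

The second tuple element is the case to keep in mind when choosing the setting: with the default rule a NAS that wraps its Identifier space quickly can have a legitimate new request answered with the cached reply to an earlier one, while the strict rule depends on the NAS generating a fresh Request Authenticator for every new request, which is the RFC 2865 requirement but not every NAS honours it.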
The aatv.ProLDAP Property

This property controls AAA server connections to an LDAP server.
• Retry-Interval sets the number of seconds for the AAA server to wait before trying to reconnect to an LDAP directory server, when a realm has failover directory servers configured. Defaults to 60 seconds.
• Retry-Wait sets the number of seconds that the AAA server will wait before attempting to connect to the same failover LDAP server. When all failover directory servers configured for a realm are down, the AAA server will try to reconnect to one every time an access request is received. In such a situation, this parameter guarantees that the software does not spend too much time in trying to reconnect to those directory servers. Default value is 1 second.
• Timeout sets the number of seconds that an LDAP connection will remain open when the AAA server has not been able to perform any successful LDAP operation. This parameter allows better handling of the situation where the LDAP directory times out client connections.
• TCP-Timeout sets the number of seconds that the AAA server will wait for an LDAP server when trying to establish the TCP connection.
• Debug determines whether OpenLDAP debug messages must be written to the radius.debug file. A value of 0 disables writing these messages; a value of -1 enables writing these messages.

The syntax of this property follows a block syntax that is different from the other aaa.config variables. For example:
aatv.ProLDAP{
    Retry-Interval 60
    Retry-Wait 1
    Timeout 60
    TCP-Timeout 3
    Debug 0
}
The iaaa.SNMP Property

The iaaa.SNMP property controls AAA server connections to the SNMP master agent.
• When the Enabled option is set to yes, the HP-UX AAA Server automatically checks the local host (and not the network) to communicate with the SNMP master agent. The HP-UX AAA Server can then be monitored by an SNMP workstation. When the Enabled option is set to no, the server does not communicate with an SNMP master agent and cannot be monitored by an SNMP workstation. The default value is no.
• agentxTimeout sets the time (in seconds) for which the AAA server waits for a response from the master agent.
• agentxRetries sets the number of times a request is resent when a timeout occurs.

For example:
iaaa.SNMP{
    Enabled yes
    agentxTimeout 1
    agentxRetries 2
}
The log_threshold_limit and suppression_interval Variables

These variables can be used to suppress a message from being repeatedly recorded in the log file. For example:
log_threshold_limit=150
suppression_interval=20

Where:
log_threshold_limit - The number of times that the same message can be recorded to the log file within two seconds, before it is suppressed. Default: 100.
suppression_interval - The time in seconds for which the logging of a message is suppressed. Default: 30 seconds.

In the above example, a message will be suppressed for 20 seconds if it is logged more than 150 times within 2 seconds.
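The suppression rule as executable logic, an added Python example that is not code from the HP-UX AAA Server or this guide, so the effect of the two settings can be seen on a constructed burst of identical messages: the same message is written up to log_threshold_limit times within a two-second window, the next repetition starts a suppression_interval during which that message is dropped, and logging of it resumes once the interval has passed. Timestamps are passed in explicitly so the run is deterministic. Messages are compared by exact text and counted per distinct message; how the server keys its own counters is not described in this guide, so that is an assumption of the example.

```python
from collections import deque


class SuppressingLogger:
    """Rate-limits repeated identical log messages as the two variables describe."""

    WINDOW_SECONDS = 2.0        # the counting window the guide specifies

    def __init__(self, log_threshold_limit=100, suppression_interval=30):
        self.limit = log_threshold_limit
        self.interval = suppression_interval
        self._recent = {}             # message -> timestamps written within the window
        self._suppressed_until = {}   # message -> time at which suppression ends
        self.written = []             # (timestamp, message) records that reached the log
        self.dropped = 0

    def log(self, message, now):
        """Record message at time `now`; return True if written, False if suppressed."""
        until = self._suppressed_until.get(message)
        if until is not None:
            if now < until:
                self.dropped += 1
                return False
            del self._suppressed_until[message]        # interval over: start counting afresh
            self._recent.pop(message, None)
        times = self._recent.setdefault(message, deque())
        while times and now - times[0] > self.WINDOW_SECONDS:
            times.popleft()                            # forget writes older than the window
        if len(times) >= self.limit:                   # limit already reached within the window
            self._suppressed_until[message] = now + self.interval
            self._recent.pop(message, None)
            self.dropped += 1
            return False
        times.append(now)
        self.written.append((now, message))
        return True


def simulate_burst(limit=150, interval=20, repeats=400, spacing=0.005):
    """Constructed burst: `repeats` identical messages `spacing` seconds apart
    (400 x 0.005 s fits inside one two-second window), then one more message after
    the suppression interval has elapsed."""
    logger = SuppressingLogger(log_threshold_limit=limit, suppression_interval=interval)
    msg = "Access-Request from 192.0.2.10: client not registered"   # constructed text
    for i in range(repeats):
        logger.log(msg, i * spacing)
    last_burst_time = (repeats - 1) * spacing
    resumed = logger.log(msg, last_burst_time + interval + 1.0)
    return {"written_in_burst": len(logger.written) - int(resumed),
            "dropped": logger.dropped,
            "resumed_after_interval": resumed}


if __name__ == "__main__":
    print(simulate_burst())
```

With the guide's example values the burst of 400 identical messages produces 150 log records and 250 drops, and the message is accepted again once 20 seconds have passed. The operational caveat is the flip side of the feature: during the interval the log is silent about that message, so a sustained flood (for example, from an unregistered client hammering the server) shows up as a gap rather than as volume, and the threshold should be chosen with that in mind.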
The list_copy_limit Variable

This variable can be used for customized server configurations that accumulate A-V pairs or generate large responses. The default (and maximum) value is 512. Following is the syntax of the list_copy_limit variable:
list_copy_limit=256
The localUsersFile.FilterType Property

This property can be used to specify the case matching for each users file. Following is the syntax of the localUsersFile.FilterType property:
localUsersFile.FilterType{
    fred CIS
    bill BIN
}

where the users files are fred.users and bill.users. The above configuration enables case insensitive search for fred.users and case sensitive search for bill.users. The default behavior is case sensitive search.
The default_users_file_cis_search Property

This property can be used to specify the case matching while searching the default users file. If this property is set to yes, case insensitive search is enabled. If this property is set to no, case sensitive search is enabled. The default behavior is case sensitive search.
The log_forwarding Variable

This variable turns logging in the logfile on (or off) when packets are forwarded through the server to another RADIUS server. In addition, it also turns the logging of the forwarding vector, the reply vector, or a dump of the packet being forwarded on (or off). This allows finer detail when tracking problems, at the expense of increased log file size. Following is the syntax of the log_forwarding variable:
log_forwarding=on
log_forwarding=off
log_forwarding=+vector
log_forwarding=+digest
log_forwarding=+dump
log_forwarding=-vector
log_forwarding=-digest
log_forwarding=-dump
log_forwarding=clear

The log_generated_request Variable

This variable turns the logging of internally generated packets on (or off) when they are created and when they reach their end state. It is useful for a customized server configuration that produces accounting requests based on internal state transitions rather than on externally delivered requests. Following is the syntax of the log_generated_request variable:
log_generated_request=on
log_generated_request=off

The ourhostname Variable

This variable sets the interface (DNS name or IP address) that a multihomed server would use. By default, the AAA server determines the hostname by calling gethostname. For multihomed hosts this call may not return the correct name for the interface that the AAA server should use to send and listen for messages. Following is the syntax for the ourhostname variable:
DNS host name: ourhostname=interface1.radius.server.net
Traditional IP (IPv4) address: ourhostname=192.0.2.0
IPv6 address: ourhostname=fedc:ba98:7654:3210:fedc:ba98:7654:3210
CAUTION: If you configure an IPv6 address in the ourhostname variable, thentraditional IP (IPv4) hosts will not be able to send or receive messages. Similarly, if youconfigure an IPv4 address here, then IPv6 hosts will not be able to send or receivemessages. If you configure a DNS name, then the first address returned by the DNSserver is used.
The packet_log Variable

This variable controls checks to match a current request with an original request, which can occur when logging certain attributes in a request log (NAS-Identifier, NAS-Port, User-Name, and so on). This check can cause an abort and core dump if the +abort option is given. This check is useful for tracking situations where a remote RADIUS server is responding with incorrect values. In addition, it can also be used to investigate if an AATV is corrupting the current request. Following is the syntax for the packet_log variable:
packet_log=default
packet_log=clear (or none)
packet_log=+abort
packet_log=+both (or +comp)
packet_log=+current (or +cur)
packet_log=+original (or +orig)
packet_log=-abort
packet_log=-both (or -comp)
packet_log=-current (or -cur)
packet_log=-original (or -orig)

The value of default means to report only from the original request. The value of +abort means to abort and core dump if there is a mismatch.
The radius_log_fmt Variable

This variable overrides the logfile format string used.
The reply_check VariableThis variable specifies which attributes to check on a reply from a forwarded requestto ensure that they are the same as the forwarded request. Besides specifying whichattributes to check, you can specify the action to take when a mismatch occurs. Listedbelow are the actions you can choose to take:• Ignore the reply• Ignore the mismatch• Abort and core dumpUseful attributes to check are NAS-Identifier, Acct-Session-Id, Class, User-Name. Forexample:reply_check=first reply_check=all
524 Configuration Files
reply_check=+abort reply_check=+dump reply_check=+ignore reply_check=+verbose reply_check=clear reply_check=none reply_check=Attribute
The value of first (default) means to check only the first match. The value of allmeans to check all the attributes for matches. The value of +abort means to abort andcoredump if a check fails. The value of +dump means to dump the offending packet(in hexadecimal). You can specify a specific attribute to check with the syntaxreply_check=Attribute.
NOTE: This feature may not work well in situations where the HP-UX AAA Server is communicating with non-HP servers.
OTP Authentication-Related Configuration Items

The following OTP authentication-related configuration items can be set in the aaa.config file:
• otp_token_length <6–8>
• otp_lookup_window <0 - any positive integer>
• otp_token_lock_counter <1 - any positive integer>
• otp_add_checksum <yes or no>

For more information on these configuration items, see “System-Wide OTP Configuration Items” (page 195).
Dynamic Authorization-Related Configuration Items

The following Dynamic Authorization-related configuration items can be set in the aaa.config file:

Table 33-1 Dynamic Authorization-Related Configuration Items

Configuration Item              Description
global_client_q.limit           The maximum number of client requests allowed in the client queue.
client_retry_tbl_size           The size of the hash table used for performing retransmissions of client requests.
event_timestamp_window          The time interval for which an incoming Event-Timestamp is valid.
enable_rpf_check                Enforces the HP-UX AAA server to perform Reverse Path Forwarding (RPF) checks on the incoming Disconnect and CoA requests. This is disabled by default.
default_client_retries          The maximum number of retries for client requests. This is a global value.
default_client_retry_interval   The retransmission interval for client requests. This is a global value.
The CLIENT AATV is a generic AATV, which you can use to perform the required client functions. You must configure the CLIENT AATV in the aatv.CLIENT block within the aaa.config file. The syntax of the aatv.CLIENT block parameters is as follows:

aatv.CLIENT
{
    <action name>.client_timer_value <time interval>
    <action name>.client_max_requests <value>
}

Following is an example of the aatv.CLIENT block within the aaa.config file:

aatv.CLIENT
{
    Disconnect.client_timer_value 1
    Disconnect.client_max_requests 10
}
The clients File

The server configuration must include all the clients (NASs, RADIUS proxy servers, and other network devices) that can communicate with the AAA server. If a client is not included in the configuration, the server discards its messages. The /etc/opt/aaa/clients file contains the identifying information for these clients.

IMPORTANT: Configuration files have a maximum input line length of 255 characters. No checking is done to ensure that a configuration statement has not exceeded this limit.

Syntax of a Client Entry

Name:authport:acctport:dynport Shared-Secret Type=vendor:{NAS|PROXY}options Version Prefix

An IPv4 example of a client that is a NAS:

192.0.2.0 secret type=Ascend+USR:NAS+RAD_RFC+ACCT_RFC v1
An IPv4 example of a client that is a proxy:

192.0.2.0:3400 secret type=Ascend+USR:PROXY+RAD_RFC+ACCT_RFC v1

An IPv6 example of a client that is a NAS:

fedc:ba98:7654:3210 secret type=Ascend+USR:NAS+RAD_RFC+ACCT_RFC v1

An IPv6 example of a client that is a proxy:

[fedc:ba98:7654:3210]:3400 secret type=Ascend+USR:PROXY+RAD_RFC+ACCT_RFC v1

NOTE: In the case of a proxy, if the Name field is an IPv6 literal address then you must separate the address from the port by enclosing the address in square brackets.

A DNS name example of a client that is a NAS:

danish secret type=Ascend+USR:NAS+RAD_RFC+ACCT_RFC v1

A DNS name example of a client that is a proxy:

danish:3400 secret type=Ascend+USR:PROXY+RAD_RFC+ACCT_RFC v1
Prefixed Users and authfile

In the clients file, it is possible to specify a prefix for a client. When an Access-Request is matched to a client, the AAA server will search for the user's profile in the prefix.users file. Likewise, if the user profile indicates the Realm authentication type, the server will search for an entry that matches the user's realm in the prefix.authfile file.

Wildcard Support for IPv4 and IPv6

To allow access from any IP address or from any IP address of a particular subnet, specify a wildcard pattern in the /etc/opt/aaa/clients file. Wildcard IP addresses are specified by using the high-order components followed by the asterisk wildcard. Following are some examples of valid IPv4 wildcard patterns:

*
192.*
192.0.*
192.0.2.*

Following are some examples of invalid IPv4 wildcard patterns:

*.0
192.0*

To allow access from any IPv6 address or from a group of IPv6 addresses, specify an IPv6 wildcard pattern. The allowed IPv6 wildcard patterns are constructed by appending a ‘*’ to a partial IPv6 address or by specifying a single ‘*’. Following are some examples of valid IPv6 wildcard patterns:

*
fedc:ba98:7654:3210:fe*
fedc:ba98:7654:3210*

The special IPv6 syntax of compressing zeroes using "::" is not allowed in IPv6 wildcard patterns. The following example is incorrect:

fedc::ba98:fe*
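As an added illustration (not part of the HP-UX AAA Server or of this manual), the following Python checks whether a clients-file pattern obeys the wildcard rules above and reports which clients entry a given source address falls under. The clients lines, the regular expressions and the first-match-in-file-order rule are assumptions.

```python
"""Clients-file wildcard patterns: validation and client lookup.

Added example, not HP-UX AAA Server code.  Rules taken from the manual: an IPv4
wildcard is '*' or high-order dotted components followed by '*'; an IPv6
wildcard is '*' or a partial address followed by '*'; '::' is never allowed in
a wildcard.  Constructed clients lines with placeholder secrets are used below.
"""
import ipaddress
import re

# Assumption: an IPv6 pattern may end inside a hex group, as the manual's own
# example 'fedc:ba98:7654:3210:fe*' does.
_IPV4_WILDCARD = re.compile(r"^\*$|^(\d{1,3}\.){1,3}\*$")
_IPV6_WILDCARD = re.compile(r"^\*$|^([0-9a-f]{1,4}:)*[0-9a-f]{0,4}\*$", re.I)

SAMPLE_CLIENTS = """\
# constructed sample; 'secret' is a placeholder shared secret
192.0.2.10 secret type=Ascend+USR:NAS+RAD_RFC+ACCT_RFC v1
192.0.2.* secret type=Ascend+USR:NAS+RAD_RFC+ACCT_RFC v1
[2001:db8::1]:3400 secret type=Ascend+USR:PROXY+RAD_RFC+ACCT_RFC v1
2001:db8:1:* secret type=Ascend+USR:NAS+RAD_RFC+ACCT_RFC v1
"""


def is_valid_wildcard(pattern: str) -> bool:
    """True if the pattern has one of the documented wildcard shapes."""
    if "::" in pattern:  # zero compression is not allowed in wildcards
        return False
    return bool(_IPV4_WILDCARD.match(pattern) or _IPV6_WILDCARD.match(pattern))


def _ipv6_forms(addr: ipaddress.IPv6Address):
    """Textual forms a wildcard prefix is compared against: the fully expanded
    address and the same with leading zeros dropped from every group."""
    exploded = addr.exploded
    short = ":".join(g.lstrip("0") or "0" for g in exploded.split(":"))
    return exploded, short


def wildcard_matches(pattern: str, address: str) -> bool:
    """True if a valid wildcard pattern covers the literal address."""
    if not is_valid_wildcard(pattern):
        raise ValueError(f"invalid wildcard pattern: {pattern}")
    if pattern == "*":
        return True
    addr = ipaddress.ip_address(address)
    prefix = pattern[:-1].lower()
    if addr.version == 4:
        return bool(_IPV4_WILDCARD.match(pattern)) and str(addr).startswith(prefix)
    return bool(_IPV6_WILDCARD.match(pattern)) and any(
        form.startswith(prefix) for form in _ipv6_forms(addr))


def _client_name(entry: str) -> str:
    """Name part of a clients entry's first field, without any :port suffix.
    Bracketed IPv6 literals ([addr]:port) are handled as the manual describes;
    an unbracketed field with a single ':' is taken as name:port."""
    field = entry.split()[0]
    if field.startswith("["):
        return field[1:field.index("]")]
    if field.count(":") == 1:
        return field.split(":")[0]
    return field


def find_client(clients_text: str, source_address: str):
    """Return the Name field of the first entry covering source_address, or
    None.  Assumption: entries are tried in file order; DNS names are skipped."""
    for line in clients_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name = _client_name(line)
        if name.endswith("*"):
            if is_valid_wildcard(name) and wildcard_matches(name, source_address):
                return name
            continue
        try:
            if ipaddress.ip_address(name) == ipaddress.ip_address(source_address):
                return name
        except ValueError:  # a DNS name, or an incomplete literal
            continue
    return None
```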
The users File

User profiles associate information, like check and reply items, with a user name. The server configuration must include profiles for all the users that can access services through the AAA server. Profiles can be stored in flat text files, or in an external database. If a user profile is not included in the configuration, the server will reject the user's access request.

The default users, realm, or prefix.users files may contain user profiles for authentication. Each user entry in one of these files can be one or more lines of information. You do not have to edit the default users file when mapping realms to authentication types in the authfile, since the user information for each defined realm will be stored in a realm file or external database. Unless the default installation of the configuration files has been changed, the users file can be found in the /etc/opt/aaa directory.

IMPORTANT: Configuration files have a maximum input line length of 255 characters. No checking is done to ensure that a configuration statement has not exceeded this limit.

NOTE: The order of the entries is important; the first entry that matches the request will be used to authenticate the user. The server will ignore the remaining entries; therefore, you should list the most specific entries first and the default entry should be last.

Syntax of a User Entry

The first line of each entry consists of one or more fields:

User-Name configuration-items check-items reply-item, reply-item . . .
Syntax of IPv6 Attributes

This section briefly describes the syntax of the IPv6 attributes that the users file contains. For more information on IPv6 attributes, refer to RFC 3162.

NAS-IPv6-Address

This attribute indicates the identifying IPv6 address of the NAS which is requesting authentication of the user, and it must be unique to the NAS within the scope of the RADIUS server.

Example 33-1 Examples of NAS-IPv6-Address Attribute Syntax

fedc:ba98:7654:3210:fedc:ba98:7654:3210
12ab::4871
2222::4

Framed-Interface-Id

This attribute indicates the IPv6 interface identifier to be configured for the user.

Example 33-2 Examples of Framed-Interface-Id Attribute Syntax

fedc:ba98:7654:3210
a:b:c:d

IMPORTANT: Do not use “::” in the Framed-Interface-Id syntax.

Framed-IPv6-Prefix

This attribute indicates an IPv6 prefix to be configured for the user.

Example 33-3 Examples of Framed-IPv6-Prefix Attribute Syntax

0/64/12ab::cd30:0:0:0:0
0/28/fedc:ba98:7654:3210

The first field in the above examples is the Reserved field. If you do not list this field, the default value 0 will be used. However, HP recommends using 0 in the Reserved field to comply with RFC 3162. The second field in the above examples is the Prefix-Length field. This field can take any value from 0 to 128. If nothing is specified in the Prefix-Length field, the default value 64 is used. The last field in the above examples is the Prefix field. In this field, the complete IPv6 address must be listed.
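The following added Python example (not HP-UX AAA Server code) converts the reserved/prefix-length/prefix form above into the RFC 3162 wire encoding of Framed-IPv6-Prefix and back, which is a useful check on a value before it goes into the users file. Its handling of shortened forms (fewer than three fields, or a prefix with fewer than eight hex groups such as the manual's second example) is an assumption.

```python
"""Framed-IPv6-Prefix: users-file text form <-> RFC 3162 attribute encoding.

Added example, not HP-UX AAA Server code.  Text form is reserved/prefix-length/
prefix with defaults 0 and 64; wire form is Type 97, Length, Reserved,
Prefix-Length, then only as many prefix octets as the prefix length needs.
"""
import ipaddress

FRAMED_IPV6_PREFIX = 97  # RADIUS attribute type number (RFC 3162)


def parse_framed_ipv6_prefix(text: str):
    """Split 'reserved/prefix-length/prefix' into (reserved, plen, IPv6Address).
    Assumption: a two-field value is 'prefix-length/prefix', a one-field value
    is just the prefix, and an empty field takes its documented default."""
    parts = text.strip().split("/")
    if len(parts) == 3:
        reserved, plen, prefix = parts
    elif len(parts) == 2:
        reserved, (plen, prefix) = "", parts
    elif len(parts) == 1:
        reserved, plen, prefix = "", "", parts[0]
    else:
        raise ValueError(f"malformed Framed-IPv6-Prefix value: {text!r}")
    reserved_val = int(reserved) if reserved else 0
    plen_val = int(plen) if plen else 64
    if not 0 <= plen_val <= 128 or not 0 <= reserved_val <= 255:
        raise ValueError(f"field out of range in {text!r}")
    # The manual's example '0/28/fedc:ba98:7654:3210' lists only high-order
    # groups; assumption: complete such a value with '::'.
    if "::" not in prefix and prefix.count(":") < 7:
        prefix += "::"
    return reserved_val, plen_val, ipaddress.IPv6Address(prefix)


def encode_framed_ipv6_prefix(text: str) -> bytes:
    """Build the whole attribute (type, length, value) for one users-file value.
    Bits beyond the prefix length are zeroed, as RFC 3162 requires."""
    reserved, plen, addr = parse_framed_ipv6_prefix(text)
    octets = bytearray(addr.packed[: (plen + 7) // 8])
    if plen % 8:
        octets[-1] &= (0xFF << (8 - plen % 8)) & 0xFF
    header = bytes([FRAMED_IPV6_PREFIX, 4 + len(octets), reserved, plen])
    return header + bytes(octets)


def decode_framed_ipv6_prefix(attr: bytes) -> str:
    """Reverse of encode: return 'reserved/prefix-length/prefix'.  Rejects a
    length byte that disagrees with the data and a prefix length that needs
    more octets than were sent."""
    if len(attr) < 4 or attr[0] != FRAMED_IPV6_PREFIX or attr[1] != len(attr):
        raise ValueError("not a well-formed Framed-IPv6-Prefix attribute")
    reserved, plen, octets = attr[2], attr[3], attr[4:]
    if plen > 128 or len(octets) > 16 or len(octets) < (plen + 7) // 8:
        raise ValueError("prefix-length and prefix octets disagree")
    addr = ipaddress.IPv6Address(bytes(octets).ljust(16, b"\x00"))
    return f"{reserved}/{plen}/{addr}"
```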
Login-IPv6-Host

This attribute indicates the system that the user will connect to when Service-Type is defined as Login. You can also specify a valid hostname for this attribute, if that hostname is configured in the clients file.

Example 33-4 Examples of Login-IPv6-Host Attribute Syntax

fedc:ba98:7654:3210
12ab::4871
2222::4
hostname.domain.com

CAUTION: A value of 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF in the Login-IPv6-Host indicates that the RADIUS clients (NAS) must allow the user to select an address or name of the server to be connected to. A value of 0x0 in the Login-IPv6-Host indicates that the RADIUS clients (NAS) must select an address or the name of the server the user has to be connected to. HP recommends that you set the value of Login-IPv6-Host keeping the above considerations in mind.

Framed-IPv6-Route

This attribute provides routing information to be configured for the user on the NAS.

Example 33-5 Example of Framed-IPv6-Route Attribute Syntax

12ab::cd30:0:0:0:0/64 fedc:ba98:7654:3210:fedc:ba98:7654:3210 1

NOTE: The format of the Framed-IPv6-Route attribute must contain a destination prefix optionally followed by a slash and a decimal length that specifies how many high-order bits of the prefix to use. This is followed by a space, a gateway address, a space, and one or more metrics (encoded in decimal) separated by spaces.

Framed-IPv6-Pool

This attribute is sent by the AAA server to the NAS and contains the name of an assigned pool that must be used to assign an IPv6 address for the user. The pool is a string attribute sent to the NAS. This value is returned to the NAS. The NAS then handles the IPv6 prefix allocation based on the value returned. If a NAS does not support multiple address pools, the NAS must ignore this attribute.

Example 33-6 Examples of Framed-IPv6-Pool Attribute Syntax

Pool1
UserPool
With Tunneling

When the AAA server receives an Access-Request from a client that matches the user, fred-eng, it will first attempt to match the password to the User-Password attribute value in the request and then will check the request for a tunnel hint. If the password does not match, or there is no hint for medium type or the hint does not specify the IP address type, the server will respond with an Access-Reject; otherwise, the server will return the listed tunneling attribute values to the client.

fred-eng Password = "laser", Tunnel-Medium-Type = IPv4
    Tunnel-Type = PPTP,
    Tunnel-Medium-Type = IPv4,
    Tunnel-Client-Endpoint = 192.168.127.1,
    Tunnel-Server-Endpoint = 192.155.111.1,
    Tunnel-Password = Michigan,
    Tunnel-Private-Group-ID = engineering,
    Tunnel-Assignment-ID = management,
    Tunnel-Preference = first,
    Tunnel-Client-Auth-ID = NET,
    Tunnel-Server-Auth-ID = Michigan,
    Tunnel-Type = L2TP

Attribute tags are used in the next example. If the password does not match, or there is no hint for medium type or the hint does not specify the IP address type, the server will respond with an Access-Reject; otherwise, the server will return the listed tunneling attribute values to the client. Because the tunnels tagged with 1 are defined first, the client will establish a tunnel according to those attributes, unless the client cannot use the PPTP protocol; in that case the attributes tagged with 2 will be used instead.

fred-eng Password="laser", Tunnel-Medium-Type = IPv4
    Tunnel-Type =:1:PPTP,
    Tunnel-Medium-Type =:1:IPv4,
    Tunnel-Client-Endpoint =:1:192.168.127.1,
    Tunnel-Server-Endpoint =:1:192.155.111.1,
    Tunnel-Password =:1:Michigan,
    Tunnel-Private-Group-ID =:1:engineering,
    Tunnel-Assignment-ID =:1:management,
    Tunnel-Preference =:1:first,
    Tunnel-Client-Auth-ID =:1:NET,
    Tunnel-Server-Auth-ID =:1:Michigan,
    Tunnel-Type =:2:L2TP,
    Tunnel-Medium-Type =:2:IPv4,
    Tunnel-Client-Endpoint =:2:192.168.127.1,
    Tunnel-Server-Endpoint =:2:192.170.130.1,
    Tunnel-Password =:2:California,
    Tunnel-Private-Group-ID =:2:engineering,
    Tunnel-Assignment-ID =:2:management,
    Tunnel-Preference =:2:second,
    Tunnel-Client-Auth-ID =:2:NET,
    Tunnel-Server-Auth-ID =:2:California
The dictionary File

The dictionary file lists dictionary translations that the server uses to parse incoming requests and generate outgoing responses. All transactions are composed of Attribute-Value (A-V) pairs. See Chapter 34: “Attribute-Value Pairs” (page 546) for information about the data format of A-V pairs in RADIUS messages.

IMPORTANT: Configuration files have a maximum input line length of 255 characters. No checking is done to ensure that a configuration statement has not exceeded this limit. All configuration files must end with a new line.

You can track different versions of the dictionary file by adding the following line to the file:

%DICTID Version-String

Version-String is the version information. This string will appear in radcheck output.
Attribute Entries

Below is the syntax of Dictionary Attribute entries:

ATTRIBUTE attribute-name integer-encoding type pruning

NOTE: Vendor-specific attribute identifier strings are defined in the vendors file and can be used in place of the default string ATTRIBUTE. For more information, see “Syntax of a vendors File” (page 538).

attribute-name      Replaced with the unique name of an attribute.
integer-encoding    Replaced with the actual attribute number code used in the A-V pair data format.
type                Replaced with one of the following data types for the attribute:
                    • octet: 8-bit unsigned integer value
                    • short: 16-bit unsigned integer value
                    • integer: 32-bit value in big-endian order (high byte first)
                    • date: 32-bit value in big-endian order (seconds since 00:00:00 GMT, Jan. 1, 1970)
                    • octets: 0-253 undistinguished octets
                    • abinary: 0-253 Ascend binary filter octets
                    • string: 0-253 octets
                    • vendor: 0-253 octets with octets 0-3 representing the IANA number
                    • ipaddr: 4 octets in network byte order
                    • ipv6addr: 16 octets in network byte order (used for IPv6 attributes)
                    • ipv6prefix: 4-20 octets (used for IPv6 attributes)
                    • ifid: 8 undistinguished octets (used for IPv6 attributes)
                    • tag-int: single octet followed by three octets of integer value (used for tunneling attributes)
                    • tag-string: single octet followed by 0-252 octets (used for tunneling attributes)
pruning             May be replaced with an optional expression that controls three server features:
                    • whether the attribute is ever sent to the NAS
                    • whether or not the attribute may be logged
                    • encapsulation, if used, for vendor-specific attributes
Pruning Expressions

Pruning is a feature that allows the server to remove A-V pairs from an Access-Accept, Access-Reject, or Access-Challenge message before sending the message to a client that has been configured for pruning in the clients file; see “The clients File” (page 526). The pruning to apply is defined by pruning expressions in the dictionary's attribute entries. These optional expressions are defined in an attribute entry as follows:

(ack, nak, chall, {NOLOG | ENCAPS | NOENCAPS | CONFIG | INTERNAL})

NOTE: If any value is omitted, but the comma is present for that value, that value will use its default. If the expression is omitted, all values use their defaults.

ack, nak, chall     Determine how many instances of the attribute may be added to an Access-Accept (ack), an Access-Reject (nak), or an Access-Challenge (chall) reply. They can be specified as one of the following values:
                    • 0: no attributes of this kind are part of the final reply. This is the default value.
                    • 1: at most one attribute of this kind can be part of the final reply.
                    • *: any number of attributes of this kind can be part of the final reply.

NOTE: Since the default values for ack, nak, and chall are 0, added vendor-specific attributes will not be returned to the NAS in any replies if you do not include a pruning expression.

{NOLOG | ENCAPS | NOENCAPS | CONFIG | INTERNAL} define how the server reacts to the attribute:
• NOLOG: the attribute will not be added to the logfile or session logs.
• ENCAPS (or ENCAPSULATE): the attribute will be encapsulated in the vendor-specific attribute, regardless of the vendor. This is the default value.
• NOENCAPS: the attribute will not be encapsulated within the vendor-specific attribute.
• CONFIG: the attribute is a configuration item.
• INTERNAL: the attribute is internal to the server and will be removed from incoming and outgoing RADIUS messages.

NOTE: The ENCAPS and NOENCAPS keywords are mutually exclusive. If you specify both, only the last one will apply. CONFIG is mutually exclusive with NOLOG, ENCAPS, NOENCAPS, and INTERNAL.

Examples:

ATTRIBUTE Framed-Protocol 7 integer (1, 0, 0)
ATTRIBUTE User-Realm 223 string (*, 0, 0, NOENCAPS)

#
# Interlink Networks Vendor Specific Extensions
#
Interlink.Attr Address-Pool 1 string (0,0,0,INTERNAL)
Interlink.Attr Date-Time 2 string (0,0,0,INTERNAL)
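An added Python example, not HP-UX AAA Server code, that reads ATTRIBUTE entries like the ones above and applies their pruning expressions to a reply and to a log record. Treating any Vendor.Attr token as a vendor attribute-string, and the sample dictionary itself, are assumptions.

```python
"""Dictionary pruning expressions: parse ATTRIBUTE entries and apply them.

Added example, not HP-UX AAA Server code.  Documented rules implemented:
ack/nak/chall default to 0, '1' keeps at most one instance, '*' keeps all,
an empty field before a comma keeps its default, ENCAPS is the default flag and
the last of ENCAPS/NOENCAPS wins, INTERNAL attributes never leave the server,
and NOLOG attributes are kept out of log records.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

_PRUNE_RE = re.compile(r"\(([^)]*)\)")

# Constructed sample: the manual's own entries plus User-Name, Class and a VALUE line.
SAMPLE_DICTIONARY = """\
ATTRIBUTE User-Name 1 string
ATTRIBUTE Framed-Protocol 7 integer (1, 0, 0)
ATTRIBUTE Class 25 string (*, , , NOLOG)
ATTRIBUTE User-Realm 223 string (*, 0, 0, NOENCAPS)
#
# Interlink Networks Vendor Specific Extensions
#
Interlink.Attr Address-Pool 1 string (0,0,0,INTERNAL)
VALUE Framed-Protocol PPP 1
"""


@dataclass
class AttrEntry:
    name: str
    code: int
    type: str
    vendor: Optional[str] = None     # set when a Vendor.Attr string was used
    limits: Dict[str, str] = field(
        default_factory=lambda: {"ack": "0", "nak": "0", "chall": "0"})
    flags: Set[str] = field(default_factory=set)


def parse_dictionary(text: str) -> Dict[str, AttrEntry]:
    """Return {attribute-name: AttrEntry}.  Assumption: besides ATTRIBUTE, a
    first token of the form Vendor.Attr (from the vendors file) starts an
    attribute entry; VALUE lines and comments are skipped."""
    entries: Dict[str, AttrEntry] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        expr = _PRUNE_RE.search(line)
        fields = (line[: expr.start()] if expr else line).split()
        if len(fields) != 4:
            continue
        keyword = fields[0].rsplit(".", 1)[-1]
        vendor = fields[0].split(".", 1)[0] if "." in fields[0] else None
        if keyword.upper() not in ("ATTRIBUTE", "ATTR"):
            continue
        entry = AttrEntry(fields[1], int(fields[2]), fields[3], vendor)
        if expr:
            parts = [p.strip() for p in expr.group(1).split(",")]
            for key, val in zip(("ack", "nak", "chall"), parts):
                if val:                      # empty field keeps its default
                    entry.limits[key] = val
            for flag in parts[3:]:
                flag = flag.upper().replace("ENCAPSULATE", "ENCAPS")
                if flag in ("ENCAPS", "NOENCAPS"):   # last one applies
                    entry.flags -= {"ENCAPS", "NOENCAPS"}
                if flag:
                    entry.flags.add(flag)
        if not entry.flags & {"NOENCAPS", "CONFIG"}:
            entry.flags.add("ENCAPS")        # documented default
        entries[entry.name] = entry
    return entries


Pair = Tuple[str, str]


def prune_reply(entries: Dict[str, AttrEntry], reply: str,
                pairs: List[Pair]) -> List[Pair]:
    """Keep the A-V pairs the dictionary allows in an 'ack', 'nak' or 'chall'
    reply, preserving order.  Unknown and INTERNAL attributes are removed."""
    seen: Dict[str, int] = {}
    kept: List[Pair] = []
    for name, value in pairs:
        entry = entries.get(name)
        if entry is None or "INTERNAL" in entry.flags:
            continue
        seen[name] = seen.get(name, 0) + 1
        limit = entry.limits[reply]
        if limit == "*" or seen[name] <= int(limit):
            kept.append((name, value))
    return kept


def loggable(entries: Dict[str, AttrEntry], pairs: List[Pair]) -> List[Pair]:
    """Drop NOLOG attributes before a logfile or session log record is written."""
    return [(n, v) for n, v in pairs
            if n in entries and "NOLOG" not in entries[n].flags]
```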
Value Entries

Syntax of Dictionary Value entries is shown below:

VALUE attribute-name value-name integer-encoding

NOTE: Vendor-specific value identifier strings are defined in the vendors file and may be used in place of the default string VALUE. For more information, see “Syntax of a vendors File” (page 538).

attribute-name      is replaced by the name of the attribute that this value is associated with.
value-name          is replaced by the name of the value.
integer-encoding    is replaced with the actual value code used in the A-V pair data format.

Examples

# Framed Protocol Values
VALUE Framed-Protocol PPP 1
VALUE Framed-Protocol SLIP 2
VALUE Framed-Protocol ARA 3
VALUE Framed-Protocol Gandalf 4
VALUE Framed-Protocol Xylogics 5

# LAS Session Termination Code Values
Merit.VALUE LAS-Code LAS-Normal 0
Merit.VALUE LAS-Code LAS-Reject 1
Merit.VALUE LAS-Code LAS-Cancel 2
Merit.VALUE LAS-Code LAS-Noconfirm 3
Merit.VALUE LAS-Code LAS-Overtime 4
Merit.VALUE LAS-Code LAS-Unknown 5
Merit.VALUE LAS-Code LAS-Notoken 6
Merit.VALUE LAS-Code LAS-Notlocal 7
Merit.VALUE LAS-Code LAS-Suspend 8
Merit.VALUE LAS-Code LAS-Failed 9
Merit.VALUE LAS-Code LAS-Authorized 10
Merit.VALUE LAS-Code LAS-NASreboot 11
Merit.VALUE LAS-Code LAS-Remote 12
Merit.VALUE LAS-Code LAS-Duplicate 13
Merit.VALUE LAS-Code LAS-Collision 14
Merit.VALUE LAS-Code LAS-Stop 15
The las.conf File

The las.conf file contains a list of configuration items for the Local Authorization Server (LAS) that controls realm-based authentication. These items are organized into several sections. There are configuration sections for realms, token pools, and generic LAS configuration items. These sections do not have to maintain a particular order; however, you must define an item (a token pool, for example) before it can be referenced.

CAUTION: You need to edit the las.conf file by adding a realm entry only if you wish to include token pools, or define session timing parameters. Token pools and session timing parameters are not configurable through the Server Manager graphic interface. When defining realm attributes in the Server Manager graphic interface, the Session Tracking radio buttons automatically add or remove a realm las.conf entry. If you add a realm entry by editing this file directly, and then select the No Session Tracking radio button in the Server Manager, and save the change, the las.conf realm entry will be deleted.

IMPORTANT: Configuration files have a maximum input line length of 255 characters. No checking is done to ensure that a configuration statement has not exceeded this limit. In addition, all configuration files must end with a new line character.
LAS Session Timing Parameters

You can override the default times for built-in parameters related to session timing. Table 33-2 lists the default LAS session timing parameters.

Table 33-2 Default LAS Session Timing Parameters

Parameter               Default                                   Description
Session-Hold-Time       45 seconds                                Tells LAS how long to wait for an Accounting-Start message from the NAS. After the specified number of seconds, a session is moved into not-confirmed state, in which it is not counted as a simultaneous session. This parameter is only used for Hunt-groups.
Session-Kill-Time       300 seconds (5 minutes)                   Tells LAS when to remove a session when it is in the Not-Confirmed, Disconnected, Rejected, Collided, or Rebooted state.
Session-Check-Time      300 seconds (5 minutes)                   States the time interval to check the session table.
Session-Clear-Time      172800 seconds (48 hours)                 Tells when to remove a session when it is in a suspended state.
Session-Idle-Time       915 seconds (15 minutes and 15 seconds)   Tells the LASCP Authentication/Authorization Travel Vector (AATV) how long to wait for checkpoint messages before suspending a session.
Session-Table-Limit     2147483647 sessions (maximum allowed)     States the maximum number of sessions that can be held in the Session Table. When this number is met, authentication requests that would normally result in a new session are ignored.
Session-Update-Time     5 seconds                                 Specifies how often the status of sessions is to be updated.
Token-Hold-Adjustment   5 seconds                                 Specifies how long a token may be held after a session is accepted yet no confirmation is received after the request is released by the engine. A token may be held up to hold time (<30 seconds) plus Token-Hold-Adjustment.
Auto-Save               300 seconds (5 minutes)                   Specifies the interval for the LAS to save the session table if there is any change.
Token Pool Configuration

This section lists the token pools, and the number of tokens for each token pool. Token pools are used for limiting the total number of simultaneous sessions for a given realm. Below is the syntax of a token pool configuration:

Tokenpool token-pool-Name number-of-tokens
. . .
End-Tokenpool

token-pool-Name     Name of the token pool.
number-of-tokens    Number of tokens in the token pool.

Example

Tokenpool Sample-pool 4
End-Tokenpool

Realm Configuration

This section lists realms by name and, optionally, any services, token pools or any custom AATV support for a realm. A realm entry in las.conf is required to perform session tracking. The default server behavior is to log accounting messages locally, whether the server processes Access-Request messages locally or sends them to a proxy server. If a realm entry exists in the las.conf file, the server will send accounting messages to the remote server that processed the authentication for the corresponding user. The las.conf realm entries must have corresponding realm entries in the Server Manager’s Define Realm screen, which can be accessed through the Local Realms link on the Server Manager.

Syntax of Realm configuration

Realm realm-name
    Authorization LAS-authorization-AATV
    Accounting LAS-accounting-AATV
    Service number-of-services
        service-name
        service-name
        . . .
    End-Service
    Tokenpool number-of-tokenpools
        Token-pool-name max-number-of-tokens
        Token-pool-name max-number-of-tokens
        . . .
    End-Tokenpool
End-Realm

Realm               defines a name for the realm.
Authorization       specifies the AATV for performing authorization. The default is LASGEN.
Accounting          specifies the AATV to use for user accounting. The default is GENACCT.
Service             specifies the number of services supported by the realm and lists the names of the defined services to support.
Tokenpool           specifies the token pools supported by the realm and lists the token pools by following the syntax: Token-pool-name max-number-of-tokens
                    • A Token-pool-name is the name of a defined token pool.
                    • max-number-of-tokens specifies how many tokens a realm may use.
The vendors File

The vendors file contains a list of vendor entries. Each vendor entry contains a vendor name and vendor number. The vendor numbers are SMI Network Management Private Enterprise Code numbers, as managed by the Internet Assigned Numbers Authority (IANA). Each entry optionally contains an interim way of mapping external (with respect to the RADIUS server) attribute numbers to internal (with respect to the RADIUS server) vendor-specific attributes. This optional mapping is used on RADIUS requests and responses.

IMPORTANT: Configuration files have a maximum input line length of 255 characters. No checking is done to ensure that a configuration statement has not exceeded this limit. All configuration files must end with a new line character.

You can track different versions of the vendors file by adding the following line to the file:

%VENDORSID Version-String

Version-String is the version information. This string will appear in radcheck output.

Syntax of a vendors File

Below is the syntax of a vendors file:

attribute-string value-string vendor-code vendor-name (standard-value vendor-specific-value ...)

attribute-string        An optional string that defaults to Attribute when not specified. Non-default strings can be used to specify vendor-specific attributes in the dictionary file.
value-string            An optional string that defaults to Value when not specified. Non-default strings can be used to specify vendor-specific values in the dictionary file.
vendor-code             The private enterprise number assigned by IANA.
vendor-name             The vendor name that can appear in the clients file as a type=vendor:nas entry, or in the dictionary and users files in vendor-specific attribute names.
standard-value          The external or common attribute number in RADIUS requests on the network.
vendor-specific-value   The internal attribute number.

The standard-value and vendor-specific-value fields are optional and can be repeated any number of times. When used, the list of standard and vendor values is enclosed in parentheses. These values are used to map attributes from the common attribute space defined in the RADIUS RFC to internal non-conflicting vendor-specific attributes. These fields address the issue that occurs when a vendor has assigned vendor-specific attributes in the standard attribute address space. Listed below is an example entry:

61 Merit ( 211 211 213 213 )
The log.config File

The log.config file specifies configuration information for session logging in the server. Session logging configuration allows users to define multiple logging streams, which can be used with sophisticated FSM tables. For most applications, you need to configure only the default stream. Configuration of any stream (including the default stream) allows some control over the following:
• Format
• Frequency of switching a stream from one file to another
• Location of the session log file
• Name of the file

Syntax of a Stream Entry

The stream is configured through one or more sub-commands that follow the first line of the entry. Listed below is the syntax of a stream entry in the log.config file:

stream name {
    aatv AATV_NAME
    aatv-value integer
    alias alternate_stream
    filename string
    buffer integer
    chmod {octal|{ugo}{+-}{rw}}
    close {on|off}
    dont attribute attribute . . .
    {gmt|local}
    join joined_stream
    header {none|type|full}
    on-endfile command
    path pathname
    update seconds
    wrap integer
}
end
name            Identifies the stream.
aatv            Specifies one of the following AATVs to use for logging:
                • LOG_ACCT (Livingston/Lucent/RABU style call detail format, default)
                • LOG_ALL (logs all streams defined in log.config)
                • LOG_BRIEF (simple session format)
                • LOG_BY_ATTRIBUTE (logging based on a user-specified attribute in the radius.fsm file)
                • LOG_BY_NAS (logging based on the NAS-Identifier attribute)
                • LOG_BY_REALM (logging based on the User-Realm attribute)
                • LOG_TACACS+ (Cisco Terminal Access Controller Access Control System + (TACACS+) accounting record format)
                • LOG_V1_1 (previous version of Merit logging)
                • LOG_V2_0 (Merit logging)
alias           Specifies another stream name to record when this stream is logged.
filename        Defines the naming convention for accounting log files and the frequency that a new time-stamped file is generated. This parameter follows the same format as the strftime command. A new time-stamped file will be generated according to the shortest unit of time indicated by the parameter. For example, file.%Y-%m-%d.extension will generate a new file each day, and file.%Y-%m-%d-%H.extension will generate a new file each hour.
buffer          Indicates how many records must be buffered before they are written to the log file.
chmod           Defines permissions for the file.
close           Determines whether the log file must be closed after records are written to it.
dont            A list of attributes that must not be recorded.
{gmt|local}     These keywords determine what time to use for time stamps.
join            Merges this stream with the specified stream.
header          Determines the information that must appear in the beginning of the log file before the list of log records.
on-endfile      Shells the specified command or program when a new log file is generated.
path            Specifies an alternate location for log files.
update          Determines how often the log file must be updated.
wrap            Determines how many attributes will appear on each line of the session record.

Default Entry

The stream entry identified with the name *default* will be used when LOG is invoked by the FSM without an Xstring parameter.

End Entry

The one-keyword end entry tells the session logging subsystem to stop reading the configuration file, allowing subsequent text to be ignored.

Logging Multiple Streams

To log multiple streams you must define a default stream with the aatv sub-command set to LOG_ALL. When you specify a log.config default entry with this sub-command, all other streams defined in the log.config file will also generate session logs.

Values Logged by Default

The default LOG_V2_0 value used for session logs records the information listed in Table 33-3.
Table 33-3 Information Recorded by LOG_V2_0

Field   Type                                  Value                 Description
1       seconds since midnight Jan. 1, 1970   LAS_start_time        Start of session, as calculated by the LAS.
2       integer                               LAS_code              LAS termination code.
3       duration in seconds                   local_duration        Duration, as best calculated by the directly connected NAS server.
4       seconds, relative to LAS_start_time   now                   Time when the record is logged by this system.
5       duration in seconds                   LAS_duration          Duration, as best calculated by the LAS.
6       string                                accessID              The (corrected) access ID, user@realm.
7       string                                reserved              reserved
8       quoted_string                         sessionID             Session ID, found in the Class attribute.
9       string                                token_pool            Token Pool name, found in the attribute Token.
10      duration in seconds                   session_timeout       Session time (duration) limit.
11      string / integer                      NAS_ID or NAS_port    NAS-Identifier or NAS-Port attribute value.
12      string                                service_class         Service-Class attribute value.
13      string                                filter
14      string[/string[/string]]              service_type          Service-Type followed by additional fields separated by a ‘/’, depending on Service-Type. If Framed, the other fields (if present) are: Framed-Protocol, Framed-IP-Address, Framed-IPv6-Prefix, Framed-Interface-Id. If Login, the other fields (if present) are: Login-Service-Type, Login-IP-Host or Login-IPv6-Host, Login-TCP-Port.

For a complete description of the session log format and recorded values, see Chapter 12: “Logging and Monitoring” (page 142).
Examples

The following examples illustrate some basic session log configurations.

Livingston Call Detail Record (CDR) Format

By specifying log_acct for aatv, LOG will generate CDRs in a single flat file. Following is the syntax:

stream *default* {
    aatv log_acct
    buffer 1
    close on
    filename session.%Y-%m-%d.log
    update 900
    wrap 3
}
end

Multiple Logging Streams

By specifying log_all for aatv, LOG will generate a record for each stream defined in the log.config file (before the end keyword). Following is the syntax:

stream *default*
    aatv log_all
stream old {
    aatv log_v1_1
    buffer 1
    close on
    filename record.%y%m%d.las
}
stream new {
    aatv log_v2_0
    aatv-value 7
    buffer 1
    close on
    filename recordv2.%y%m%d.las
}
end

Logging Based on Attributes

This sample aatv logs all accounting request logs for yourorg.com in the yourorg.%Y%M.log file and the rest of the accounting requests in the realm.%Y%M.log file. This stream configuration for logging is based on log_by_realm. The log_by_realm AATV searches for the User-Realm attribute. Following is the syntax:

stream *default* {
    aatv LOG_BY_REALM
    buffer 1
    close on
    filename session.%Y-%m-%d.log
    update 900
    wrap 3
}
stream User-Realm::*default* {
    aatv log_acct
    buffer 1
    close on
    filename realm.%Y%M.log
    update 900
    wrap 3
}
stream User-Realm::yourorg.com {
    aatv log_acct
    buffer 1
    close on
    filename yourorg.%Y%M.log
    update 1
    wrap 3
}
end

Accounting Log Based on Attribute Value

You can write accounting logs to different log files, based on the RADIUS attribute value in the RADIUS Accounting-Request. To write accounting logs to a different log file, you must modify the /etc/opt/aaa/log.config and /etc/opt/aaa/radius.fsm files. To write accounting logs to different log files, complete the following steps:

1. Modify the /etc/opt/aaa/log.config file by replacing the following code:

stream *default* {
    aatv log_v2_0
    buffer 1
    close on
    filename session.%Y-%m-%d.log
    update 900
    wrap 3
}
end

with the code shown below:

# log_by_attribute logging configuration
#
stream *default* {
    aatv LOG_BY_ATTRIBUTE
}
stream Called-Station-Id::*default* {
    aatv log_acct
    buffer 1
    close on
    filename logotherattr.%Y-%m-%d.log
    update 900
    wrap 3
}
stream Called-Station-Id::12345 {
    aatv log_acct
    buffer 1
    close on
    filename logbyattr.%Y-%m-%d.log
    update 900
    wrap 3
}
end

2. Modify the radius.fsm file by changing all the lines in Acctlog that reference the LOG AATV, as in the following:

*.*.ACCT_START LOG_BY_ATTRIBUTE ReplyHold xstring="Called-Station-Id"
*.*.ACCT_STOP LOG_BY_ATTRIBUTE ReplyHold xstring="Called-Station-Id"

3. HUP or stop and start the server.

4. Send an accounting Start and/or Stop request with the Called-Station-Id attribute. You can now see the following file: /var/opt/aaa/acct/logbyattr.2005-05-16.log

5. Send an accounting Start and/or Stop request without the Called-Station-Id attribute.

Example of an accounting start message:

radpwtst -c 4 -s localhost -u ppp -i 1.1.1.1 -l 4 -:Acct-Status-Type=Start -:Called-Station-Id=12345 -w password test_user

Example of an accounting stop message:

radpwtst -c 4 -s localhost -u ppp -i 1.1.1.1 -l 4 -:Acct-Status-Type=Stop -:Called-Station-Id=12345 -w password test_user

You can now see the following file: /var/opt/aaa/acct/logotherattr.2005-05-16.log
Changing the Accounting Log Rollover Interval
The log rollover interval (how often a new log file is created to store accounting records) is determined by the timestamp portion of the filename. To change the interval, follow the steps described in “Changing the Accounting Log Filename” (page 150). The logging interval will change to the finest unit of time in the timestamp portion of the filename. For example, %Y-%m-%d-%H will change the rollover interval to hourly.
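The stream grammar of the preceding examples and the finest-unit rollover rule, as an added Python example (not HP's code): it tokenises log.config stream blocks as written in this chapter, extracts the attribute selector from names such as Called-Station-Id::12345, and derives each stream's rollover interval from the filename's strftime conversions. The grammar it accepts is inferred from the examples shown and is an assumption, not the product's own parser; %M is treated as minutes, as in standard strftime.

```python
"""Parse log.config stream blocks and derive each stream's rollover interval.

Added example; not code from the HP-UX AAA Server. The grammar accepted here
is inferred from the stream examples in this chapter and is an assumption,
not the product's own parser. Filename timestamps are read as standard
strftime conversions (so %M means minutes, %m means months).
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Finest-unit rule from "Changing the Accounting Log Rollover Interval": the
# interval equals the finest unit of time present in the filename pattern.
_UNIT_OF = {"Y": "yearly", "y": "yearly",
            "m": "monthly", "b": "monthly", "B": "monthly",
            "d": "daily", "j": "daily", "a": "daily", "A": "daily",
            "H": "hourly", "I": "hourly",
            "M": "per-minute", "S": "per-second"}
_FINENESS = ["yearly", "monthly", "daily", "hourly", "per-minute", "per-second"]

# Every directive seen in this chapter takes exactly one value token.
_DIRECTIVES = {"aatv", "aatv-value", "buffer", "close", "filename", "update", "wrap"}


def rollover_interval(filename: str) -> str:
    """'daily' for session.%Y-%m-%d.log, 'hourly' for %Y-%m-%d-%H, 'never' without a timestamp."""
    units = [_UNIT_OF[c] for c in re.findall(r"%(.)", filename) if c in _UNIT_OF]
    return max(units, key=_FINENESS.index) if units else "never"


@dataclass
class Stream:
    name: str
    settings: Dict[str, str] = field(default_factory=dict)

    def selector(self) -> Optional[Tuple[str, str]]:
        """('User-Realm', 'yourorg.com') for 'User-Realm::yourorg.com'; None otherwise."""
        if "::" not in self.name:
            return None
        attr, value = self.name.split("::", 1)
        return attr, value


def parse_log_config(text: str) -> List[Stream]:
    """Tokenise a log.config fragment into Stream objects, stopping at 'end'."""
    body = "\n".join(ln for ln in text.splitlines() if not ln.lstrip().startswith("#"))
    tokens = body.split()
    streams: List[Stream] = []
    current: Optional[Stream] = None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        low = tok.lower()
        if low == "end":
            return streams
        if low == "stream":
            current = Stream(tokens[i + 1])       # braces are optional (see the log_all example)
            streams.append(current)
            i += 2
        elif tok in ("{", "}"):
            i += 1
        elif low in _DIRECTIVES and current is not None:
            current.settings[low] = tokens[i + 1]
            i += 2
        else:
            raise ValueError(f"unexpected token {tok!r} at position {i}")
    raise ValueError("log.config fragment has no 'end' keyword")


def summarize(text: str) -> Dict[str, dict]:
    """Per stream: selector, filename, rollover interval, update and wrap values."""
    out: Dict[str, dict] = {}
    for s in parse_log_config(text):
        fname = s.settings.get("filename")
        out[s.name] = {
            "selector": s.selector(),
            "filename": fname,
            "rollover": rollover_interval(fname) if fname else None,
            "update": int(s.settings["update"]) if "update" in s.settings else None,
            "wrap": int(s.settings["wrap"]) if "wrap" in s.settings else None,
        }
    return out


# The log_by_attribute configuration from this chapter, used as sample input.
SAMPLE = """
# log_by_attribute logging configuration
#
stream *default* { aatv LOG_BY_ATTRIBUTE }
stream Called-Station-Id::*default* { aatv log_acct buffer 1 close on
    filename logotherattr.%Y-%m-%d.log update 900 wrap 3 }
stream Called-Station-Id::12345 { aatv log_acct buffer 1 close on
    filename logbyattr.%Y-%m-%d.log update 900 wrap 3 }
end
"""

if __name__ == "__main__":
    for name, info in summarize(SAMPLE).items():
        print(name, info)
```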
34 Attribute-Value Pairs
The RADIUS protocol defines things in terms of attributes. Each attribute may take on one of a set of values. When a RADIUS packet is exchanged among clients and servers, one or more attributes and values are sent pairwise as an Attribute-Value pair (A-V pair). For the HP-UX AAA Server software, all valid attributes and values are listed in the dictionary file.

This chapter organizes the attributes by the information and data that they contain and the functions they perform, including the following:
• Check and deny items to define simple policy for authorization
• Reply items to configure the user’s session for authorization
• Accounting attributes that store usage information in logged accounting records
• Configuration attributes that are used in a user profile to implement built-in HP-UX AAA Server features
• Session attributes that appear in the HP-UX AAA Server binary session files
Specifying Attribute-Value Pairs
Attribute names and their enumerated value names are defined in the dictionary file. When specifying attribute values in configuration files, you must have a space before the equal to (=) or not equal to (!=) operator. A list of A-V pairs may be delimited by commas, white space, or both.
Attribute-Value Formats
The attribute values (to the right of the equal sign) can take on any of the supported, legal values described in the dictionary file. The attributes and their corresponding values are defined to be one of the following types: IP address, ipv6prefix, ipv6addr, ifid, string, vendor, tag string, tag integer, date, integer, octet, and short values.
• The string values must be surrounded by the double quote (") character if they contain spaces; otherwise, the quotation marks are optional. These values are limited to a maximum of 253 characters.
• LDAP policy and decision files cannot handle tag string and tag integer values.
• The IPv4 address values can use the common dotted-quad notation.
• The IPv6 address values can use the colon or double-colon (::) notation.
• The date values consist of a three-character month abbreviation (e.g., Jan, Feb, Mar), followed by the day, followed by the year expressed as four digits (e.g., 1998). Each field must be delimited by a space or hyphen (e.g., Jan 8 2002, Jan-21-2002).
• A-V pair lists must be delimited by white space. For readability you may use both a comma and white space as a delimiter.
Examples
The following examples are syntactically valid A-V pair lists:

    Password = "rock", Service-Type = "Framed", Comment = "This is OK"
    Password =rock Service-Type =Framed Comment ="This is OK"

The following examples are not syntactically valid A-V pair lists:

    Password="rock"Service-Type="Framed"Comment="This is not OK"
    Password= rock Service-Type= Framed Comment= This is not OK
Tagged Attributes
A RADIUS message can include multiple values for one or more attributes that are tagged to organize the attributes into defined groups. Depending on its capabilities, a client or server can selectively use one set of tagged attributes. For example, an Access-Accept can contain several different tunnel definitions. If it supports tagged attributes, the client can select the definition to use. Tagged attributes can be used as check or reply items.

Tagged attributes follow the syntax:

    Attribute=:Tag:Value

Attribute: The attribute to tag.
Tag: A unique integer (less than 32) that identifies what set this attribute belongs to.
Value: The attribute value.

For example, Tunnel-Type =:1:PPTP indicates an attribute value of PPTP that belongs to a larger set of attributes, all tagged with 1, that collectively define one type of tunnel that might be established for a user.
IMPORTANT: Some NASs do not support tagged attributes. HP recommends thatwhen you return multiple tunnel definitions to a client, you have at least one set ofattributes that is untagged or tagged with a 0 value, so that there is a tunnel definitionavailable to a client that does not support tags.
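The A-V pair syntax, the 253-character string limit, and the tagged-attribute form described above, as an added Python example (not the product's own parser): it accepts the valid example lists from this chapter and rejects the invalid ones. The regular expressions encode the stated rules and are an assumption about the exact grammar.

```python
"""Parser and validator for HP-UX AAA Server A-V pair lists.

Added example, not code from the HP-UX AAA Server product. It implements the
rules stated in this chapter: whitespace is required before '=' or '!=',
pairs are separated by commas and/or whitespace, strings containing spaces
must be double-quoted and are limited to 253 characters, and a tagged value
has the form :Tag:Value with Tag below 32. The regular expressions are an
assumption about the syntax, not the product's own grammar.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

MAX_STRING_LEN = 253   # "limited to a maximum of 253 characters"
MAX_TAG = 31           # "a unique integer (less than 32)"


@dataclass(frozen=True)
class AVPair:
    attribute: str
    op: str                    # "=" for check/reply items, "!=" for deny items
    value: str
    tag: Optional[int] = None  # set only for tagged attributes (=:Tag:Value)


_PAIR = re.compile(r"""
    (?P<attr>[A-Za-z][\w-]*)      # attribute name as written in the dictionary
    \s+                           # whitespace before the operator is mandatory
    (?P<op>!=|=)
    \s*                           # whitespace after the operator is optional
    (?P<val>"[^"]*"|[^\s,"]+)     # double-quoted string or a bare token
    """, re.VERBOSE)
_SEP = re.compile(r"[\s,]+")      # commas, whitespace, or both
_TAGGED = re.compile(r":(\d+):(.*)", re.DOTALL)


def parse_av_list(text: str) -> List[AVPair]:
    """Parse an A-V pair list; raise ValueError on any syntax violation."""
    pairs: List[AVPair] = []
    pos, end = 0, len(text)
    while True:
        sep = _SEP.match(text, pos)
        if sep:
            pos = sep.end()
        if pos >= end:
            break
        m = _PAIR.match(text, pos)
        if not m:
            raise ValueError(f"malformed A-V pair at offset {pos}: {text[pos:pos + 24]!r}")
        pos = m.end()
        if pos < end and not _SEP.match(text, pos):
            # e.g. Password="rock"Service-Type=... : pairs run together
            raise ValueError(f"missing delimiter after pair at offset {pos}")
        raw = m.group("val")
        value = raw[1:-1] if raw.startswith('"') else raw
        tag = None
        tagged = _TAGGED.fullmatch(value)
        if tagged:
            tag, value = int(tagged.group(1)), tagged.group(2)
            if tag > MAX_TAG:
                raise ValueError(f"tag {tag} must be less than 32")
        if len(value) > MAX_STRING_LEN:
            raise ValueError(f"value for {m.group('attr')} exceeds {MAX_STRING_LEN} characters")
        pairs.append(AVPair(m.group("attr"), m.group("op"), value, tag))
    return pairs


def is_valid_av_list(text: str) -> bool:
    """True when the text parses cleanly under the rules above."""
    try:
        parse_av_list(text)
        return True
    except ValueError:
        return False


def format_pair(pair: AVPair) -> str:
    """Render a pair in the spelling this chapter presents as valid."""
    if pair.tag is not None:
        return f"{pair.attribute} {pair.op}:{pair.tag}:{pair.value}"
    value = f'"{pair.value}"' if " " in pair.value else pair.value
    return f"{pair.attribute} {pair.op} {value}"


def deny_items(pairs: List[AVPair]) -> List[AVPair]:
    """Deny items are the pairs written with '!=' (see "Check (and Deny) Items")."""
    return [p for p in pairs if p.op == "!="]


if __name__ == "__main__":
    for sample in ('Password = "rock", Service-Type = "Framed", Comment = "This is OK"',
                   'Password="rock"Service-Type="Framed"Comment="This is not OK"',
                   'Tunnel-Type =:1:PPTP Tunnel-Medium-Type =:1:IPv4',
                   'Deny-Message = "*" NAS-Port != 3160'):
        print(sample, "->", parse_av_list(sample) if is_valid_av_list(sample) else "INVALID")
```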
Attributes in User Profiles
The following attributes can be used to establish the authorization rules for a user profile. Authorization determines the following:
• The services and network resources that the user can access
• The services that the user can access
• The time duration that the user can access the network
The attributes in a user profile may act as a configuration, check (and deny), or reply item. Some attributes may act as both check and reply items.
Configuration Attributes
You can add configuration attributes that are not directly supported by the Server Manager graphic interface. You can add configuration attributes through the Server Manager as a check item under the Free tab on the User Creation screen. For more information, see “Tabs on the Add Users Screen” (page 130).

Authentication-Type
    The authentication type is applied to a user just as it would be applied to a user belonging to a realm. Check and reply items in the user entry will be appended to any items used later in the authentication process.

Comment
    This attribute does not perform any server function. It allows you to provide any necessary explanation for the entry.

Deny-Message
    This attribute specifies a string that would be returned as a Reply-Message value to the user in the Access-Reject if any deny item for this user caused a rejection. You can configure a denial message (using the Free tab in the Check Item list box in the Server Manager) as follows:

        Deny-Message = "You can't do that." NAS-Port != 3160

    You can also use an asterisk wildcard:

        Deny-Message = "*" NAS-Port != 3160

    This wildcard string sends the following message indicating what deny item triggered the rejection:

        Access denied, NAS-Port != 3160

    IMPORTANT: The Deny-Message will only be returned if a deny item (Attribute != Value) comparison fails. It will not be returned if a check item fails.

Expiration
    In date format, specifies when an entry expires. After the date, the user will receive an Access-Reject with the message, “Password has expired,” in response to all Access-Requests. The correct syntax is as follows:

        Expiration = mth day year

    mth is the first three letters of the month. day is the two-digit date. year is the four-digit year. The following is an example of an Expiration check item:

        Expiration = Jan 31 2004

Group-Name
    Can be any string value. Unlike other configuration-only attributes, Group-Name initially appears in a user entry as a reply item and would be used as a check item in a policy definition by LDAP or a customized authentication method.

Password
    Specifies the value to compare to the User-Password attribute value in the Access-Request or the user's input in response to an Access-Challenge. The \ character must not be used.

    NOTE: The RADIUS protocol does not send clear text passwords. Passwords are encrypted with the client and server’s shared secret according to RFC 2865.

    To specify an encrypted password you must follow the syntax {Encrypt-type} Encrypted-password, where Encrypt-type is the method used to encrypt the password and Encrypted-password is the encrypted password. Encrypt-type can be specified as:
    • crypt
    • md5
    • x-nthash
    • x-lmhash

Server-Name
    The additional parameter, usually a DNS name or IP address, required to perform the specified authentication type.

User-Category
    Can be any string value. Unlike other configuration-only attributes, User-Category initially appears in a user entry as a reply item and would be used as a check item in a policy definition by LDAP or a customized authentication method.

Xvalue
    This attribute provides a means to pass an integer value to an action.

Xstring
    This attribute provides a means to pass a string value to an action.
Local Authorization Service (LAS) Configuration
Some configuration-only attributes define information for authorization through the server's LAS. To activate the features related to these attributes for users in a given realm, you must enable session tracking for the user’s realm. A NULL realm entry will still be required if the user does not belong to a realm. The Simultaneous-Use attribute can be used in a user entry for LAS functions.

Simultaneous-Use Attribute
This attribute’s value determines the maximum number of active sessions the user can have. The default is 1 (if the LAS is enabled for the user’s realm, but no Simultaneous-Use attribute value is specified for the user or the user’s realm). A value of -1 disables the feature, providing no limit to the number of simultaneous sessions for a user in a realm enabled to use the LAS.

NOTE: Simultaneous session control is based on the inner identity (realm) for tunneled-EAP authentications.

Attributes Concerning OTP Authentication
These attributes are used for configuring OTP authentication and customizing the feature to suit various deployments. For information on these attributes, see “Attributes for Configuring OTP Authentication” (page 192).
Check (and Deny) Items
A user entry can include check, configuration-only, and reply items to implement simple policy decisions. Check items are A-V pairs that are compared to pairs in a RADIUS Access-Request data packet. Reply items are A-V pairs that are included in an Access-Accept, Access-Challenge, or Access-Reject message to provide instruction to the NAS for authorizing the user.

There are two types of check items:
• Regular check items
• Deny items

A check item is used to authenticate a user by matching the attribute value in a request to the attribute value specified as a check item. A deny item is a regular attribute, identical to a check item, except that the value is matched as not equal (indicated by !=) rather than equal. In other words, a deny item causes an Access-Request to be rejected if the deny item's value matches the corresponding attribute value in the request.
IMPORTANT: The HP-UX AAA Server only compares a check item with the first valuethat appears for an attribute in an Access-Request. The server will disregard anyadditional instances of the same attribute in the request. This limitation also applies totagged attributes, like those used to establish VPN tunnels.
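The check item, deny item, Deny-Message and Expiration semantics described above, including the first-instance rule in the IMPORTANT note, as an added Python example (not the HP-UX AAA Server's own authorization logic). The evaluation order (Expiration first, then the items in profile order) is an assumption the page does not state; the profile and request values are constructed.

```python
"""Evaluate a user profile's check, deny and configuration items against an Access-Request.

Added example, not the HP-UX AAA Server's own authorization code. It models
the rules stated in this chapter: a check item (=) must match the request, a
deny item (!=) rejects when it matches, only the first instance of an
attribute in the request is compared, Deny-Message is returned only when a
deny item caused the rejection ("*" expands to "Access denied, <attr> !=
<value>"), and a past Expiration yields "Password has expired". Evaluation
order (Expiration first, then items in profile order) is an assumption.
"""
from datetime import date, datetime
from typing import Dict, List, Optional, Tuple

Item = Tuple[str, str, str]        # (attribute, operator, value) from the profile
Request = List[Tuple[str, str]]    # (attribute, value) pairs in packet order

# Configuration attributes listed under "Configuration Attributes". They steer
# the server rather than being compared as check items (Password belongs to
# authentication, which this example leaves out).
CONFIG_ONLY = {"Authentication-Type", "Comment", "Deny-Message", "Expiration",
               "Group-Name", "Password", "Server-Name", "User-Category",
               "Xvalue", "Xstring"}


def first_values(request: Request) -> Dict[str, str]:
    """Only the first value of each attribute is visible to check/deny comparison."""
    visible: Dict[str, str] = {}
    for attr, value in request:
        visible.setdefault(attr, value)
    return visible


def parse_expiration(text: str) -> date:
    """Expiration = mth day year, fields separated by spaces or hyphens."""
    for fmt in ("%b %d %Y", "%b-%d-%Y"):
        try:
            return datetime.strptime(text, fmt).date()
        except ValueError:
            continue
    raise ValueError(f"bad Expiration value: {text!r}")


def evaluate(check_items: List[Item], request: Request,
             today: date) -> Tuple[str, Optional[str]]:
    """Return (response type, Reply-Message text or None) for the request."""
    config = {attr: value for attr, _, value in check_items if attr in CONFIG_ONLY}
    visible = first_values(request)

    if "Expiration" in config and today > parse_expiration(config["Expiration"]):
        return "Access-Reject", "Password has expired"

    for attr, op, value in check_items:
        if attr in CONFIG_ONLY:
            continue
        if op == "=" and visible.get(attr) != value:
            return "Access-Reject", None          # failed check item: no Deny-Message
        if op == "!=" and visible.get(attr) == value:
            message = config.get("Deny-Message")
            if message == "*":                    # wildcard names the deny item that fired
                message = f"Access denied, {attr} != {value}"
            return "Access-Reject", message
    return "Access-Accept", None


# Constructed profile for the Deny-Message example in this chapter.
PROFILE: List[Item] = [("Deny-Message", "=", "*"),
                       ("NAS-Port", "!=", "3160"),
                       ("Service-Type", "=", "Framed")]

if __name__ == "__main__":
    print(evaluate(PROFILE, [("NAS-Port", "3160"), ("Service-Type", "Framed")], date.today()))
    print(evaluate(PROFILE, [("NAS-Port", "22"), ("NAS-Port", "3160"),
                             ("Service-Type", "Framed")], date.today()))
```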
Attributes Concerning the NAS

NAS-IP-Address
    This attribute indicates the identifying IPv4 address of the NAS which is requesting authentication of the user. Either the NAS-IP-Address, NAS-IPv6-Address, or the NAS-Identifier must be present in an Access-Request.

NAS-IPv6-Address
    This attribute indicates the identifying IPv6 address of the NAS which is requesting authentication of the user. This attribute must be unique to the NAS within the scope of the RADIUS server. Either the NAS-IP-Address, NAS-IPv6-Address, or NAS-Identifier must be present in an Access-Request.

NAS-Identifier
    This attribute contains a string identifying the NAS originating the Access-Request. Either the NAS-IP-Address, NAS-IPv6-Address, or the NAS-Identifier must be present in an Access-Request.

NAS-Port
    This attribute indicates the physical port number of the NAS which is authenticating the user.

    NOTE: NAS port refers to a physical connection on the NAS, not a TCP or UDP port number. If the NAS differentiates among its ports, either NAS-Port or NAS-Port-Type or both should be present in an Access-Request packet.

NAS-Port-Type
    This attribute indicates the type of the physical port of the NAS that is authenticating the user. It may appear in an Access-Request instead of or in addition to the NAS-Port attribute value. NAS-Port, NAS-Port-Type, or NAS-Port-Id should be present in an Access-Request packet if the NAS differentiates among its ports. Valid values for this attribute are:
    • Async
    • Sync
    • ISDN-Sync
    • ISDN-Async-V120
    • ISDN-Async-V110
    • Virtual

NAS-Port-Id
    This attribute is similar to the NAS-Port attribute in that it indicates the physical port number of the NAS that is authenticating the user. NAS-Port-Id contains a text string that identifies the port of the NAS that is authenticating the user. The text string is intended for use by NASs that cannot conveniently number their ports.

Policy Attributes
These attributes are useful while specifying policy group conditions or replies. For information on these attributes, see “Useful Attributes for Policy Conditions” (page 440).

Other Attributes

Called-Station-ID
    This attribute indicates where the user called to, using Dialed Number Identification Service (DNIS) or similar technology. Note that this may be different from the phone number the call comes in on.

Calling-Station-ID
    This attribute indicates where the user called from, using Automatic Number Identification (ANI) or similar technology.

Connect-Info
    This attribute is sent from the NAS to indicate the nature of the user's connection. The Connect-Info text field consists of UTF-8 encoded 10646 characters. The connection speed should be included at the beginning of the first Connect-Info attribute in the packet. If the transmit and receive connection speeds differ, they may both be included in the first attribute with the transmit speed first, a slash (/), then the receive speed. Optionally, other modem information may also be included. See the following examples:

        28800 V42BIS/LAPM
        52000/31200 V90

Day-Of-Week
    A string representing the day of the week (spelled out or three-letter abbreviation), or a number from 0 to 6, where 0 represents Sunday and 6 represents Saturday. This attribute is compared to the current system clock of the machine hosting the AAA server that is making the comparison.

Auth-Grace-Period
    The server will terminate a session after the Session-Timeout or the combined Authorization-Lifetime and Auth-Grace-Period value expires.
Reply Items
Table 34-1 identifies which reply item attributes may appear as a hint that could be checked by the server, and those that would not appear as a hint that could be checked.

Table 34-1 Reply Item Attributes

Attribute                 Reply Item   Check Item (Hint)
Acct-Interim-Interval     Yes          No
Callback-ID               Yes          No
Callback-Number           Yes          Yes
Configuration-Token       Yes          No
Filter-Id                 Yes          No
Framed-Compression        Yes          Yes
Framed-IP-Address         Yes          Yes
Framed-IPv6-Prefix        Yes          Yes
Framed-Interface-Id       Yes          Yes
Framed-IP-Network         Yes          Yes
Framed-IPX-Network        Yes          No
Framed-MTU                Yes          No
Framed-Pool               Yes          No
Framed-IPv6-Pool          Yes          No
Framed-Protocol           Yes          Yes
Framed-Route              Yes          No
Framed-IPv6-Route         Yes          No
Framed-Routing            Yes          No
Idle-Timeout              Yes          No
Login-IP-Host             Yes          No
Login-IPv6-Host           Yes          Yes
Login-LAT-Group           Yes          Yes
Login-LAT-Node            Yes          Yes
Login-LAT-Port            Yes          Yes
Login-LAT-Service         Yes          Yes
Login-Service             Yes          Yes
Login-TCP-Port            Yes          No
Port-Limit                Yes          Yes
Prompt                    Yes          No
Reply-If-Ack-Message      Yes          No
Reply-Message             Yes          No
Service-Type              Yes          Yes
Session-Timeout           Yes          No
Tunnel-Assignment-ID      Yes          No
Tunnel-Client-Auth-ID     Yes          Yes
Tunnel-Client-Endpoint    Yes          Yes
Tunnel-Medium-Type        Yes          Yes
Tunnel-Password           Yes          Yes
Tunnel-Preference         Yes          Yes
Tunnel-Private-Group-ID   Yes          Yes
Tunnel-Server-Auth-ID     Yes          Yes
Tunnel-Server-Endpoint    Yes          Yes
Tunnel-Type               Yes          Yes
General Attributes

Service-Type
    This attribute indicates a type of provided service. When used as a reply item, the server returns the value to the NAS as an instruction to determine the service to provide. When used as a check item, the server will reject an Access-Request that does not include a hint for the specified Service-Type. Valid values for this attribute are:
    • Login: The user should be connected to a host.
    • Framed: A Framed Protocol should be started for the user, such as PPP or SLIP.
    • Callback-Login: The user should be disconnected and called back and then connected to a host.
    • Callback-Framed: The user should be disconnected and called back and then a Framed Protocol should be started for the user, such as PPP or SLIP.
    • Outbound: The user should be granted access to outgoing devices.
    • Administrative: The user should be granted access to the administrative interface to the NAS from which privileged commands can be executed.
    • NAS-Prompt: The user should be provided a command prompt on the NAS from which non-privileged commands can be executed.
    • Authenticate-Only: Only authentication is requested, and no authorization information needs to be returned in the Access-Accept (typically used by proxy servers rather than the NAS itself).
    • Callback-NAS-Prompt: The user should be disconnected and called back and then provided a command prompt on the NAS from which non-privileged commands can be executed.

Session-Timeout
    This attribute sets the maximum number of seconds of service to be provided to the user before termination of the session or prompt.

Idle-Timeout
    This attribute sets the maximum number of consecutive seconds of idle connection allowed to the user before termination of the session or prompt.

Filter-ID
    This attribute indicates the name of the filter list for this user. Different attribute values may be used to add more than one Filter-ID reply item to an entry. Identifying a filter list by name allows the filter to be used on different NASs without regard to filter-list implementation details.

    IMPORTANT: When using the Server Manager interface, you can define only one Filter-ID.

Callback-Number
    This attribute indicates a dialing string to be used for callback.

Callback-ID
    This attribute indicates the name of a place to be called, to be interpreted by the NAS.
Attributes Concerning Login Users

Login-IP-Host
    This attribute indicates the system that the user will connect to when Service-Type is defined as Login. This attribute is used in an IPv4 environment.

Login-IPv6-Host
    This attribute indicates the system that the user will connect to when Service-Type is defined as Login. This attribute is used in an IPv6 environment.

Login-Service
    This attribute indicates the service that should be used to connect to the login host. Valid values are:
    • Telnet
    • Rlogin
    • TCP-Clear
    • PortMaster (proprietary)
    • LAT

Login-TCP-Port
    This attribute indicates the TCP port that the user is to be connected to when Service-Type is defined as Login.

Login-LAT-Service
    This attribute indicates the system that the user is to be connected to when Login-Service is defined as LAT.

Login-LAT-Node
    This attribute indicates the node that the user is to be connected to when Login-Service is defined as LAT.

Login-LAT-Group
    This attribute contains a string that identifies the groups that the user is authorized to use when Login-Service is defined as LAT.

Login-LAT-Port
    This attribute indicates the port that the user is to be connected to when Login-Service is defined as LAT.

Attributes for Framed Users

Framed-Protocol
    This attribute indicates the framing to be used for framed access. Valid values for this attribute are:
    • PPP
    • SLIP
    • ARA (AppleTalk Remote Access Protocol, ARAP)
    • Gandalf (proprietary SingleLink/MultiLink protocol)
    • Xylogics (proprietary IPX/SLIP)

Framed-IP-Address
    This attribute indicates the IP address to be configured for the user.

Framed-IPv6-Prefix
    This attribute indicates an IPv6 prefix to be configured for the user.

Framed-Interface-Id
    This attribute indicates the IPv6 interface identifier to be configured for the user.

Framed-IP-Netmask
    This attribute indicates the IP netmask to be configured for the user when the user is a router on a network.

Framed-Routing
    This attribute indicates the routing method for the user when the user is a router to a network. Valid values for this attribute are:
    • None
    • Broadcast (routing packets)
    • Listen (for routing packets)
    • Broadcast-Listen

Framed-MTU
    This attribute indicates the Maximum Transmission Unit to be configured for the user when it is not negotiated by some other means (such as PPP).

Framed-Compression
    This attribute indicates a compression protocol to be used for the link. Valid values for this attribute are:
    • None
    • Van-Jacobsen-TCP-IP
    • IPX-Header-Compression

Framed-Route
    This attribute provides routing information to be configured for the user on the NAS. This attribute is used in an IPv4 environment.

Framed-IPv6-Route
    This attribute provides routing information to be configured for the user on the NAS. This attribute is used in an IPv6 environment.

Framed-Pool
    This attribute is sent by the AAA Server to the NAS and contains the name of an assigned pool that must be used to assign an IPv4 address for the user. If a NAS does not support multiple address pools, the NAS must ignore this attribute. Address pools are usually used for IP addresses, but can be used for other protocols if the NAS supports pools for those protocols.

Framed-IPv6-Pool
    This attribute is sent by the AAA Server to the NAS and contains the name of an assigned pool that must be used to assign an IPv6 address for the user. If a NAS does not support multiple address pools, the NAS must ignore this attribute. Address pools are usually used for IP addresses, but can be used for other protocols if the NAS supports pools for those protocols.

Framed-IPX-Network
    This attribute indicates the IPX Network number to be configured for the user.
Tunneling Attributes
When a tunneling attribute is used as a reply item, the AAA server will return the A-V pair, which the NAS will use as instruction for establishing the tunnel. The server may recognize hints in an Access-Request. If hints appear in an Access-Request for a user with tunneling attributes as reply items, the server will use the tunneling keyword in the aaa.config file to determine what information will be used to establish the tunnel. When you use a tunneling attribute as a check item, you are controlling access to the tunnel server based on what the user is requesting.

Tunnel-Type
    Indicates the tunneling protocol to use when establishing the tunnel. Valid values for this attribute are:
    • PPTP (Point-to-Point Tunneling Protocol)
    • L2F (Layer Two Forwarding)
    • L2TP (Layer Two Tunneling Protocol)
    • ATMP (Ascend Tunnel Management Protocol)
    • VTP (Virtual Tunneling Protocol)
    • AH (IP Authentication Header in the Tunnel-mode)
    • IP-IP-Encap (IP-in-IP Encapsulation)
    • MIN-IP-IP (Minimal IP-in-IP Encapsulation)
    • ESP (IP Encapsulating Security Payload in the Tunnel-mode)
    • GRE (Generic Route Encapsulation)
    • DVS (Bay Dial Virtual Services)
    • IP-IP (IP-in-IP Tunneling)

Tunnel-Medium-Type
    Transport medium to use when creating a tunnel for those protocols (e.g., L2TP) that can operate over multiple transports. Valid values for this attribute are:
    • IPv4 (IP version 4)
    • IPv6 (IP version 6)
    • NSAP
    • HDLC (8-bit multidrop)
    • BBN-1822 (1822)
    • IEEE-802 (All 802 media plus Ethernet “canonical format”)
    • E-163 (POTS)
    • E-164 (SMDS, Frame Relay, ATM)
    • F-69 (Telex)
    • X-121 (X.25, Frame Relay)
    • IPX
    • Appletalk
    • DecnetIV
    • Banyan-Vines
    • E-164-NSAP

Tunnel-Client-Endpoint
    Address of the client that initiated the tunnel.

Tunnel-Server-Endpoint
    Address of the server that provides the tunnel to the user.

Tunnel-Password
    This password is not used for authentication by the AAA server but is a separate check made for access to the machine specified by Tunnel-Server-Endpoint.

Tunnel-Private-Group-ID
    A group identifier for a private session. Private groups may be used to associate a tunneled session with a particular group of users. For example, it may be used to facilitate routing of unregistered IP addresses through a particular interface.

Tunnel-Assignment-ID
    This attribute indicates what tunnel will be used to provide an appropriate level of service for the user. Data transfer for users that share the same assignment will be multiplexed over a shared tunnel. A client that supports this attribute will handle it as follows:
    • If this attribute is present and a tunnel exists between the specified endpoints with the specified ID, then the session should be assigned to that tunnel.
    • If this attribute is present and no tunnel exists between the specified endpoints with the specified ID, then a new tunnel should be established for the session and the specified ID should be associated with the new tunnel.
    • If this attribute is not present, then the session is assigned to an unnamed tunnel. If an unnamed tunnel does not yet exist between the specified endpoints then it is established and used for this and subsequent sessions established without the Tunnel-Assignment-ID attribute.

    NOTE: The same ID may be used to name different tunnels if the tunnels are between different endpoints.

Tunnel-Preference
    When returning more than one tagged tunnel description, this attribute indicates each tunnel’s relative level of preference. Values for this attribute are specified as an ordinal number (e.g., first, second, etc.).

Tunnel-Client-Auth-ID
    Name used by the client during the authentication that occurs between the Tunnel-Client-Endpoint and Tunnel-Server-Endpoint based on Tunnel-Password and any other checks that may be configured for Tunnel-Server-Endpoint.

Tunnel-Server-Auth-ID
    Name used by the server during the authentication that occurs between the Tunnel-Client-Endpoint and Tunnel-Server-Endpoint based on Tunnel-Password and any other checks that may be configured for Tunnel-Server-Endpoint.

Other Attributes

Acct-Interim-Interval
    This attribute indicates the number of seconds between each interim update for a specific session. If the server wishes to receive interim accounting messages for a given user, it must include this RADIUS attribute in the message which indicates the interval in seconds between interim messages.

    NOTE: The Acct-Interim-Interval value field contains the number of seconds between each interim update to be sent from the NAS for a session. The value must not be smaller than 60 seconds and should not be smaller than 600. Careful consideration should be given to its impact on network traffic.

Configuration-Token
    The Configuration-Token attribute is supported by the AAA Server as a reply item and is an implementation-specific attribute that is based upon a lookup table configured outside of the AAA server. It is used in large distributed authentication networks and is sent from a RADIUS Proxy Server to a RADIUS Proxy Client in an Access-Accept message that indicates a type of user profile to be used.

Port-Limit
    This attribute sets the maximum number of ports to be provided to the user by the NAS. It is intended for use in conjunction with Multilink PPP or similar uses.

Prompt
    This attribute is used only in Access-Challenge packets and indicates to the NAS whether it should echo the user's response as it is entered.

Reply-If-Ack-Message
    This is a Merit-specific attribute, similar to Reply-Message, that is only sent in an Access-Accept message.

Reply-Message
    This attribute indicates text that may be displayed to the user when the server responds to a request with any RADIUS message. Different attribute values may be used to add more than one Reply-Message reply item to an entry.

    IMPORTANT: When using the Server Manager interface, you can define only one Reply-Message value.

    NOTE: When using complex policy, it is possible to use the Reply-Message attribute to send one message when the authentication succeeds and a different message if the authentication fails.
Attributes in Accounting RecordsThis section describes the attributes that may appear in an accounting record. Anaccounting record is stored in the HP-UX AAA Server session logs. These attributesmay appear in a record in addition to the basic session information.
Additional Session InformationThe following attributes, supported by the HP-UX AAA Server software, may appearin a session record.Acct-Status-Type An integer that indicates whether this
Accounting-Request marks the beginning of the user
Attributes in Accounting Records 561
service (Start), the end (Stop), or some other state. Thisattribute appears in all accounting messages as follows:• 1 (Start)• 2 (Stop)• 3 (Interim-Update)• 7 (Accounting-On)• 8 (Accounting-Off)• 9 (Tunnel-Start)• 10 (Tunnel-Stop)• 11 (Tunnel-Reject)• 12 (Tunnel-Link-Start)• 13 (Tunnel-Link-Stop)• 14 (Tunnel-Link-Reject)• 15 (Reserved for Failed)
Acct-Delay-Time How many seconds the client has been trying to sendthis record, and can be subtracted from the time ofarrival on the server to find the approximate time ofthe event generating this Accounting-Request.(Network transit time is ignored.)
Acct-Input-Octets How many octets have been received from the portover the course of this service being provided. Onlyappears in a stop message.
Acct-Output-Octets How many octets have been sent to the port in thecourse of delivering this service. Only appears in a stopmessage.
Acct-Session-Id Unique Accounting ID to make it easy to match startand stop records in a log file. The start and stop recordsfor a given session will have the same Acct-Session-Id.This attribute appears in all accounting messages.
Acct-Authentic An integer that indicates how the user wasauthenticated, whether by RADIUS, the NAS itself, oranother remote authentication protocol:• 1 (RADIUS)• 2 (Local)• 3 (Remote)
Acct-Session-Time How many seconds the user has received a service.Only appears in a stop message.
562 Attribute-Value Pairs
Acct-Input-Packets How many packets have been received from the portover the course of this service being provided to aframed user. Only appears in a stop message.
Acct-Output-Packets How many packets have been sent to the port in thecourse of delivering this service to a framed user. Onlyappears in a stop message.
Acct-Terminate-Cause How the session was terminated. The terminationcauses are listed in Table 34-2.
Table 34-2 Session Termination Causes

Cause: Description
User Request: User requested termination of service, for example with LCP Terminate or by logging out.
Lost Carrier: DCD was dropped on the port.
Lost Service: Service can no longer be provided; for example, the user's connection to a host was interrupted.
Idle Timeout: Idle timer expired.
Session Timeout: Maximum session length timer expired.
Admin Reset: Administrator reset the port or session.
Admin Reboot: Administrator is ending service on the client, for example prior to rebooting the client.
Port Error: Client detected an error on the port that required ending the session.
NAS Error: NAS detected some error (other than on the port) which required ending the session.
NAS Request: NAS ended the session for a non-error reason not otherwise listed here.
NAS Reboot: The NAS ended the session in order to reboot.
Port Unneeded: Client ended the session because resource usage fell below the low-water mark (for example, if a bandwidth-on-demand algorithm decided that the port was no longer needed).
Port Preempted: Client ended the session in order to allocate the port to a higher priority use.
Port Suspended: Client ended the session to suspend a virtual session.
Service Unavailable: Client was unable to provide the requested service.
Callback: NAS is terminating the current session in order to perform callback for a new session.
User Error: Input from the user is in error, causing termination of the session.
Host Request: Login Host terminated the session normally.
Acct-Multi-Session-Id A unique Accounting ID to make it easy to link together multiple related sessions in a log file. Each session linked together would have a unique Acct-Session-Id but the same Acct-Multi-Session-Id.
Acct-Link-Count The count of links which are known to have been in a given multilink session at the time the accounting record is generated.
Acct-Input-Gigawords This attribute indicates how many times the Acct-Input-Octets counter has wrapped around 2^32 (4,294,967,295) over the course of the service being provided. Working in concurrence with the Acct-Input-Octets attribute, this attribute allows for the continuous accounting of data input beyond the limit of the Acct-Input-Octets attribute and can only be present in Accounting-Request records where the Acct-Status-Type is set to Stop or Interim-Update.
Acct-Output-Gigawords This attribute indicates how many times the Acct-Output-Octets counter has wrapped around 2^32 (4,294,967,295) over the course of the service being provided. Working in concurrence with the Acct-Output-Octets attribute, this attribute allows for the continuous accounting of data output beyond the limit of the Acct-Output-Octets attribute and can only be present in Accounting-Request records where the Acct-Status-Type is set to Stop or Interim-Update.
Acct-Interim-Interval This attribute indicates the number of seconds between each interim update for a specific session. If the server wishes to receive interim accounting messages for a given user, it must include this RADIUS attribute in the message, which indicates the interval in seconds between interim messages. This value can only appear in the Access-Accept message.
NOTE: The Acct-Interim-Interval value field contains the number of seconds between each interim update to be sent from the NAS for a session. The value must not be smaller than 60 seconds or greater than 600. Careful consideration must be given to the impact on network traffic.
Event-Timestamp This attribute is included in an Accounting-Request packet to record the time that an event had stopped on the NAS, and is recorded in seconds since January 1, 1970 00:00 UTC.
Acct-Tunnel-Connection Identifier assigned to the tunnel session.
Acct-Tunnel-Packets-Lost Number of packets lost on a given link.
35 MIB Objects
RFCs 2619, 2621, and 4672 describe the MIB objects for HP-UX AAA Server. All of the RADIUS MIB objects that are sent to the management workstation by the server in response to SNMP requests are read-only, except radiusAuthServConfigReset and radiusAccServConfigReset.
Notes:
• When you check the server status, the server increases the radiusAuthServTotalAccessRequests count but does not increase radiusAuthServAccessRequests for any client. This behavior results in a total authentication request count that does not equal the sum of requests received by individual clients.
• The MIB objects do not support IPv6 addresses.
MIB Objects
Table 35-1 describes the various MIB objects.
Table 35-1 MIB Objects and Definitions

MIB Object: Definition
radiusAuthServIdent, radiusAccServIdent: SnmpAdminString containing the name and version of the server.
radiusAuthServUptime, radiusAccServUptime: TimeTicks, in hundredths of a second, since the server was started.
radiusAuthServResetTime, radiusAccServResetTime: TimeTicks, in hundredths of a second, since the server's configuration files were reloaded.
radiusAuthServConfigReset, radiusAccServConfigReset: The only RADIUS MIB objects for SNMP requests that allow a write operation. Sending an integer value of 2 from the SNMP workstation to the HP-UX AAA Server will reload the server's configuration files, but only if the server was started with the -H option. A read operation will return one of the following integer values:
• 1 (server in some unknown state)
• 3 (server initializing)
• 4 (server currently running)
radiusAuthServTotalAccessRequests: The number of messages of any type received through the authentication port.
radiusAccServTotalRequests: The number of messages of any type received through the accounting port.
radiusAuthServTotalInvalidRequests: Total number of authentication requests received from an unknown address.
radiusAccServTotalInvalidRequests: Total number of accounting requests received from an unknown address.
radiusAuthServTotalDupAccessRequests: Total number of duplicate authentication requests received.
radiusAccServTotalDupRequests: Total number of duplicate accounting requests received.
radiusAuthServTotalAccessAccepts: Total number of successful authentications (Access-Accept messages sent).
radiusAccServTotalResponses: Total number of accounting responses sent to clients.
radiusAuthServTotalAccessRejects: Total number of failed authentications (Access-Reject messages sent).
radiusAuthServTotalAccessChallenges: Total number of challenges sent to clients.
radiusAuthServTotalMalformedAccessRequests: Total number of malformed Access-Request messages. Some causes of malformed requests:
• invalid message length
• message contains non A-V pairs
• message not RFC compliant
• user password too long
• RADIUS message contains an EAP message that does not contain a Message-Authenticator attribute
radiusAccServTotalMalformedRequests: Total number of malformed accounting messages received from clients. Some causes of malformed requests:
• invalid message length
• message contains non A-V pairs
• message not RFC compliant
• user password too long
• RADIUS message contains an EAP message that does not contain a Message-Authenticator attribute
radiusAuthServTotalBadAuthenticators: Total number of Access-Request messages with invalid Message-Authenticator attributes.
radiusAccServTotalBadAuthenticators: Total number of accounting messages with invalid Message-Authenticator attributes received from clients.
radiusAuthServTotalPacketsDropped, radiusAccServTotalPacketsDropped: Total number of incoming messages silently discarded for some reason other than malformed, bad authenticators, or unknown types.
radiusAuthServTotalUnknownTypes, radiusAccServTotalUnknownTypes: Total number of unknown RADIUS messages received.
radiusAuthClientTable, radiusAccClientTable: Table listing the RADIUS clients and servers that share a secret with the HP-UX AAA Server. The table will contain multiple radiusAuthClientEntry objects.
radiusAuthClientEntry, radiusAccClientEntry: A row in the radiusAuthClientTable that represents the data for a single client or proxy server that shares a secret with the HP-UX AAA Server. Each row will contain the following objects:
• radiusAuthClientIndex
• radiusAuthClientAddress
• radiusAuthClientClientID
• radiusAuthServAccessRequests
• radiusAuthServDupAccessRequests
• radiusAuthServAccessAccepts
• radiusAuthServAccessRejects
• radiusAuthServAccessChallenges
• radiusAuthServMalformedAccessRequests
• radiusAuthServBadAuthenticators
• radiusAuthServPacketsDropped
• radiusAuthServUnknownTypes
radiusAuthClientIndex, radiusAccClientIndex: A number that identifies a radiusAuthClientEntry or radiusAccClientEntry object that represents a client. The client-specific data is differentiated by the index appended to the name of the MIB object that contains the data.
radiusAuthClientAddress, radiusAccClientAddress: The IP-Address of the corresponding client.
radiusAuthClientClientID, radiusAccClientClientID: The NAS-Identifier of the corresponding client.
radiusAuthServAccessRequests: Number of messages of any type received through the authentication port from the corresponding client.
radiusAccServRequests: Number of messages of any type received through the accounting port from the corresponding client.
radiusAuthServDupAccessRequests: Number of duplicate authentication requests received from the corresponding client.
radiusAccServDupRequests: Number of duplicate accounting requests received from the corresponding client.
radiusAuthServAccessAccepts: Number of successful authentications (Access-Accept messages sent to the corresponding client).
radiusAccServResponses: Number of accounting responses sent to the corresponding client.
radiusAuthServAccessRejects: Number of failed authentications (Access-Reject messages sent to the corresponding client).
radiusAuthServAccessChallenges: Number of challenges sent to the corresponding client.
radiusAuthServMalformedAccessRequests: Number of malformed Access-Request messages (bad authenticators, unknown types) received from the corresponding client.
radiusAccServMalformedRequests: Number of malformed accounting messages (bad authenticators, unknown types) received from the corresponding client.
radiusAuthServBadAuthenticators: Number of Access-Request messages with invalid Message-Authenticator attributes received from the corresponding client.
radiusAccServBadAuthenticators: Number of accounting messages with invalid Message-Authenticator attributes received from the corresponding client.
radiusAuthServPacketsDropped, radiusAccServPacketsDropped: Number of incoming packets from the corresponding client entry that were silently discarded for some reason other than malformed, bad authenticators, or unknown types.
radiusAuthServUnknownTypes, radiusAccServUnknownTypes: Number of unknown RADIUS messages received from the corresponding client.
radiusAccServTotalNoRecords, radiusAccServNoRecords: These counts are always 0, because the HP-UX AAA Server discards accounting messages it cannot respond to.
radiusDynAuthClientDisconInvalidServerAddresses: The total number of RADIUS Disconnect-Ack/Nak messages received from an unknown address.
radiusDynAuthClientCoAInvalidServerAddresses: The total number of RADIUS CoA-Ack/Nak messages received from an unknown address.
radiusDynAuthServerTable: The table listing the RADIUS Dynamic Authorization Servers (DAS) with which the AAA Server shares a secret.
radiusDynAuthServerEntry: A row in the radiusDynAuthServerTable that represents data for one server with which the AAA Server shares a secret. Each row will contain the following objects:
• radiusDynAuthServerIndex
• radiusDynAuthServerAddressType
• radiusDynAuthServerAddress
• radiusDynAuthServerClientPortNumber
• radiusDynAuthServerID
• radiusDynAuthClientRoundTripTime
• radiusDynAuthClientDisconRequests
• radiusDynAuthClientDisconRetransmissions
• radiusDynAuthClientDisconAcks
• radiusDynAuthClientDisconNaks
• radiusDynAuthClientMalformedDisconResponses
• radiusDynAuthClientDisconBadAuthenticators
• radiusDynAuthClientDisconPendingRequests
• radiusDynAuthClientDisconTimeouts
• radiusDynAuthClientDisconPacketsDropped
• radiusDynAuthClientCoARequests
• radiusDynAuthClientCoAAuthOnlyRequest
• radiusDynAuthClientCoARetransmissions
• radiusDynAuthClientCoAAcks
• radiusDynAuthClientCoANaks
• radiusDynAuthClientMalformedCoAResponses
• radiusDynAuthClientCoABadAuthenticators
• radiusDynAuthClientCoAPendingRequests
• radiusDynAuthClientCoATimeouts
• radiusDynAuthClientCoAPacketsDropped
• radiusDynAuthClientUnknownTypes
• radiusDynAuthClientCounterDiscontinuity
radiusDynAuthServerIndex: A unique number identifying the Dynamic Authorization Server (DAS).
radiusDynAuthServerAddressType: The type of IP address of the DAS.
radiusDynAuthServerAddress: IP address of the DAS.
radiusDynAuthServerClientPortNumber: The UDP port that is used by the AAA Server to send requests to the DAS.
radiusDynAuthServerID: The NAS-Identifier of the DAS.
radiusDynAuthClientRoundTripTime: The time interval (in hundredths of a second) between the most recent Disconnect or CoA request and the corresponding reply.
radiusDynAuthClientDisconRequests, radiusDynAuthClientCoARequests: The number of Disconnect/CoA-Request messages sent to this DAS. This includes requests containing Service-Type=Authorize-Only.
radiusDynAuthClientDisconRetransmissions, radiusDynAuthClientCoARetransmissions: The number of RADIUS Disconnect/CoA-Requests that are retransmitted for this DAS.
radiusDynAuthClientDisconAcks, radiusDynAuthClientCoAAcks: The number of RADIUS Disconnect/CoA-Acks received from this DAS.
radiusDynAuthClientDisconNaks, radiusDynAuthClientCoANaks: The number of RADIUS Disconnect/CoA-Naks received from this DAS. This includes packets with Service-Type=Authorize-Only and those messages received because no session context was found.
radiusDynAuthClientDisconNakAuthOnlyRequest, radiusDynAuthClientCoANakAuthOnlyRequest: The number of RADIUS Disconnect/CoA-Naks received from this DAS for packets with Service-Type=Authorize-Only.
radiusDynAuthClientDisconNakSessNoContext, radiusDynAuthClientCoANakSessNoContext: The number of RADIUS Disconnect/CoA-Naks received from this DAS because no session context was found.
radiusDynAuthClientMalformedDisconResponses, radiusDynAuthClientMalformedCoAResponses: The number of RADIUS Disconnect/CoA-Acks and RADIUS Disconnect/CoA-Naks received from this DAS that were malformed. This excludes RADIUS packets of the same type which had a bad authenticator or an unknown type.
radiusDynAuthClientDisconBadAuthenticators, radiusDynAuthClientCoABadAuthenticators: The number of RADIUS Disconnect/CoA-Acks and RADIUS Disconnect/CoA-Naks from this DAS that contained an invalid Authenticator field.
radiusDynAuthClientDisconPendingRequests, radiusDynAuthClientCoAPendingRequests: The number of RADIUS Disconnect/CoA-Requests for which the AAA Server is waiting for a response. This count is incremented when a Disconnect-Request is sent and decremented on a Disconnect-Ack, a Disconnect-Nak, a timeout, or a retransmission.
radiusDynAuthClientDisconTimeouts, radiusDynAuthClientCoATimeouts: The number of RADIUS Disconnect/CoA-Request timeouts for this DAS.
radiusDynAuthClientDisconPacketsDropped, radiusDynAuthClientCoAPacketsDropped: The number of incoming RADIUS Disconnect/CoA-Acks and Disconnect/CoA-Naks from this DAS that were dropped. This excludes packets that were malformed, had a bad authenticator, or were of an unknown type.
radiusDynAuthClientCounterDiscontinuity: The time (in hundredths of a second) since the last counter discontinuity (AAA Server restart or re-initialization). Note that all the entries in radiusDynAuthServerEntry are re-initialized.
A Supported IETF RFCs
Table A-1 lists the key IETF RFCs the HP-UX AAA Server supports. Refer to the IETF website for more information on these RFCs at http://www.ietf.org.

Table A-1 Supported IETF RFCs
RFC #  RFC Title
2284  PPP Extensible Authentication Protocol (EAP)
2619  RADIUS Authentication Server MIB
2621  RADIUS Accounting Server MIB
2716  PPP EAP-TLS Authentication Protocol
2865  Remote Authentication Dial In User Service (RADIUS)
2866  RADIUS Accounting
2867  RADIUS Accounting Modifications for Tunnel Protocol Support
2868  RADIUS Attributes for Tunnel Protocol Support
2869  RADIUS Extensions

Table A-2 lists additional IETF RFCs supported by the HP-UX AAA Server.

Table A-2 Additional IETF RFCs Supported by HP-UX AAA Server
RFC #  RFC Title
2289  Implementation of L2TP Compulsory Tunneling via RADIUS
2548  Microsoft Vendor-specific RADIUS Attributes
2618  RADIUS Authentication Client MIB
2620  RADIUS Accounting Client MIB
2809  Implementation of L2TP Compulsory Tunneling via RADIUS
2869  RADIUS Extensions (Message-Authenticator)
2882  Network Access Servers Requirements: Extended RADIUS Practices
2975  Introduction to Accounting Management
2984  Accounting Attributes and Record Formats
2989  Criteria for Evaluating AAA Protocols for Network Access
3127  Authentication, Authorization, and Accounting: Protocol Evaluation
3162  RADIUS and IPv6
3539  Authentication, Authorization and Accounting (AAA) Transport Profile
3575  IANA Considerations for RADIUS
3576  Dynamic Authorization Extensions to Remote Authentication Dial In User Service (RADIUS)
3579  RADIUS (Remote Authentication Dial In User Service) Support For Extensible Authentication Protocol
3580  IEEE 802.1X Remote Authentication Dial In User Service (RADIUS) Usage Guidelines
4186  EAP Method for Global System for Mobile Communications (GSM) Subscriber Identity Modules (EAP-SIM)
4187  EAP Method for 3rd Generation Authentication and Key Agreement (EAP-AKA)
4226  HOTP: An HMAC-Based One-Time Password Algorithm
4672  RADIUS Dynamic Authorization Client MIB
5176  Dynamic Authorization Extensions to Remote Authentication Dial In User Service (RADIUS)

Table A-3 lists the IETF AAA RFCs supported by the HP-UX AAA Server.

Table A-3 AAA RFCs Supported by HP-UX AAA Server
RFC #  RFC Title
2903  Generic AAA Architecture
2904  AAA Authorization Framework
2905  AAA Authorization Application Examples
2906  AAA Authorization Requirements
2989  Criteria for Evaluating AAA Protocols for Network Access
3141  CDMA2000 Wireless Data Requirements for AAA
3539  Authentication, Authorization and Accounting (AAA) Transport Profile
B Supported Authentication Methods
The following list describes the authentication methods the HP-UX AAA Server supports:

Password Authentication Protocol (PAP)
This authentication method is most appropriately used where a plaintext password must be used to simulate a login at a remote host. In such use, this method provides a similar level of security to the usual user login at the remote host. This protocol provides the user with a great deal of flexibility because this password can be decrypted at the RADIUS server site.

OTP Authentication
This authentication method is based on the HOTP algorithm developed by the OATH consortium. It can be used to provide OTP and two-factor authentication in a variety of deployment scenarios. For more information on OTP authentication, see Chapter 16 (page 179).

Challenge Handshake Authentication Protocol (CHAP)
CHAP is a one-way hashing algorithm that is used to periodically verify the identity of a user. The challenge occurs between the user and the NAS before the NAS sends an Access-Request. The user must respond by encrypting the challenge (usually a random number) and returning the result. The NAS will then forward the challenge and the response in the Access-Request, which the AAA server will use to authenticate the user.

Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)
MS-CHAP is an implementation of the CHAP protocol created by Microsoft to authenticate remote Windows workstations. In most respects, MS-CHAP is identical to CHAP, but there are some differences. MS-CHAP is based on the encryption and hashing algorithms used by Windows networks, and the MS-CHAP response to a challenge is in a format optimized for compatibility with Windows operating systems.

Extensible Authentication Protocol (EAP)
EAP is a secure authentication protocol used to establish a connection. It offers more flexibility to handle authentication requests with different encryption algorithms. It allows authentication by encapsulating various types of authentication exchanges, such as MD5. These EAP messages can be encapsulated in the packets of other protocols, such as RADIUS, for compatibility with a wide range of authentication mechanisms. This flexibility also allows EAP to be implemented in a way that is more suitable for wireless and mobile environments than other authentication protocols. EAP allows authentication to take place directly between the user and server without the intervention by the access device that occurs with CHAP.
The following is a list of the EAP authentication methods you can use with this version of the HP-UX AAA Server:
• Transport Layer Security (TLS): Uses TLS (also known as SSL) to authenticate the client using its digital certificate.
NOTE: Some wireless supplicants require specific extensions to support certificates for EAP.
TLS features include Dynamic Key Exchange; Mutual Authentication; Digital Certificate/Token Card-based Authentication; and Encrypted Tunnelling.
• Tunneled TLS (TTLS): Can carry additional EAP or legacy authentication methods like PAP and CHAP. Integrates with the widest variety of password storage formats and existing password-based authentication systems. Supplicants are available for a large number of clients. TTLS features include Dynamic Key Exchange; Mutual Authentication; Password-based Authentication; and Encrypted Tunnelling.
• Protected EAP (PEAP): Functionally very similar to TTLS, but does not encapsulate legacy authentication methods. PEAP features include Dynamic Key Exchange; Mutual Authentication; and Encrypted Tunnelling.
• Message Digest 5 (MD5): Passwords are hashed using the MD5 algorithm. Can be deployed for protecting access to LAN switches where the authentication traffic will not be transmitted over airwaves. Can also be safely deployed for wireless authentication inside EAP tunnel methods. The main feature in MD5 is Password-based Authentication.
• Generic Token Card (GTC): Carries user-specific token cards for authentication. The main feature in GTC is Digital Certificate/Token Card-based Authentication.
• EAP MS-CHAP: Passwords are hashed using a Microsoft algorithm. Can be deployed for protecting access to LAN switches where the authentication traffic will not be transmitted over airwaves. Can also be safely deployed for wireless authentication inside EAP tunnel methods. EAP-MS-CHAP features include Mutual Authentication and Password-based Authentication.
• EAP-SIM: Capable of operating in wireless networks. EAP-SIM is used for authentication and session key distribution using the GSM SIM.
• EAP-AKA: Based on the challenge-response mechanism and symmetric cryptography. An authentication and session key distribution mechanism used in the third generation mobile networks: UMTS and CDMA2000.
C RADIUS Data Packets
The Access-Request and other RADIUS data packets contain a header and a set of attribute-value (A-V) pairs, which are used by the server during the AAA transaction. The RADIUS RFC 2865 defines how vendors can extend the protocol. Encapsulation is the RFC-defined way of extending RADIUS. Conflicts can occur when the RFC is not followed. In those cases, the server can map the attributes to unique internal values for processing. For a full description of RADIUS attribute-value pairs, see Chapter 34: “Attribute-Value Pairs” (page 546).
Data Packet Format
RADIUS requests and replies share a common format (see Figure C-1). These messages are transported by UDP. By default, the server listens on UDP port 1812 for Access-Requests and port 1813 for Accounting-Requests.
Figure C-1 RADIUS Request/Reply Message Format
Table C-1 RADIUS Request/Reply Message Format Description

Data: Description
Code: 8-bit request/reply type: 1=Access-Request, 2=Access-Accept, 3=Access-Reject, 4=Accounting-Request, 5=Accounting-Response, 11=Access-Challenge, 40=Disconnect-Request, 41=Disconnect-ACK, 42=Disconnect-NAK, 43=CoA-Request, 44=CoA-ACK, 45=CoA-NAK
Id: 8-bit message sequence number; value in reply = value in request.
Length: 16-bit message length, including the header beginning at Code.
Authenticator: 16 octet binary vector. For Access requests, the value in the request is randomly generated. The value in the reply is the MD5 digest of the reply message data appended with the secret, using the authenticator value from the request. For Accounting, Disconnect and CoA requests, the value in the request is the MD5 digest of the request message data appended with the secret, using 16 zero octets as the authenticator value. The value in the reply is the MD5 digest of the reply message data appended with the secret, using the authenticator value from the request.
Attributes: Arbitrary numbers of information pairs with the format shown in Figure C-2.
Attribute-Value Pair Format
An attribute-value (A-V) pair represents a variable and one of the possible values that the variable can hold. The A-V pair data format is depicted in Figure C-2. In the HP-UX AAA server, A-V pairs may be added to configuration files to compare values when trying to authenticate an Access-Request (check items) or to add authorization instructions or other messages to an Access-Accept data packet (reply items). These A-V pair values will also appear in server session logs. The A-V pairs usually appear as AttributeName=Value in the configuration files and AttributeName=:Type:Value in the log files.
Figure C-2 Attribute-Value Pair Format
Table C-2 Attribute Value Pair Format Description

Data: Description
attribute: 8-bit value-pair code, listed in the dictionary file
length: 8-bit integer from 2-255
value: 0-253 octet information item. (The data type of value is determined by the data type associated with the attribute code.)
As shown in Figure C-2, the Access-Request contains a set of attribute-value pairs. The A-V pairs typically placed in these requests are the User-Name and User-Password, along with the NAS-IP-Address, NAS-Port, Service-Type, and Framed-Protocol A-V pairs, Framed-Protocol being present only if the user is making a PPP or SLIP connection. Only a few attributes, such as User-Password and CHAP-Password, are encrypted. (For a full description of RADIUS attribute-value pairs, see Chapter 34: “Attribute-Value Pairs” (page 546).)
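As an added example (not code from the HP-UX AAA Server or from this guide), the following Python builds and checks an Accounting-Request/Accounting-Response exchange in the Table C-1 header and Table C-2 attribute layouts, and combines Acct-Input-Octets with Acct-Input-Gigawords as the Chapter 34 attribute descriptions state. The attribute type numbers come from the RADIUS RFCs rather than this page, and the Stop record and shared secret are constructed placeholders.

```python
import hashlib
import hmac
import struct

# Codes and header layout from Table C-1
ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE = 4, 5
HEADER_LEN = 20  # Code(1) + Id(1) + Length(2) + Authenticator(16)

# Attribute type numbers are from the RADIUS dictionary (RFC 2865/2866), not this page
USER_NAME, ACCT_STATUS_TYPE, ACCT_INPUT_OCTETS = 1, 40, 42
ACCT_SESSION_ID, ACCT_TERMINATE_CAUSE, ACCT_INPUT_GIGAWORDS = 44, 49, 52
ACCT_STATUS_STOP = 2
TERMINATE_USER_REQUEST = 1  # "User Request" in Table 34-2

def encode_avps(avps):
    """Table C-2 layout: 8-bit attribute code, 8-bit length covering
    code+length+value (2..255), then 0..253 value octets (ints as 32-bit BE)."""
    out = bytearray()
    for attr, value in avps:
        if isinstance(value, int):
            value = struct.pack("!I", value)
        if len(value) > 253:
            raise ValueError("A-V value must be at most 253 octets")
        out += struct.pack("!BB", attr, len(value) + 2) + value
    return bytes(out)

def decode_avps(data):
    """Walk the attribute area; a bad length is what the MIB counts as malformed."""
    avps, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated A-V pair")
        attr, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("invalid A-V pair length")
        avps.append((attr, bytes(data[pos + 2:pos + length])))
        pos += length
    return avps

def build_accounting_request(ident, secret, avps):
    """Request Authenticator = MD5(Code + Id + Length + 16 zero octets + Attributes + secret)."""
    attrs = encode_avps(avps)
    head = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, HEADER_LEN + len(attrs))
    auth = hashlib.md5(head + bytes(16) + attrs + secret).digest()
    return head + auth + attrs

def build_accounting_response(request, secret, avps=()):
    """Id is copied from the request; Response Authenticator =
    MD5(Code + Id + Length + RequestAuthenticator + Attributes + secret)."""
    attrs = encode_avps(avps)
    head = struct.pack("!BBH", ACCOUNTING_RESPONSE, request[1], HEADER_LEN + len(attrs))
    auth = hashlib.md5(head + request[4:20] + attrs + secret).digest()
    return head + auth + attrs

def check_request(packet, secret):
    """Server-side check: Length must match the datagram and the Authenticator must
    recompute with 16 zero octets in its place. Returns decoded A-V pairs, else None."""
    if len(packet) < HEADER_LEN or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return None
    attrs = packet[HEADER_LEN:]
    expected = hashlib.md5(packet[:4] + bytes(16) + attrs + secret).digest()
    if not hmac.compare_digest(packet[4:20], expected):
        return None
    try:
        return decode_avps(attrs)
    except ValueError:
        return None

def check_response(response, request, secret):
    """Client-side check that the reply was computed over our Request Authenticator."""
    if len(response) < HEADER_LEN or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[HEADER_LEN:] + secret).digest()
    return hmac.compare_digest(response[4:20], expected)

def total_octets(avps, octets_attr, gigawords_attr):
    """Acct-*-Gigawords counts 2**32 wraps of Acct-*-Octets: total = wraps * 2**32 + octets."""
    values = dict(avps)
    octets = struct.unpack("!I", values[octets_attr])[0]
    wraps = struct.unpack("!I", values.get(gigawords_attr, bytes(4)))[0]
    return wraps * 2**32 + octets

def demo():
    """Constructed Stop record: 5 GiB received (one 2**32 wrap plus 1 GiB), placeholder secret."""
    secret = b"constructed-shared-secret"  # placeholder, not a real secret
    received = 5 * 2**30
    stop = [(USER_NAME, b"alice"), (ACCT_SESSION_ID, b"0000ABCD"),
            (ACCT_STATUS_TYPE, ACCT_STATUS_STOP),
            (ACCT_INPUT_OCTETS, received % 2**32),
            (ACCT_INPUT_GIGAWORDS, received // 2**32),
            (ACCT_TERMINATE_CAUSE, TERMINATE_USER_REQUEST)]
    request = build_accounting_request(7, secret, stop)
    avps = check_request(request, secret)
    response = build_accounting_response(request, secret)
    return {"request_ok": avps is not None,
            "input_total": total_octets(avps, ACCT_INPUT_OCTETS, ACCT_INPUT_GIGAWORDS),
            "response_ok": check_response(response, request, secret),
            "wrong_secret_rejected": check_request(request, b"wrong") is None}
```

A request that fails check_request is what the server would count under radiusAccServTotalMalformedRequests or radiusAccServTotalBadAuthenticators in Table 35-1.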
D Header Files, Data Structures, and APIs in the HP-UX AAA Server SDK
This appendix discusses the header files, data structures, and APIs that the HP-UX AAA Server SDK includes. This chapter addresses the following topics:
• “Header Files and Data Structures in the SDK.”
• “APIs in the HP-UX AAA Server SDK” (page 579)
Header Files and Data Structures in the SDK
This section lists the header files and the predefined data structures that the SDK includes.
The HP-UX AAA Server SDK includes the sdk.h header file. This file contains definitions of all the data structures and APIs that are included in the SDK.
You must use the aatv_info_v2_t data structure to register the AATV with the HP-UX AAA Server. The aatv_info_v2_t data structure includes the following fields:
    char name[MAX_NAME_LENGTH + 1]; /* AATV Name */
    aatvInit_v2_t init;             /* AATV init function */
    aatvTimer_v2_t timer;           /* AATV Timer function */
    aatvAction_v2_t act_func;       /* AATV action function */
    aatvCleanup_v2_t cleanup;       /* AATV clean up function */
The following additional data structures are used to represent the HP-UX AAA Server attribute-value and HP-UX AAA Server request:
• typedef void sdk_avp_t;
• typedef void sdk_authreq_t;
NOTE: These data structures are documented here for your reference. Customers are not expected to modify the data structures. APIs are provided to modify or read the data elements in the data structure.
APIs in the HP-UX AAA Server SDK
You can use the following API types to create AATVs:
• A-V pair APIs — These APIs can be used to modify, add, delete, or display attribute values.
• Authreq APIs — These APIs provide an interface to modify the HP-UX AAA Server request by adding or deleting A-V pairs in radius queues, and retrieving information about the request.
• Logging APIs — These APIs are used for logging messages in the log file.
• Asynchronous APIs — These APIs enable you to write AATVs that are required for making asynchronous calls to external servers.
• Secondary APIs — These additional APIs enable you to further customize the HP-UX AAA Server.
The following sections describe these APIs in detail.
A-V Pair APIs
This section discusses the A-V pair APIs.

sdk_avp_t *sdk_avp_allocate()
Allocates an A-V pair, initializes all fields as 0, and returns a pointer to it.
Return
Returns a pointer to the allocated A-V pair, or NULL if the A-V pair is not allocated.

void sdk_avp_free()
void sdk_avp_free (sdk_avp_t *avp)
Usage
Frees the memory and any allocated string storage associated with an A-V pair. The string storage must not be shared with other objects.
Input
avp  A pointer to the A-V pair that must be freed.
int sdk_get_avp_info()
int sdk_get_avp_info (sdk_avp_t *avp, uint32_t *vendid, uint32_t *attrid, uint32_t *attrlen, void **attrval, u_char *tag)
Usage
Obtains information from an A-V pair.
Input
avp  A pointer to an A-V pair.
vendid  The address of an unsigned integer variable to store the vendor ID of the A-V pair. This value is NULL if the vendor ID is not applicable.
attrid  The address of an unsigned integer to store the attribute ID of the A-V pair.
attrlen  The address of an unsigned integer to store the length of the A-V pair attribute.
attrval  The address of a pointer intended to point to the attribute value.
tag  The address of an unsigned character variable to store the tag for the tagged attribute. This value is NULL if the tag is not applicable.
Output
vendid  The input variable that stores the vendor ID of the A-V pair.
attrid  The input variable that stores the attribute ID of the A-V pair. For vendor-specific attributes, the attribute ID is the vendor type or sub-attribute.
attrlen  The input variable that stores the length of the attribute (in bytes) of the A-V pair. For vendor-specific attributes, this value is the vendor length.
attrval  The input pointer that points to the attribute value of the A-V pair. For vendor-specific attributes, the attribute value is the sub-attribute value. You must copy the contents of the attribute value. Ensure that you do not free the memory for the attribute value after copying the contents of the attribute value.
tag  The input variable that stores the value of the tag for tagged attributes. If the attribute is untagged, the value is 0.
Return
This API returns one of the following values:
• SDK_SUCCESS if the operation succeeds
• SDK_INVALID_ARG if the arguments are invalid
• SDK_FAILURE if the operation fails
int sdk_set_avp()
int sdk_set_avp (sdk_avp_t *avp, uint32_t attrid, uint32_t attrlen, void *attrval, u_char tag)
Usage
Sets or modifies a standard RADIUS A-V pair.
Input
avp  A pointer to an A-V pair to be set or modified.
attrid  The attribute ID to be set or modified.
attrlen  The length of the attribute (in bytes) to be set or modified.
attrval  The attribute value to be set or modified.
tag  The tag for the tagged attribute. This value is 0 if the attribute is untagged.
Return
This API returns one of the following values:
• SDK_SUCCESS if the operation succeeds
• SDK_INVALID_ARG if the arguments are invalid
• SDK_FAILURE if the operation fails
int sdk_set_vend_avp()
int sdk_set_vend_avp (sdk_avp_t *avp, uint32_t vendid, uint32_t attrid, uint32_t attrlen, void *attrval, u_char tag)
Usage
Sets or modifies an A-V pair (including vendor-specific A-V pairs).
Input
avp  A pointer to an A-V pair to be set or modified.
vendid  The vendor ID of the attribute to be set or modified. For a standard RADIUS attribute, use VC_RADIUS, which is 0.
attrid  The attribute ID to be set or modified. For a vendor-specific attribute, the attribute ID is the vendor type or sub-attribute.
attrlen  The length of the attribute (in bytes) to be set or modified. For a vendor-specific attribute, the length is the vendor length.
attrval  The attribute value to be set or modified. For a vendor-specific attribute, the attribute value is the sub-attribute value.
tag  The tag for a tagged attribute; 0 for an untagged attribute.
Return
This API returns one of the following values:
• SDK_SUCCESS if the operation succeeds
• SDK_INVALID_ARG if the arguments are invalid
• SDK_FAILURE if the operation fails
Authreq APIs
This section discusses the authreq APIs.
NOTE: The following constants are defined for the different queue types that are used in an authreq:
• AUTHREQ_REQUEST_QUEUE for the inbound request attributes queue
• AUTHREQ_REPLY_QUEUE for the reply attributes queue
• AUTHREQ_CHECK_QUEUE for the check items queue
• AUTHREQ_DENY_QUEUE for the deny items queue
The check items and deny items are A-V pairs configured in the user profile for the corresponding user request.
sdk_avp_t *sdk_find_avp()
sdk_avp_t *sdk_find_avp (sdk_authreq_t *authreq, u_char qtype, uint32_t attrid, uint32_t attrlen, void *attrvalue, void *position, u_char tag)
Usage
Discovers the next standard RADIUS A-V pair with the specified attribute ID, attribute length, attribute value, and (for a tagged attribute) tag, after the specified position in the authreq's A-V pair list of type qtype. For example, if position points to one A-V pair in the list, this API starts searching from the A-V pair after position. If position is NULL, this API searches from the beginning of the list.
Input
582 Header Files, Data Structures, and APIs in the HP-UX AAA Server SDK
authreq A pointer to an authreq.
qtype The type of list to be accessed. It can be one of the following types:
• AUTHREQ_REQUEST_QUEUE
• AUTHREQ_REPLY_QUEUE
• AUTHREQ_CHECK_QUEUE
• AUTHREQ_DENY_QUEUE
attrid The attribute to be discovered.
attrlen The attribute length to be matched. If the length is 0, the attribute length and value are not considered in the match.
attrvalue The attribute value to be matched. If the value is NULL, the attribute length and value are not considered in the match.
position A pointer to an A-V pair that was already found in the list. If this value is NULL, the search starts from the beginning of the list.
tag The tag value for a tagged attribute. This value is 0 for an untagged attribute, or if the tag is not a search parameter.
Return
Returns a pointer to the A-V pair found. If no A-V pair is found, it returns NULL.
sdk_avp_t *sdk_find_vend_avp()
sdk_avp_t *sdk_find_vend_avp(sdk_authreq_t *authreq, u_char qtype, uint32_t vendid, uint32_t attrid, uint32_t attrlen, void *attrvalue, void *position, u_char tag)
Usage
Discovers the next A-V pair with the specified vendor ID, attribute ID, attribute length, attribute value, and (for a tagged attribute) tag, after position in the authreq's A-V pair list of type qtype. If position points to one A-V pair in the list, this API starts searching from the A-V pair after position. If position is NULL, this API starts the search from the beginning of the list.
Input
authreq A pointer to an authreq.
qtype The type of list to be accessed. It can be one of the following types:
• AUTHREQ_REQUEST_QUEUE
• AUTHREQ_REPLY_QUEUE
• AUTHREQ_CHECK_QUEUE
• AUTHREQ_DENY_QUEUE
vendid The vendor ID of the attribute to be discovered. For a standard RADIUS attribute, use VC_RADIUS, which is 0.
attrid The attribute to be discovered. For a vendor-specific attribute, the attribute ID is the vendor type.
attrlen The attribute length to be matched. If attrlen is 0, the attribute length and value are not considered in the match. For a vendor-specific attribute, attrlen is the vendor length.
attrvalue The attribute value to be matched. If attrvalue is NULL, the attribute length and value are not considered in the match. For a vendor-specific attribute, attrvalue is the sub-attribute value.
position A pointer to an A-V pair already found in the list. If this value is NULL, the search starts from the beginning of the list.
tag The tag value for a tagged attribute. This value is 0 for an untagged attribute, or if the tag is not a search parameter.
Return
Returns a pointer to the A-V pair found. If no A-V pair is found, it returns NULL.
int sdk_del_avp()
int sdk_del_avp (sdk_authreq_t *authreq, u_char qtype, sdk_avp_t *avp)
Usage
Deletes the A-V pair from the authreq's list of type qtype.
NOTE: Even though the A-V pair is removed from the list, its memory is not freed. You must free the memory for the deleted A-V pair.
Input
authreq A pointer to an authreq.
qtype The type of list to be accessed. It can be one of the following types:
• AUTHREQ_REQUEST_QUEUE
• AUTHREQ_REPLY_QUEUE
• AUTHREQ_CHECK_QUEUE
• AUTHREQ_DENY_QUEUE
avp The pointer to the A-V pair to be deleted.
Return
Returns one of the following values:
• SDK_SUCCESS if the operation succeeds
• SDK_INVALID_ARG if the arguments are invalid
int sdk_insert_avp()
int sdk_insert_avp (sdk_authreq_t *authreq, u_char qtype, sdk_avp_t *loc_avp, u_char position, sdk_avp_t *new_avp)
Usage
Inserts an A-V pair into the A-V pair list of type qtype in the authreq. Table D-1 lists the different insertions that this API performs, based on the values of loc_avp and position.
Table D-1 Actions Performed as a Result of the loc_avp A-V Pair
Parameter Value | Action
The loc_avp A-V pair is a valid member of the list and the position parameter is INSERT_BEFORE. | The new_avp A-V pair is inserted before loc_avp.
The loc_avp A-V pair is a valid member of the list and the position parameter is INSERT_AFTER. | The new_avp A-V pair is inserted after loc_avp.
The loc_avp A-V pair is NULL and the position parameter is INSERT_BEFORE. | The new_avp A-V pair is prepended to the list.
The loc_avp A-V pair is NULL and the position parameter is INSERT_AFTER. | The new_avp A-V pair is appended to the list.
Input
authreq A pointer to an authreq.
qtype The type of list to insert the A-V pair into. It can be one of the following types:
• AUTHREQ_REQUEST_QUEUE
• AUTHREQ_REPLY_QUEUE
• AUTHREQ_CHECK_QUEUE
• AUTHREQ_DENY_QUEUE
loc_avp A pointer to an A-V pair that is already in the list, or NULL.
position An integer that specifies the insertion location. It can be INSERT_BEFORE or INSERT_AFTER.
new_avp A pointer to the A-V pair to be inserted.
Return
Returns one of the following values:
• SDK_SUCCESS if the operation succeeds
• SDK_INVALID_ARG if the arguments are invalid
int sdk_get_authreq_info()
int sdk_get_authreq_info (sdk_authreq_t *authreq, u_char infotype, uint32_t *len, void **value)
Usage
Obtains information from an authreq.
Input
authreq A pointer to an authreq.
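The list semantics that sdk_find_avp, sdk_find_vend_avp, sdk_del_avp and sdk_insert_avp describe (find-next after a position, length and value ignored when attrlen is 0 or attrvalue is NULL, NULL loc_avp meaning prepend or append, delete without free) are easy to get wrong in an AATV. The following stand-alone C model, added here as an illustration and not part of the HP-UX AAA SDK, implements exactly those rules on a plain linked list so they can be exercised offline. Everything in it is hypothetical: model_avp, model_list, the model_* functions and the MODEL_* codes are stand-ins, not SDK identifiers.

```c
/* Added example: a stand-alone C model of the A-V pair list semantics that
 * sdk_find_avp, sdk_del_avp and sdk_insert_avp describe. It is NOT the HP-UX
 * AAA SDK and includes none of its headers; model_avp, model_list and the
 * model_* functions and return codes are hypothetical stand-ins. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MODEL_SUCCESS       0   /* constructed return codes, not the SDK's values */
#define MODEL_INVALID_ARG   1
#define MODEL_INSERT_BEFORE 0
#define MODEL_INSERT_AFTER  1

typedef struct model_avp {
    uint32_t vendid;            /* 0 = standard RADIUS attribute (VC_RADIUS in the SDK) */
    uint32_t attrid;
    uint32_t attrlen;
    unsigned char attrval[64];
    unsigned char tag;          /* 0 = untagged */
    struct model_avp *next;
} model_avp;

typedef struct { model_avp *head; } model_list;

/* Allocate a pair; the caller owns it (the SDK's delete does not free memory either). */
model_avp *model_new_avp(uint32_t vendid, uint32_t attrid, const void *val,
                         uint32_t len, unsigned char tag) {
    model_avp *a;
    if (len > sizeof a->attrval) return NULL;
    a = calloc(1, sizeof *a);
    if (a == NULL) return NULL;
    a->vendid = vendid; a->attrid = attrid; a->attrlen = len; a->tag = tag;
    if (len) memcpy(a->attrval, val, len);
    return a;
}

/* Next matching pair after `position` (NULL = search from the head).
 * attrlen 0 or attrval NULL: length and value are not compared.
 * tag 0: the tag is not a search parameter. */
model_avp *model_find_avp(const model_list *l, uint32_t vendid, uint32_t attrid,
                          uint32_t attrlen, const void *attrval,
                          const model_avp *position, unsigned char tag) {
    model_avp *a = position ? position->next : l->head;
    for (; a != NULL; a = a->next) {
        if (a->vendid != vendid || a->attrid != attrid) continue;
        if (tag != 0 && a->tag != tag) continue;
        if (attrlen != 0 && attrval != NULL &&
            (a->attrlen != attrlen || memcmp(a->attrval, attrval, attrlen) != 0)) continue;
        return a;
    }
    return NULL;
}

/* Insert `nw` relative to `loc`: NULL loc with INSERT_BEFORE prepends, with INSERT_AFTER appends. */
int model_insert_avp(model_list *l, model_avp *loc, int position, model_avp *nw) {
    model_avp **pp;
    if (l == NULL || nw == NULL ||
        (position != MODEL_INSERT_BEFORE && position != MODEL_INSERT_AFTER)) return MODEL_INVALID_ARG;
    if (loc == NULL) {
        if (position == MODEL_INSERT_BEFORE) { nw->next = l->head; l->head = nw; return MODEL_SUCCESS; }
        for (pp = &l->head; *pp != NULL; pp = &(*pp)->next) { }
        nw->next = NULL; *pp = nw; return MODEL_SUCCESS;
    }
    for (pp = &l->head; *pp != NULL && *pp != loc; pp = &(*pp)->next) { }
    if (*pp == NULL) return MODEL_INVALID_ARG;   /* loc is not a member of this list */
    if (position == MODEL_INSERT_BEFORE) { nw->next = loc; *pp = nw; }
    else { nw->next = loc->next; loc->next = nw; }
    return MODEL_SUCCESS;
}

/* Unlink a pair without freeing it, as the note on sdk_del_avp says the SDK does. */
int model_del_avp(model_list *l, model_avp *avp) {
    model_avp **pp;
    if (l == NULL || avp == NULL) return MODEL_INVALID_ARG;
    for (pp = &l->head; *pp != NULL && *pp != avp; pp = &(*pp)->next) { }
    if (*pp == NULL) return MODEL_INVALID_ARG;
    *pp = avp->next; avp->next = NULL;
    return MODEL_SUCCESS;
}

/* Typical find-next loop: count every pair with (vendid, attrid), e.g. repeated Reply-Message. */
int model_count_avp(const model_list *l, uint32_t vendid, uint32_t attrid) {
    int n = 0;
    const model_avp *p = NULL;
    while ((p = model_find_avp(l, vendid, attrid, 0, NULL, p, 0)) != NULL) n++;
    return n;
}

int main(void) {
    model_list l = { NULL };
    model_avp *a = model_new_avp(0, 18, "first", 5, 0);    /* 18 = Reply-Message (RFC 2865) */
    model_avp *b = model_new_avp(0, 18, "second", 6, 0);
    model_insert_avp(&l, NULL, MODEL_INSERT_AFTER, a);     /* append to the empty list */
    model_insert_avp(&l, a, MODEL_INSERT_AFTER, b);        /* insert after a */
    printf("Reply-Message count: %d\n", model_count_avp(&l, 0, 18));
    model_del_avp(&l, a); free(a); free(b);                /* caller frees after delete */
    return 0;
}
```

The find-next loop in model_count_avp is the idiom the SDK's position parameter is designed for: pass the previously returned pair back in, stop on NULL. Note that a pair found with sdk_find_avp and then removed with sdk_del_avp is still owned by the caller, so free it exactly once.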
infotype The information type of interest. Table D-2 lists the information types.
Table D-2 Information Types
Information Type | Description
AUTHREQ_CODE | Code: The packet type, one of Access-Request, Access-Accept, and so on, as defined in RFC 2865. The code has a type of unsigned short.
AUTHREQ_FWD_ID | Forward ID: A locally generated sequence number for a request to be forwarded. The forward ID has a type of unsigned short.
AUTHREQ_REQ_ID | Request ID: A unique number used by the HP-UX AAA Server to identify an authentication request. This ID is different from the identifier in a RADIUS packet. The request ID has a type of unsigned 64-bit integer.
AUTHREQ_AUTHENTICATOR | The authentication vector in the RADIUS packet. It is 16 bytes long and is used by the password hiding algorithm.
AUTHREQ_EXPIRE_TIME | The time to live (in seconds) of an authentication request. The request is removed from the authentication request queue when the specified time elapses. The time to live has a type of unsigned character.
AUTHREQ_CLIENT_PORT | The client UDP port where the request came from. The port has a type of unsigned short.
AUTHREQ_CLIENT_IPADDRV4 | IPv4 address: The IPv4 address of the network device where the request came from. The address is a 4-byte numeric value in network byte order.
AUTHREQ_CLIENT_IPADDRV6 | IPv6 address: The IPv6 address of the network device where the request came from. The address is a 16-byte numeric value in network byte order.
len The address of a variable that stores the length of the requested value.
value The address of a pointer that points to the content of the value.
Output
len The input integer stores the length of the value (in bytes).
value The input pointer points to the content of the value for non-scalar types of data. You must copy the contents of the value. The memory for the value must not be freed after you copy the contents. The input pointer points to NULL if the client uses an IPv4 address and the infotype argument is AUTHREQ_CLIENT_IPADDRV6. The input pointer also points to NULL if the client uses an IPv6 address and the infotype argument is AUTHREQ_CLIENT_IPADDRV4.
Return
Returns one of the following values:
• SDK_SUCCESS if the operation succeeds.
• SDK_INVALID_ARG if the arguments are invalid.
Logging APIs
This section discusses the APIs that can be used to customize the logging functionality of the HP-UX AAA Server.
NOTE: The HP-UX AAA Server supports two logging subsystems that are used simultaneously: a standard logging subsystem that can be directed to an AAA log file, stdout, or syslog, and a debug log file that can be used for troubleshooting and debugging.
int sdk_logit()
int sdk_logit ( int level, const char *format, /* [arg,], */...)
Usage
Logs the provided log message to the logging facility specified when the HP-UX AAA Server was started. The facility can be one of the HP-UX AAA log files, syslog, or stdout. By default, log messages are written to the HP-UX AAA log files (the /var/opt/aaa/logs/ directory is the default location).
Input
level Log level from syslog.h. You can use one of the following log levels from /usr/include/syslog.h:
• Use LOG_EMERG if the system is unusable
• Use LOG_ALERT if action must be taken immediately
• Use LOG_CRIT for critical conditions
• Use LOG_ERR for error conditions
• Use LOG_WARNING for warning conditions
• Use LOG_NOTICE for normal but significant conditions
• Use LOG_INFO for informational conditions
NOTE: To use the above log levels, you must include syslog.h in your program.
format A printf-style format string.
arg Arguments to substitute into the format string. For more information, see the printf(3) manpage.
NOTE: If the arguments are insufficient for the format, the behavior can be unexpected.
Return
This API returns one of the following values:
0 If the message is logged.
1 If the message is queued.
-1 If the message is not logged or queued.
int sdk_log_debug()
int sdk_log_debug (int level, const char *format, /* [arg,], */...)
Usage
Logs the provided debug log message in the HP-UX AAA Server debug log file located at /var/opt/aaa/logs/radius.debug.
Input
level One of the HP-UX AAA Server debug levels. Table D-3 lists the HP-UX AAA Server debug levels.
Table D-3 HP-UX AAA Server Debug Levels
Debug Level | Level of Information
1 | Minimal information
2 | Level 1 information and high-level FSM output and limited function tracing
3 | Level 2 information and full function tracing
4 | Level 3 information and low-level FSM and configuration file output
format A printf-style format string.
arg Arguments to substitute into the format string. For more information, see the printf(3) manpage.
NOTE: If the arguments are insufficient for the format, the behavior can be unexpected.
Return
Returns one of the following values:
0 If the message is logged.
1 If the message is queued.
-1 If the message is not logged or queued.
Asynchronous Event and I/O APIs
The HP-UX AAA Server maintains a global list of file descriptors and calls system functions to monitor those descriptors for inbound messages. Programmers writing a socket-based AATV, or any file descriptor-based AATV, can use the APIs discussed in this section to register or unregister the socket (or file descriptor) with the HP-UX AAA Server and to schedule an event. This set of APIs can also be used when user profiles are stored in a repository that the HP-UX AAA Server software does not recognize: you can write your own action to communicate with the data store, or with an intermediary application, through a socket.
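Both sdk_logit and sdk_log_debug are printf-style, and the notes above warn that a format whose arguments do not match leads to unexpected behavior. The stand-alone C example below, added here and not part of the HP-UX AAA SDK, shows the two checks a practitioner would want around such a call: the level is validated against the syslog.h range before anything is formatted, and the wrapper carries the compiler's printf format attribute so mismatched arguments are reported at compile time. Data that originates from a request (a user name, a client address) is always passed through a "%s" conversion rather than being used as the format itself. model_logit, model_level_name, model_last_line and model_log_user_name are hypothetical names.

```c
/* Added example: a stand-alone model of a level-checked, printf-style log
 * call in the shape of sdk_logit/sdk_log_debug. Not the SDK; the names
 * model_* are hypothetical. Output is kept in a buffer so it can be inspected. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

static char model_last[512];   /* the most recently formatted line */

/* Map a syslog.h priority to its name; unknown levels map to NULL. */
const char *model_level_name(int level) {
    switch (level) {
    case LOG_EMERG:   return "EMERG";
    case LOG_ALERT:   return "ALERT";
    case LOG_CRIT:    return "CRIT";
    case LOG_ERR:     return "ERR";
    case LOG_WARNING: return "WARNING";
    case LOG_NOTICE:  return "NOTICE";
    case LOG_INFO:    return "INFO";
    case LOG_DEBUG:   return "DEBUG";
    default:          return NULL;
    }
}

/* Returns 0 if the message was formatted (the SDK's "logged"), -1 otherwise.
 * The format attribute makes gcc/clang flag calls whose arguments do not
 * match the format string, which is the failure mode the SDK notes warn about. */
#if defined(__GNUC__)
__attribute__((format(printf, 2, 3)))
#endif
int model_logit(int level, const char *format, ...) {
    va_list ap;
    int n;
    const char *name = model_level_name(level);
    if (name == NULL || format == NULL) return -1;      /* reject out-of-range levels */
    n = snprintf(model_last, sizeof model_last, "[%s] ", name);
    if (n < 0 || (size_t)n >= sizeof model_last) return -1;
    va_start(ap, format);
    n = vsnprintf(model_last + n, sizeof model_last - (size_t)n, format, ap);
    va_end(ap);
    return n < 0 ? -1 : 0;                                /* truncation is not an error here */
}

const char *model_last_line(void) { return model_last; }

/* Request-derived text goes through "%s"; it is never used as the format. */
int model_log_user_name(const char *user) {
    return model_logit(LOG_INFO, "authentication request for user %s", user);
}
```

In an AATV the same pattern applies to the real calls: keep the format string a literal, pass request attributes as arguments, and let the compiler check the pairing.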
int sdk_pollfd_register()
int sdk_pollfd_register (int fd, callback_f callback)
Usage
Registers a file descriptor with the HP-UX AAA Server and supplies a callback function to the HP-UX AAA Server. The descriptor and its callback function are added to the global list of file descriptors that the server monitors for inbound messages. The callback function is called when data is received on the file descriptor.
Input
fd The file descriptor to be registered.
callback The callback function that is called when data is received on the file descriptor. The callback function takes the file descriptor as its argument and returns an event code.
Return
Returns one of the following values:
• SDK_SUCCESS if the operation succeeds.
• SDK_INVALID_ARG if the arguments are invalid.
• SDK_FAILURE if the operation fails.
int sdk_pollfd_unregister()
int sdk_pollfd_unregister (int fd)
Usage
Unregisters a file descriptor from the HP-UX AAA Server. Once the descriptor is unregistered, the HP-UX AAA Server no longer monitors it for inbound messages.
Input
fd The file descriptor to be unregistered.
Return
Returns one of the following values:
• SDK_SUCCESS if the operation succeeds.
• SDK_INVALID_ARG if the arguments are invalid.
• SDK_FAILURE if the operation fails.
int sdk_schedule_event()
int sdk_schedule_event (sdk_authreq_t *authreq, char *aatv_name, int event_code)
Usage
Adds an authentication request and an event to the AAA global authentication request list, which schedules the event.
Input
authreq A pointer to an authentication request.
aatv_name The name of the AATV supplied for processing the request.
event_code The event code with which to resume processing the request from where it left off in the FSM.
Return
Returns one of the following values:
• SDK_SUCCESS if the operation succeeds.
• SDK_INVALID_ARG if the arguments are invalid.
• SDK_FAILURE if the operation fails.
Secondary APIs
This section discusses additional APIs that you can use to customize the HP-UX AAA Server.
sdk_authreq_t *sdk_get_authreq_by_id()
sdk_authreq_t *sdk_get_authreq_by_id(uint64_t authreq_id)
Usage
Obtains the authentication request through the request identifier and returns a pointer to the authreq structure.
Input
authreq_id A number used by the HP-UX AAA Server to uniquely identify an authentication request.
Return
Returns a pointer to the authreq found, or NULL if the operation fails.
char *sdk_get_config_dir()
Usage
Obtains the AAA configuration directory and returns the name of the configuration directory. The default configuration directory is /etc/opt/aaa/.
Return
Returns the name of the configuration directory if the operation succeeds, or NULL if the operation fails.
int sdk_set_authreq_info()
int sdk_set_authreq_info(sdk_authreq_t *authreq, u_char infotype, uint32_t len, void *value)
Usage
Sets fields of a request. In the current version of the HP-UX AAA Server, the only supported fields are the expiration time of a request, the message type (code) of a request, and the target host to which the request must be sent.
Input
authreq A pointer to an authreq.
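The register/unregister/callback pattern that sdk_pollfd_register and sdk_pollfd_unregister describe is the core of any socket-based AATV: the server keeps a global table of descriptors, polls them, and runs the registered callback when data arrives. The following stand-alone C model, added here as an illustration and not the HP-UX AAA Server's dispatcher, implements that table and one pass of the poll loop, and drives it with a socketpair standing in for the AATV's socket to the data store. model_pollfd_register, model_pollfd_unregister, model_poll_once, model_echo_cb and model_demo are hypothetical names; the callback signature (takes the fd, returns an event code) follows the description above.

```c
/* Added example: a stand-alone model of a polled descriptor table with
 * registered callbacks, in the shape of sdk_pollfd_register/unregister.
 * Not the HP-UX AAA Server's code; all model_* names are hypothetical. */
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>

#define MODEL_SUCCESS      0   /* constructed return codes, not the SDK's values */
#define MODEL_INVALID_ARG  1
#define MODEL_FAILURE      2
#define MODEL_MAX_FDS      16

typedef int (*model_callback_f)(int fd);   /* called with the fd, returns an event code */

static struct { int fd; model_callback_f cb; } model_table[MODEL_MAX_FDS];
static int model_nfds;

int model_pollfd_register(int fd, model_callback_f cb) {
    if (fd < 0 || cb == NULL) return MODEL_INVALID_ARG;
    for (int i = 0; i < model_nfds; i++)
        if (model_table[i].fd == fd) return MODEL_INVALID_ARG;   /* already registered */
    if (model_nfds == MODEL_MAX_FDS) return MODEL_FAILURE;       /* table full */
    model_table[model_nfds].fd = fd;
    model_table[model_nfds].cb = cb;
    model_nfds++;
    return MODEL_SUCCESS;
}

int model_pollfd_unregister(int fd) {
    for (int i = 0; i < model_nfds; i++)
        if (model_table[i].fd == fd) { model_table[i] = model_table[--model_nfds]; return MODEL_SUCCESS; }
    return MODEL_INVALID_ARG;
}

/* One dispatcher pass: poll every registered fd, run the callback of each readable one.
 * Returns the number of callbacks invoked, or -1 if poll(2) fails. */
int model_poll_once(int timeout_ms) {
    struct pollfd pfd[MODEL_MAX_FDS];
    int n = model_nfds, fired = 0;
    if (n == 0) return 0;
    for (int i = 0; i < n; i++) { pfd[i].fd = model_table[i].fd; pfd[i].events = POLLIN; pfd[i].revents = 0; }
    if (poll(pfd, (nfds_t)n, timeout_ms) < 0) return -1;
    for (int i = 0; i < n; i++) {
        if (!(pfd[i].revents & (POLLIN | POLLHUP | POLLERR))) continue;
        /* look the callback up by fd again: a callback may unregister entries */
        for (int j = 0; j < model_nfds; j++)
            if (model_table[j].fd == pfd[i].fd) { model_table[j].cb(pfd[i].fd); fired++; break; }
    }
    return fired;
}

/* Demo callback: drain the descriptor and remember what arrived (constructed for the demo). */
static char model_received[64];
static int model_echo_cb(int fd) {
    ssize_t r = read(fd, model_received, sizeof model_received - 1);
    if (r < 0) r = 0;
    model_received[r] = '\0';
    return (int)r;   /* the "event code" here is simply the byte count */
}

/* Register one end of a socketpair, write on the other, dispatch once.
 * Returns the text the callback read, or NULL on any failure. */
const char *model_demo(void) {
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return NULL;
    if (model_pollfd_register(sv[0], model_echo_cb) != MODEL_SUCCESS) return NULL;
    const char msg[] = "profile lookup reply for user bob";   /* constructed payload */
    if (write(sv[1], msg, sizeof msg - 1) != (ssize_t)(sizeof msg - 1)) return NULL;
    if (model_poll_once(1000) != 1) return NULL;
    model_pollfd_unregister(sv[0]);
    close(sv[0]); close(sv[1]);
    return model_received;
}

int main(void) {
    const char *got = model_demo();
    printf("callback received: %s\n", got ? got : "(nothing)");
    return got ? 0 : 1;
}
```

Two details carry over to a real AATV: unregister the descriptor before closing it, so the dispatcher never polls a stale or reused fd number, and treat POLLHUP and POLLERR as reasons to run the callback so the AATV notices a dropped connection to its data store.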
infotype The information type. It can be set to one of the following:
• AUTHREQ_TTL — the time to live of an authentication request. The time to live has a type of unsigned character.
• AUTHREQ_CODE — the message type (code) of a request. The message type (code) has a type of unsigned short.
• AUTHREQ_TARGET_HOST — the target host to which the request must be sent. It has a type of string.
len The length of the value to be set, in bytes.
value A pointer to the value to be set.
Return
Returns one of the following values:
• SDK_SUCCESS if the operation succeeds.
• SDK_INVALID_ARG if the arguments are invalid.
• SDK_FAILURE if the operation fails.
int sdk_get_client_info()
int sdk_get_client_info(char *client, u_char infotype, uint32_t *len, void **value)
Usage
Obtains configuration information from the client entry whose host name or IP address matches.
Input
client String representation of the client's IPv4 or IPv6 address, or the fully qualified domain name of the client.
infotype The information type. Table D-4 lists the valid values of the infotype parameter.
Table D-4 Possible Values of the infotype Parameter
Information Type Value | Description
CLIENT_SHARED_SECRET | The shared secret between the client and the HP-UX AAA Server. The shared secret is a character string.
CLIENT_AUTHEN_PORT | The UDP port to which authentication or authorization messages must be sent. The port has a type of unsigned short.
CLIENT_ACCT_PORT | The UDP port to which accounting messages must be sent. The port has a type of unsigned short.
CLIENT_TYPE | Client types, such as CE_DAS, CE_NAS, and CE_PROXY. For more information on these client types, see the sdk.h header file. The client type field has a type of uint32_t.
len The address of a variable that stores the length of the requested value.
value The address of a pointer that will point to the content of the requested value.
Output
len The input variable stores the length of the value (in bytes).
value The input pointer points to the content of the value. You must copy the contents of the value. The memory for the value must not be freed once you copy the contents.
Return
Returns one of the following values:
• SDK_SUCCESS if the operation succeeds.
• SDK_INVALID_ARG if the arguments are invalid.
• SDK_FAILURE if the operation fails.
int sdk_decrypt_passwd()
int sdk_decrypt_passwd(sdk_authreq_t *authreq, char *enpasswd, uint32_t enpwlen, char *clpasswd, uint32_t *clpwlen)
Usage
Decrypts the password.
Input
authreq A pointer to an authentication request.
enpasswd A pointer to the encrypted password string.
enpwlen The length of the encrypted password.
clpasswd A pointer to the buffer where the clear text password is to be stored.
clpwlen A pointer to an integer where the size of the clear text password is to be stored.
Output
clpasswd A pointer to the clear text password.
clpwlen A pointer to the length of the clear text password.
Return
Returns one of the following values:
• SDK_SUCCESS if the operation succeeds
• SDK_INVALID_ARG if the arguments are invalid
int sdk_encrypt_passwd()
int sdk_encrypt_passwd (sdk_authreq_t *authreq, char *clpasswd, uint32_t clpwlen, char *enpasswd, uint32_t *enpwlen)
Usage
Encrypts the password.
Input
authreq A pointer to an authentication request.
clpasswd A pointer to the clear text password string.
clpwlen The length of the clear text password.
enpasswd A pointer to the buffer where the encrypted password is to be stored.
enpwlen A pointer to an integer where the length of the encrypted password is to be stored.
Output
enpasswd A pointer to the encrypted password string.
enpwlen A pointer to the length of the encrypted password string.
Return
Returns one of the following values:
• SDK_SUCCESS if the operation succeeds
• SDK_INVALID_ARG if the arguments are invalid
sdk_authreq_t *sdk_authreq_allocate()
sdk_authreq_t *sdk_authreq_allocate()
Usage
Allocates memory for a request.
Return
Returns a pointer to the allocated authreq structure, or NULL if there is not enough memory.
void sdk_authreq_free()
void sdk_authreq_free(sdk_authreq_t *authreq)
Usage
Frees the memory allocated for a request.
Input
authreq A pointer to an authreq.
int sdk_enqueue_authreq()
int sdk_enqueue_authreq(sdk_authreq_t *authreq)
Usage
Enqueues the request to a request queue.
Input
authreq A pointer to an authreq.
Return
Returns one of the following values:
• SDK_SUCCESS — if the operation succeeds.
• SDK_INVALID_ARG — if the arguments are invalid.
• SDK_FAILURE — if the operation fails.
E Syntax of the Decision Files in Earlier Versions of the HP-UX AAA Server
This appendix describes the syntax of the decision files that are present in earlier versions of the HP-UX AAA Server. While decision files created using this syntax are supported in this version of the HP-UX AAA Server, HP encourages customers to use the syntax described in Chapter 27 (page 411) to create new decision files, because the new syntax offers more advanced customization options (such as configuring OTP authentication).
Following is the syntax of a decision file in earlier versions of the HP-UX AAA Server:
Group Name {
    Condition {
        expression
    }
    Reply {
        reply-items . . .
    }
}
where:
Group Name Begins the group entry by specifying a name for the group.
Condition Block that contains an expression of A-V pairs. The expression evaluates to true or false to determine whether the user belongs to the group. If the condition is not defined in the group entry, the group matches all requests.
Reply Block that contains a list of one or more reply items that are added to the request if the condition evaluates to true.
Expressions
The simplest expression is a comparison of two A-V pairs with one relational operator. You can use relational and Boolean operators to create an expression from various combinations of A-V pairs. Table E-1 lists the operators that you can use.
Table E-1 A-V Pair Expression Operators
Operator | Description
= | Equal to
!= | Not equal to
> | Greater than
< | Less than
>= | Greater than or equal to
<= | Less than or equal to
&& | Logical AND
|| | Logical OR
! | Logical NOT
You can also use parentheses to nest expressions. Line breaks are not significant. Table E-2 illustrates some expressions that you can use to control access depending on the dial-in phone number and the time of the call.
Table E-2 A-V Pair Expression Examples
Expression Example | Description
Calling-Station-Id = 123456789 || Called-Station-Id = 8005551212 | Allows access if either the calling number or the called number matches the specified value.
Day-Of-Week >= Monday && Day-Of-Week <= Friday | Allows access if the day of the week is between Monday and Friday.
((Calling-Station-Id = 123456789 || Calling-Station-Id = 987654321) && Called-Station-Id = 8005551212) || !(Day-Of-Week >= Monday && Day-Of-Week <= Friday) | Allows access when one of the following is true: • The calling number matches either specified value, and the called number matches the specified number. • The day of the week is not between Monday and Friday.
Your expressions can be as short or as long as you like. Only one group match is made for each request. You can use short expressions and manage each distinct decision (DNIS routing, dynamic access control, membership in groups, and so on) in a separate file. Alternatively, you can create a single file with longer expressions that cover a wide range of decision criteria.
Specifying Attributes in Group Entries
You can create decision groups for provisioning with the A-V pairs that may be used in a user profile, and for session logging with accounting attributes. For more information, see Chapter 12: "Logging and Monitoring" (page 142). In addition, you can use the following attributes to define a group condition or reply.
Dynamic Access Control
Day-Of-Week A string representing the day of the week (spelled out or as a three-letter abbreviation), or a number from 0 to 6, where 0 represents Sunday and 6 represents Saturday. This attribute is compared to the current system clock of the system hosting the HP-UX AAA Server that is making the comparison.
Date-Time A 24-hour clock value in yyyy:mm:dd:hh:mm format. This attribute is compared to the current system clock of the system hosting the HP-UX AAA Server that is making the comparison.
Time-of-Day A 24-hour clock value in hh:mm format. This attribute is compared to the current system clock of the machine hosting the AAA server that is making the comparison. Hours must be two digits, for example, 08:00, not 8:00.
Internal Values
Decision Assign a value to this attribute that corresponds to a predefined or custom event. That event is returned to the FSM when the group entry's condition evaluates to true.
Interlink-Packet-Code An integer value that indicates what type of RADIUS message has been received: either 1 (Access-Request) or 4 (Accounting-Request).
Interlink-Proxy-Action A string determined by information in an Access-Request or Accounting-Request. It indicates the name of the starting event in the FSM when the HP-UX AAA Server receives a RADIUS message. You can preempt this value by beginning radius.fsm with an *.*.ACK event that invokes the POLICY action, which can then determine the start event based on a policy decision.
User-Id After the HP-UX AAA Server parses the NAI, it assigns the user name to this attribute.
User-Realm After the AAA server parses the NAI, it assigns the realm to this attribute.
Using Indirection
You can also use indirection to compare or assign attribute values to each other. Follow a Test Operator $Value$Pos$Len syntax, where Test is the attribute to check or to assign a value to, Value is the attribute with the value to check against or to assign to the Test attribute, and Operator is the relational or Boolean operator to use. $Pos and $Len are optional parameters that allow you to test or assign a substring of the specified Value attribute: Pos indicates the index position in the attribute's value at which the substring begins, and Len, if specified, determines its length.
When used in the condition section of a group entry, indirection checks values. When used in the reply section, it assigns a value.
For example, the expression Port-Id <= $Port-Limit would only allow access to users who access the server through ports that do not exceed the limit set in their profile. As a reply item, Decision = $Interlink-Proxy-Action would assign the current FSM event to the Decision attribute.
Notes:
• Test = $Value$Pos$Len adds a new A-V pair to the request. It does not update an existing pair. For example, when the request includes a Test = "String" A-V pair, the expression Test = $Test$2$3 appends Test = "rin" to the request, which results in both Test = "String" and Test = "rin" being in the request.
• Because the left-side attribute is handled differently from the right-side attribute value, multiple instances of an attribute in a request can cause unexpected indirection results. Each instance of the left-side attribute is AND'd, but only the value of the right-side attribute's last instance is used. For example, the expression Test < $Test evaluates to FALSE as (Test1 < 1) && (Test2 < 1) when the request contains the A-V pairs Test1 = 1 and Test2 = 2.
Example Group Entries
This section discusses the syntax of the sample decision files that are included in earlier versions of the HP-UX AAA Server:
• /opt/aaa/examples/config/DNIS.grp for DNIS routing
• /opt/aaa/examples/config/DAC.grp for dynamic access control
For information on using the sample DNIS and DAC decision files present in the current version of the HP-UX AAA Server, see "Modifying the FSM for Specific Customizations" (page 441).
DNIS.grp for DNIS Routing
The following example shows a simple DNIS routing scheme. For an example of a modified radius.fsm file that works with this decision file, see Chapter 12: "Logging and Monitoring" (page 142).
1 Group Controlled-Access {
2     Condition {
3         (Calling-Station-Id = 1234567890) ||
4         (Called-Station-Id = 8005551212)
5     }
6     Reply {
7         Authentication-Type = radius
8         Server-Name = flatland.com
9         Server-Port = 1812
10        Decision = Forward
11    }
12 }
13 Group Denied-Access {
14     Condition {
15         Called-Station-Id = 8001234567
16     }
17     Reply {
18         Authentication-Type = blackhole
19         Decision = Abandon
20     }
21 }
22 Group NORMAL {
23     Reply {
24         Decision = $Interlink-Proxy-Action
25     }
26 }
Line 1 Names the first group entry Controlled-Access.
Lines 2 to 5 If the user calls from 1234567890, or calls into 8005551212, the user belongs to this group.
Lines 7 to 9 The Authentication-Type attribute indicates that requests from members of this group must be proxied. The Server-Name and Server-Port attributes specify flatland.com:1812 as the remote server that must receive the proxied request.
Line 10 The Decision attribute returns the Forward value to the FSM as an event. The radius.fsm file must be modified to recognize this event and to call the RADIUS module when it occurs. For more information, see Chapter 12: "Logging and Monitoring" (page 142).
Line 13 Names the second group entry Denied-Access.
Lines 14 to 16 If the user calls into 8001234567, the user belongs to this group.
Line 18 The Authentication-Type attribute indicates that the request must be ignored.
Line 19 The Decision attribute returns the Abandon value to the FSM as an event. The radius.fsm file must be modified to recognize this event and to end the request when it occurs. For more information, see Chapter 12: "Logging and Monitoring" (page 142).
Line 22 Names the third group NORMAL. Requests that do not match the previous two groups are matched to this group, because this group entry does not include a condition section.
Line 24 This line uses indirection to pass the current event ($Interlink-Proxy-Action) to the FSM. As a result, the HP-UX AAA Server handles the request as if DNIS routing had not occurred.
DAC.grp for Dynamic Access Control
The example discussed in this section shows a simple DAC decision scheme based on the value of an Access-Group attribute:
• Allow access to users in the weekday group during a weekday
• Allow access to users in the daytime group during the day
• Allow access to users in the nighttime group during the night
• Otherwise, deny access
For an example of a modified radius.fsm file that works with this decision file, see Chapter 12: "Logging and Monitoring" (page 142). This decision file works only if the Access-Group attribute is added to the dictionary file and to the user profiles as a configuration item. For more information, see "The dictionary File" (page 531).
1 Group Weekday-Access {
2     Condition {
3         (Access-Group = weekday) &&
4         ((Day-Of-Week >= Monday) && (Day-Of-Week <= Friday))
5     }
6     Reply {
7         Decision = ACK
8         Reply-Message = "Weekday access allowed"
9     }
10 }
11 Group Daytime-Access {
12     Condition {
13         (Access-Group = daytime) &&
14         ((Time-Of-Day >= 06:00) && (Time-Of-Day <= 20:00))
15     }
16     Reply {
17         Decision = ACK
18         Reply-Message = "Daytime access allowed"
19     }
20 }
21 Group Nighttime-Access {
22     Condition {
23         (Access-Group = nighttime) &&
24         ((Time-Of-Day < 06:00) || (Time-Of-Day > 20:00))
25     }
26     Reply {
27         Decision = ACK
28         Reply-Message = "Nighttime access allowed"
29     }
30 }
31 Group Denied-by-timed-access {
32     Reply {
33         Decision = NAK
34         Reply-Message = "Time-Based access denied"
35     }
36 }
Line 1 Names the first group entry Weekday-Access.
Lines 2 to 5 If the user belongs to the weekday access group and calls on a weekday, the user belongs to this group.
Line 7 The Decision attribute returns the ACK value to the FSM as an event, which accepts the request.
Line 8 Specifies a message that is sent back to the user.
Lines 11 to 30 Define the second and third groups with a structure similar to the first group entry.
Line 31 Names the fourth group Denied-by-timed-access. Requests that do not match the previous groups are matched to this group, because this group entry does not include a condition section.
Line 33 The Decision attribute returns the NAK value to the FSM as an event, which rejects the request.
Line 34 Specifies a message that is sent back to the user.
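The DAC.grp file above combines the expression operators of Table E-1 with the Day-Of-Week and Time-Of-Day attributes, and relies on two rules stated earlier in this appendix: only one group match is made per request (the first matching group in file order wins), and a group without a condition matches every request. The stand-alone C example below, added here and not the HP-UX AAA Server's own evaluator, models those four groups so the decision logic can be checked against sample inputs before the file is deployed. It parses Day-Of-Week as the appendix describes (a spelled-out name, a three-letter abbreviation, or 0 to 6 with 0 as Sunday) and Time-Of-Day as hh:mm with a two-digit hour, so the 8:00 versus 08:00 caveat shows up as a parse failure. dac_day_of_week, dac_time_of_day, dac_decide and dac_result are hypothetical names; treating an unparseable time as satisfying no comparison is an assumption of this model.

```c
/* Added example: a C model of the four-group DAC.grp decision above.
 * Not the HP-UX AAA Server's evaluator; dac_* names are hypothetical. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

static int dac_eq_nocase(const char *a, const char *b, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i])) return 0;
    return 1;
}

/* Day-Of-Week: full name, three-letter abbreviation, or "0".."6" (0 = Sunday). -1 if invalid. */
int dac_day_of_week(const char *s) {
    static const char *names[7] = {"sunday", "monday", "tuesday", "wednesday",
                                   "thursday", "friday", "saturday"};
    size_t n = strlen(s);
    if (n == 1 && s[0] >= '0' && s[0] <= '6') return s[0] - '0';
    for (int i = 0; i < 7; i++) {
        size_t k = strlen(names[i]);
        if ((n == 3 || n == k) && n <= k && dac_eq_nocase(s, names[i], n)) return i;
    }
    return -1;
}

/* Time-Of-Day: strict hh:mm with a two-digit hour, as the appendix requires.
 * Returns minutes since midnight, or -1 for anything else (e.g. "8:00"). */
int dac_time_of_day(const char *s) {
    if (strlen(s) != 5 || s[2] != ':') return -1;
    for (int i = 0; i < 5; i++)
        if (i != 2 && !isdigit((unsigned char)s[i])) return -1;
    int h = (s[0] - '0') * 10 + (s[1] - '0');
    int m = (s[3] - '0') * 10 + (s[4] - '0');
    if (h > 23 || m > 59) return -1;
    return h * 60 + m;
}

typedef struct { const char *decision; const char *reply_message; } dac_result;

/* Evaluate the groups in file order; the first match wins. The last group has
 * no condition, so it is the result whenever nothing above it matches. */
dac_result dac_decide(const char *access_group, const char *day, const char *time) {
    dac_result r = { "NAK", "Time-Based access denied" };   /* Denied-by-timed-access */
    if (access_group == NULL || day == NULL || time == NULL) return r;
    int dow = dac_day_of_week(day);
    int tod = dac_time_of_day(time);   /* -1 (invalid) satisfies no comparison below: model assumption */
    /* Weekday-Access: (Access-Group = weekday) && (Monday <= Day-Of-Week <= Friday) */
    if (strcmp(access_group, "weekday") == 0 && dow >= 1 && dow <= 5) {
        r.decision = "ACK"; r.reply_message = "Weekday access allowed"; return r;
    }
    /* Daytime-Access: (Access-Group = daytime) && (06:00 <= Time-Of-Day <= 20:00) */
    if (strcmp(access_group, "daytime") == 0 && tod >= 6 * 60 && tod <= 20 * 60) {
        r.decision = "ACK"; r.reply_message = "Daytime access allowed"; return r;
    }
    /* Nighttime-Access: (Access-Group = nighttime) && (Time-Of-Day < 06:00 || Time-Of-Day > 20:00) */
    if (strcmp(access_group, "nighttime") == 0 && tod >= 0 && (tod < 6 * 60 || tod > 20 * 60)) {
        r.decision = "ACK"; r.reply_message = "Nighttime access allowed"; return r;
    }
    return r;
}

int main(void) {
    /* constructed sample requests: Access-Group, Day-Of-Week, Time-Of-Day */
    const char *samples[][3] = { {"weekday", "Wed", "23:00"}, {"daytime", "Sat", "12:00"},
                                 {"nighttime", "Sun", "8:00"}, {"weekday", "Saturday", "09:00"} };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        dac_result r = dac_decide(samples[i][0], samples[i][1], samples[i][2]);
        printf("%-9s %-8s %-5s -> %s (%s)\n", samples[i][0], samples[i][1], samples[i][2],
               r.decision, r.reply_message);
    }
    return 0;
}
```

Note what the model makes visible: a weekday-group user is accepted at any hour on a weekday (the first group has no time condition), and a request whose Time-Of-Day is written as 8:00 rather than 08:00 falls through to the unconditioned deny group, which is the safe default for a malformed value.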
Glossary of Terms

A - B

A-V Pair: Attribute-value pair.
AAA: Abbreviation for Authentication, Authorization, and Accounting.
AAA Server: A software application that performs authentication, authorization, and accounting functions.
Access-Accept: AAA Server returns an Access-Accept to the client when an Access-Request is valid. The Access-Accept will contain A-V pairs that specify what services the authenticated user is authorized to use.
Access-Challenge: The AAA Server returns an Access-Challenge to the client when it is necessary to issue a challenge that the user must respond to. The client will resubmit the request with the user-supplied information to the AAA Server.
Access-Reject: The AAA Server returns an Access-Reject to the client when an Access-Request is invalid.
Access-Request: Created by the client, the Access-Request contains A-V Pairs, such as the user’s name, password, and ID of the client. The client submits the Access-Request to an AAA Server. If the server can validate the client, the server will attempt to match a user entry in its database with information in the Access-Request to authenticate the user.
Accounting: Logging session and usage information for session control and billing purposes.
Administrator: Special user, known by the system on which the AAA Server is running. The administrator is able to configure and to manage the AAA Server.
Application Service Provider: Third-party entities that manage and distribute software-based services and solutions to customers across a wide area network from a central data center, abbreviated as ASP.
ASP: Application Service Provider.
Attribute-Value Pair: The RADIUS protocol defines things in terms of attributes. Each attribute may take on one of a set of values. When a RADIUS packet is exchanged among clients and servers, one or more attributes and values are sent pairwise from the client to the server. For the AAA Server software, all valid attributes and values are listed in the dictionary file, abbreviated as A-V pair.
Authentication: The process of identifying and proving the identity of an entity, for example, a user, a network client, or a network server.
Authorization: The process of determining what types of activities are permitted. Usually, authorization is in the context of authentication; once users are authenticated, they may be authorized different types of access or activity.
Bit mask: A method for storing settings. A bit mask makes use of the fact that binary numbers are made up of 1's and 0's. Each digit in a binary number is equivalent to one bit. In the HP-UX AAA Server, bit masks are used to set different configurations while setting up OTP authentication.
C - D
Challenge Handshake Authentication Protocol: Log-in security procedure for dial-in access. Rather than send an unencrypted password, a random number is sent to the client as a challenge. The challenge is one-way hashed with the password, and the result is sent back to the server. The server does the same with its copy of the password and verifies that it gets the same result to authenticate the user, abbreviated as CHAP.
CHAP: Challenge Handshake Authentication Protocol.
Client: NAS, proxy server, or other networking device that uses the AAA Server services to authenticate and authorize users.
Common Open Policy Service: A query and response protocol that can be used to exchange policy information between a policy server (Policy Decision Point or PDP) and its clients (Policy Enforcement Points or PEPs, such as a router), abbreviated as COPS.
COPS: Common Open Policy Service.
DHCP (Dynamic Host Configuration Protocol): Protocol that automatically and dynamically assigns IP addresses.
Dialed Number Identification Service: Each request is authenticated locally or forwarded to a remote server according to the number called to access a network service.
DNIS: Dialed Number Identification Service.
Dynamic Authorization: A capability of the HP-UX AAA Server that enables RADIUS-server initiated requests to be sent to the authenticator.
E - F - G
EAP: Extensible Authentication Protocol.
EAP-AKA: EAP Authentication and Key Agreement (AKA) authentication method. EAP-AKA is an authentication and session key distribution mechanism used in the third generation mobile networks: UMTS and CDMA 2000.
EAP-SIM: EAP Subscriber Identity Module (SIM) authentication method. An authentication method capable of operating in wireless networks.
Extensible Authentication Protocol: Described in RFC 2284, abbreviated as EAP.
Finite State Machine: The Finite State Machine is the component of the AAA Server software that controls the flow of access request authentication and accounting request handling, abbreviated as FSM.
Forwarding Server: The AAA Server that receives an Access-Request from a client and forwards that request to another AAA server for authentication.
FSM: Finite State Machine.
GTC (Generic Token Card): Carries user specific token cards for authentication. The main feature in GTC is Digital Certificate/Token Card-based Authentication.
H - I - J - K
Hard token: Also called token devices. A physical authentication device such as a SmartCard that displays the OTP.
Hint: When a user requests access to a service of a specific configuration, a client may provide this information in an Access-Request as a hint to the AAA Server. The server may reject the request based on the hints or supply the service as specified by the hints, by the server’s configuration, or by a combination of the hints and the server’s configuration.
IETF: Internet Engineering Task Force.
Integrated Services Digital Network: A digital access line, abbreviated as ISDN.
Interlink: Used to connect multiple AAA servers in a fabric with SLAs and to establish policies among them.
Internet Engineering Task Force: Internet standards setting organization, abbreviated as IETF.
Internet Protocol: A Layer 3 (network layer) protocol that contains addressing information and some control information that allows packets to be routed, abbreviated as IP.
Internet Research Task Force: A group associated with IETF focusing on research rather than standards, abbreviated as IRTF.
Internet Service Provider: Communications service company that provides Internet access and services to its customers. ISPs range in size from small independents serving a local calling area to large, established telecommunications companies, abbreviated as ISP.
IP: Internet Protocol.
IPv6: IPv6 is the new version of the Internet Protocol (IP) that builds on the current version of IP (IPv4). IPv6 provides improvements in addressing, configuration, and security.
IRTF: Internet Research Task Force.
ISDN: Integrated Services Digital Network.
ISP: Internet service provider.
L - M - N
LAS: Local Authorization Server.
LDAP: Lightweight Directory Access Protocol.
Lightweight Directory Access Protocol: Used for directories providing naming, location, management, security, and other services for Internet networking, abbreviated as LDAP.
Local Authorization Server: A Local authorization server is the HP-UX AAA code that authorizes, accounts, and bills users based on realms, abbreviated as LAS.
MS-CHAP: Microsoft Challenge-Handshake Authentication Protocol is an implementation of the CHAP protocol that Microsoft created to authenticate remote Windows workstations. In most respects, MS-CHAP is identical to CHAP, but there are a few differences. MS-CHAP is based on the encryption and hashing algorithms used by Windows networks, and the MS-CHAP response to a challenge is in a format optimized for compatibility with Windows operating systems.
NAI: Network Access Identifier.
NAS: Network Access Server.
navigation tree: Refers to the navigation links on the left side of the Server Manager GUI.
Network Access Server: A device that interfaces telephony circuits to the network, abbreviated as NAS.
Numbers and Symbols
Secure LAN Advisor: The Secure LAN Advisor is an HTML tutorial/help system in the Server Manager GUI that walks you through the tasks and Server Manager screens for securing WLANs with the HP-UX AAA Server.
O - P - Q
OATH: An industry-wide collaboration to develop an open-reference architecture for two-factor and OTP authentication.
OTP: One-Time Password. This password is valid for one-time use only. Using an OTP reduces the risk of an unauthorized intruder gaining access to the network.
PAP: Password Authentication Protocol.
Password Authentication Protocol: A simple password protocol that transmits a user name and password across the network, unencrypted, abbreviated as PAP.
PEAP (Protected EAP): Functionally very similar to TTLS, but does not encapsulate legacy authentication methods. PEAP features include: Dynamic Key Exchange; Mutual Authentication; and, Encrypted Tunnelling.
Point-to-Point Protocol: The standard protocol for dial-up networking. The family of standards covers many aspects including authentication, encryption, compression, addressing, multi-protocols, etc., abbreviated as PPP.
Policy: Policy is a very broadly used term. To the AAA server, it means the conditionally applicable set of attribute-value pairs that an AAA protocol, such as RADIUS, may support. HP-UX AAA policies are simple or complex decisions that control the authentication, authorization, and accounting process for a user's access request.
PPP: Point-to-Point Protocol.
Protocol: A set of rules established between two devices to allow communications to occur.
Proxy: The mechanism that allows one system to mediate between two other systems in response to protocol requests. A RADIUS server can act as a proxy client and forward an Access-Request to another AAA server for authentication. As a proxy client, the server would mediate the requests and replies between the client where the Access-Request originated from and the server that the request was forwarded to.
R - S
RADIUS: Remote Access Dial In User Service.
RADIUS Client: A NAS or other device that sends requests to an AAA server.
RAS: Remote Access Server.
Realm: A realm is a logical group of users, who usually can be authenticated using one particular method. Grouping users into realms simplifies the management of those users in a distributed environment. For example, an ISP’s users may be from different organizations located in different cities. Each organization already has one way or another to authenticate its users and each corresponds to a realm. Each realm would be responsible for managing its users, providing authentication and authorization for their access requests. A realm has a name that looks very much like a domain name, but they bear different meanings. Realms are only used by the AAA Server to determine where an authentication request should be sent and what kind of authentication to request, etc. Naming a realm with its domain name simplifies things for the users, since their access ids will then look the same as their e-mail addresses. A realm may also have multiple aliases, providing a way to shorten long realm names.
Remote Access Dial In User Service: An authentication and accounting protocol defined by the IETF in a series of RFCs, abbreviated as RADIUS.
Remote Access Server: A service that allows remote clients running Microsoft Windows or Windows NT to dial in to a network, abbreviated as RAS.
Remote Server: In the context of a proxied Access-Request, the remote server is the AAA server that receives the request from the forwarding server. The remote server authenticates the request and sends a reply to the forwarding server.
Request For Comment: The basis for an IETF standard, abbreviated as RFC.
RFC: Request For Comment.
SAT: Simultaneous access token.
Server Manager: A Web-based graphical user interface which provides an interface between an administrator and the AAA servers. In addition to creating, modifying, and deleting entries in many of the server’s configuration files, an administrator may start and stop the AAA server, access the server’s status and system time, retrieve information from accounting and session logs, and terminate sessions.
Service: The RADIUS client provides a service to the dial-in user, such as PPP or Telnet.
Session: Each service provided by the client to a dial-in user constitutes a session, with the beginning of the session defined as the point where service is first provided and the end of the session defined as the point where service is ended. A user may have multiple sessions in parallel or series if the RADIUS client supports that feature.
Simple Network Management Protocol (SNMP): SNMP provides a mechanism for a centrally located management workstation to monitor the activity of remote computers and network services.
Simultaneous Access Token: The concept of token helps define and enforce policies in regard to modem pool sharing among various participating institutions. A simultaneous access token is required when a user accesses a non-priority modem. Tokens are allocated to realms and are grouped into pools. The total number of tokens a realm has is defined by the HP-UX AAA server so that the LAS may control simultaneous use, abbreviated as SAT.
SLA: Service Level Agreement.
SLS: Service Level Specification.
Soft Token: Software that enables an existing smart phone or PDA to act as a one-time password token.
SQL Access: A feature that allows AAA Server to interact with an SQL compliant database.
T - U - V - W - X - Y - Z
TLS (Transport Layer Security): Uses TLS (also known as SSL) to authenticate the client using its digital certificate. Note: some wireless supplicants require specific extensions to support certificates for EAP. TLS features include: Dynamic Key Exchange; Mutual Authentication; Digital Certificate/Token Card-based Authentication; and, Encrypted Tunnelling.
Token: See Simultaneous Access Token.
Token Pool: A token pool contains a number of tokens belonging to some organization and having a given name. These tokens may be shared among one or more realms.
TTLS (Tunnelled-Transport Layer Security): Can carry additional EAP or legacy authentication methods like PAP and CHAP. Integrates with the widest variety of password storage formats and existing password-based authentication systems. Wireless supplicants available for a large number of clients. TTLS features include: Dynamic Key Exchange; Mutual Authentication; Password-based Authentication; and, Encrypted Tunnelling.
Tunneling: A secure connection between a client workstation and an intranet or other network, that provides a VPN to a user. This connection may be a voluntary tunnel initiated by the client or a compulsory tunnel initiated during authentication by a server or other dedicated network equipment.
Users: Individuals whom the AAA server must authenticate and authorize before they can access an organization’s service, such as Internet access through an ISP.
Virtual Private Network: A network service offered by public carriers in which the user is provided a network that in many ways appears as if it is a private network (user-unique addressing, network management capabilities, dynamic reconfiguration, etc.) but which, in fact, is provided over the carrier's public network facilities, abbreviated as VPN.
VPN: Virtual Private Network.
Index
Symbols
3GPP Milenage, 269

A
A-V pair
    pruning, 533
    removing, 533
A-V pair, configuration attributes, 548
A-V pair, specifying, 546
A3, 227
A8, 227
AAA proxy, 319
AAA Server As A Client Properties, 140
AAA Server upgrade, 49
aaa.config, 235, 247
aaa.config - general information, 520
AATV components, 449
    action function, 449
    cleanup function, 450
    init function, 449
    timer or callback function, 450
access device screen, Server Manager, 100
access device, deleting, 93, 104
account logging, Server Manager, 149
accounting
    log file, 145
    session record format, 150
acquiring HP-UX AAA Server software, 54
action
    Check and Reply, 598
Action-n - FSM, 398
actions, 403
adding AAA servers, 82
alternate FSM file - specifying, 79
attribute
    dictionary file, 532
attribute functions, 424
    count, 424
    length, 424
    substr, 426
    tolower, 429
    toupper, 430
attribute instance specifications, 422
    keyword instance, 423
    no instance, 423
    numeric instance, 423
authentication
    access request steps, 42
authentication stages, 43
authfile, 229
    alternate, 399
auto-starting the server, 80

B
Boolean operator precedence and association rules, 433

C
Certificate properties, 137
Change-Of-Authorization (CoA), 297
changing defaults, 63
changing defaults, RMI Objects, 64
changing defaults, secrets, 64
changing defaults, tomcat UID/password, 63
Check and Reply Items
    decision file attributes
        group entries - action, 598
        group entries - Date-Time, 598
        group entries - decision, 598
        group entries - finite state machine, 598
        group entries - Interlink-Packet-Code, 598
        group entries - Interlink-Proxy-Action, 598
        group entries - User-Realm, 598
client
    general information, 526
    syntax, 526
CLIENT AATV, 292
Client Action Properties, 140
client functionality, 291
configuration
    dictionary, 531
    tokenpool, 536
configuration, loading, 95
configuration, saving, 96
Conversion Functions, 341

D
Date-Time - Check and Reply, 598
decision - Check and Reply, 598
decision file
    expression, 596
    new syntax, 412
    old syntax, 596
default realm, 110
DHCP, 390
DHCP address pools, 390
DHCP properties, 133
dictionary file
    attribute entry, 532
    general information, 531
    syntax, 532
digital certificates, 164
digital certificates, defining on AAA servers, 167
digital certificates, installing, 166
digital certificates, self-signed, 165
Disconnect, 297
DNIS routing, 444
DNS properties, 134
dynamic access control, 442
Dynamic Authorization, 297
Dynamic Authorization proxy functionality, 320

E
EAP
    action, 404
EAP AKA, 236
EAP, choosing a method, 161
EAP, key-exchange, 162
EAP, tunneling, 162
EAP-AKA user credentials, 239
EAP-SIM, 224
EAP.authfile, 229, 240
event
    Check and Reply, 598
    names - general information, 399
event name - custom, 403
event names, 400
Event-n - FSM, 398
Expiration
    event name, 402
expression - decision file, 596

F
Fast re-authentication, 248
File size properties, 138
Finite State Machine, 396
finite state machine
    accounting logs, 145
    Check and Reply, 598
    general information, 396
    multiple streams, 539
FMS - Event-n, 398
Framed-Protocol
    example, 534
FSM
    Action-n, 398
    State-name, 398
    version tracking, 406

G
GSM triplet, 229
GTC, features, 163
GUI icons, 144

H
hardening programs
    Bastille, 67
HTTPS, configuring, 64
HUP processing, 519

I
iaaaFile, 230
inetd
    timeout, 79
installing, 54
installing, defaults, 56
installing, testing, 72
Interlink-Packet-Code - Check and Reply, 598
Interlink-Proxy-Action - Check and Reply, 598
IP addresses, address pools, 390, 391
IP addresses, DHCP, 390
IPv6 addresses
    assigning, 175, 178
IPv6 attributes, 528

K
keyword-value entries, 520

L
LAS
    code
        example, 534
    general information, 535
    session timing, 535
las.conf - file, 535
LDAP, 335
    definition, 605
LDAP, tuning, 116
Livingston style logs, 149
Local Authorization Server - authorization, 46
Local user file properties, 139
log file, 142
    accounting, 145
log.config - general information, 539
logging streams - general information, 539

M
managing multiple AAA servers, 93
Mapping, 340, 353
    Input, 354
    Output, 354
Mapping Functions, 341
Mapping types
    DBC, 354
    DBP, 354
    DBR, 354
    RAD, 354
    target, 354
Maximum logfile size properties, 138
MD5, features, 163
Merit style logs, 147
message handling properties, 135, 136
Message-Authenticator, 324
MIB objects, 566
migrating plug-ins, 448
Miscellaneous properties, 138
MS-CHAP v2, 182
MS-CHAP, features, 163
multiple streams
    finite state machine, 539
    logging, 541

N
non-root processes, 68

O
OTP authentication, 162
    components, 182
    flowchart, 183
    inner and outer realms, 197
    mapping and conversion functions, 217
    precedence rules, 195
    process flow, 181
    realm-level configuration, 196
    system-wide configuration items, 195
    user-level configuration, 198
OTP authentication attributes, 192
    HOtp-Seq-Counter, 193
    Otp-ActionId, 194
    Otp-Add-Checksum, 195
    Otp-Lookup-Window, 192
    Otp-Retrieve-TokenInfo-Action Id, 195
    Otp-Shared-Secret, 193
    Otp-Token-Length, 193
    Otp-Token-Lock-Counter, 193
    Otp-Token-Serial-Number, 193
    Reply-Egress-ActionId, 195
OTP authentication concepts
    using bit masks, 188
OTP authentication configuration concepts, 187
override AAA server defaults, 520

P
PEAP (Protected EAP), 576
PEAP, features, 163
policy
    proxy-egress, 45, 438
    proxy-ingress, 45, 439
    reply-egress, 437
    request-ingress, 45, 435
    user policy, 46, 436
    Xstring, 399
policy action commands
    delete, 414
    exit, 418
    if, 420
    insert, 415
    log, 419
    modify, 417
policy attributes, 440
product architecture, 39
product structure, 38
PROLDAP, 231
ProLDAP properties, 139
pruning
    example, 534
    expressions - general information, 533
pseudonyms, 256

R
RADIUS overview, 34, 464
RADIUS sessions, 36
radius.fsm
    accounting logs, 146
    alternate fsm file, 79
    FSM, 396
radiusd, 77
    starting, 77
realm
    add, 105
    configuration - LAS, 537
    configuration example, 537
    modify, 108
realms screen, Server Manager, 105
reload, 76
remove A-V pair, 533
Replay Protection, 321
reply item
    authorization, 47
Reverse Path Forwarding, 324
RMI Objects, 72

S
sample AATV
    ACE, 451
    checkCSI, 451
sample configuration files, 326
sample OTP configuration files, 217
    oath-prexy-egress.grp, 222
    oath-reply-egress.grp, 221
    oath-request-ingress.grp, 221
SDK
    APIs, 579
        A-V pair APIs, 580
        Asynchronous event and I/O APIs, 589
        Authreq APIs, 582
        Logging APIs, 587
        secondary APIs, 591
    compiling and loading plug-ins, 452
    concepts, 448
    creating plug-ins, 451
    directory structure, 448
    header files and data structures, 579
    prerequisites, 448
    testing and debugging plug-ins, 453
Secure Copy Protocol, 96
server
    log files, 142
    starting, 77
server connections, 90
Server Manager, introduction, 38
server properties, 133
server properties screen, Server Manager, 133
server properties, modifying, 133
Server Status Screen, Server Manager, 93
session
    records - accounting format, 150
session limits, 170
session logs, Server Manager, 169
SNMP properties, 136
SNMP, introduction, 386
SNMP, setting-up, 386
SQL Access, 338
    benefits, 338
    Configuration, 349
    Conversion Functions, 361
    Database Client, 347
    Database Connection, 350
    Database Server, 346
    Finite State Machine, 346
    Global definition, 369
    Implementation, 342, 348
    Interaction, 339
    Mapping functions, 359
    Mappings
        RAD, 355
    Pre-requisites, 346
    README, 342
    Sample Implementing, 342
    shared library path, 348
    SQL Actions, 342
    SQL statement, 362
    sqlaccess.config, 349
SQL Access AATV, 339
SQL Access. See also Mapping, 340
SQL Actions, 352
sqlaccess.config, 349
SSL, 64
start
    radius server, 77
    server - general information, 77
starting AAA servers, options, 75
starting after reboot, 80
state
    general information, 396
    modification tables - example, 406
    table - custom, 406
state - FSM, 398
supported operators, 432

T
timeout
    inactivity, 79
    option inetd, 80
TLS, features, 163
token administration
    changing token status, 383
    enrolling tokens (for users), 380
    validating tokens (for users), 382
tokenpool
    configuration, 536
    example, 536
Tomcat, 72
Tomcat, AAA server identity, 66
Tomcat, starting and stopping, 72
troubleshooting
    access-reject messages, 494
    EAP problems, 502
    flowchart, 469
    provisioning errors, 506
    Server Manager, 472
    server startup problems, 478
    unresponsive servers, 483
troubleshooting utilities, 509
    radcheck, 509
    raddbginc, 510
    radpwtst, 510
    radsignal, 511
TTLS, features, 163
Tunneling properties, 136

U
User Credential Lookup, 228
User Database Administration tool, 374
    customizing, 374
    modifying users, 377
    viewing user and token information, 383
User database Administration tool
    adding users, 375
user profiles, deleting, 131
User-Realm
    Check and Reply, 598
users file
    default location, 528
    general information, 528
    line limit, 528
    syntax, 528
users screen, Server Manager, 127

V
value types, 430
    date values, 431
    integer values, 430
    named integer values, 430
    string values, 430
values types
    IP address values, 431
vendor
    file - example, 538
    general information, 538
    specific attributes and pruning, 533
VPN, 388
VPN tunneling, 388

W
Wireless LAN planning, 160
Wireless LAN preparation, 160
Wireless LAN security, 159
Wireless LAN, digital certificates, 164
Wireless LAN, EAP, 161
Wireless LAN, steps to configure, 164
WLAN, configuring, 164
WLAN, EAP methods, 161
WLAN, planning, 160

X
Xstring - policy, 399