HP-UX AAA Server A.07.
Copyright © 2002–2008 Hewlett-Packard Development Company, L.P. Confidential computer software. Valid license required from HP for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor’s standard commercial license. The information contained herein is subject to change without notice.
About This Document
This document provides an overview of the HP-UX AAA Server and describes how to configure, administer, and troubleshoot the product. This document does not cover installing the product.
The document printing date and part number on the cover indicate the document’s current edition. The printing date and part number change when a new edition is printed. Minor changes can be made at reprint without changing the printing date.
Document Organization
The HP-UX AAA Server A.07.01 Administrator's Guide is organized as follows:
• Part I — Introduction provides general information about the HP-UX AAA Server product and the RADIUS protocol. It also describes how to secure your HP-UX AAA Server installation.
• Part II — Configuring the HP-UX AAA Server Manager Using the Server Manager GUI describes how to use the Server Manager to administer your AAA environment.
Table 1 HP-UX AAA Server Administrator’s Guide Printing History
Document Part Number | Document Release Date (month/year) | Supports Software Version | Supported OS
T1428-90066 | 03/08 | A.07.01 | HP-UX 11i v1, 11i v2, 11i v3
T1428-90064 | 09/07 | A.07.00 | HP-UX 11i v1, 11i v2, 11i v3
5991-6434 | 09/06 | A.07.00 | HP-UX 11i v1, 11i v2
T1428-90061 | 11/05 | A.06.02 | HP-UX 11i v1, 11i v2
T1428-90050 | 01/04 | A.06.01.x | HP-UX 11.00, 11i v1, 11i v2
T1428-90042 | 10/03 | A.06.01.x | HP-UX 11.
{}    The contents are required in formats and command descriptions. If the contents are a list separated by |, you can choose one of the items.
...   The preceding element can be repeated an arbitrary number of times.
|     Separates items in a list of choices.
HP-UX Release Name and Release Identifier
Each HP-UX 11i release has an associated release name and release identifier. The uname(1) command with the -r option returns the release identifier. The following table lists the releases available for HP-UX 11i.
Part I Introduction
This part of the HP-UX AAA Server Administrator’s Guide contains the following chapters:
• Chapter 1: “Overview: The HP-UX AAA Server” (page 30)
• Chapter 2: “Upgrading to Version A.07.
1 Overview: The HP-UX AAA Server
The Remote Authentication Dial In User Service (RADIUS) protocol defines a standard for information exchange between a network device or software application and an authentication, authorization, and accounting (AAA) server to manage and track user access to network services.
RADIUS Topology
The RADIUS protocol follows the client-server architecture. The client sends user information to the AAA server using Access-Request or Accounting-Request messages. The AAA server processes the request locally or, if acting as a proxy server, forwards (proxies) the request to a secondary RADIUS server. When processing a RADIUS request locally, the AAA server can use additional external services (LDAP, external database access, DHCP, and so on) to service the request.
Figure 1-1 Typical AAA Network Topology
Establishing a RADIUS Session
A RADIUS session tracks the life of a user session through a series of message exchanges. RADIUS sessions are used to limit simultaneous access to a resource for users who share the same credential, and to manage the allocation and release of IP addresses acquired on behalf of the user by the AAA server.
Figure 1-2 Client-Server RADIUS Transaction
When the user's device connects to the client, the client sends a RADIUS Access-Request to the AAA server. When the server receives the request, it validates the sending client. If the client is permitted to send requests to the server, the server then takes information from the Access-Request and attempts to match the request to a user profile.
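The transaction above, worked through in code as an added example that is not part of this guide or of the HP-UX AAA Server software. It builds the Access-Request on the client side, has the server validate the sending client against its shared secret, recover the hidden User-Password and match the user, and then lets the client verify the Response Authenticator on the Access-Accept or Access-Reject. All data is constructed: the shared secret is a placeholder, the client address 192.0.2.10 is documentation space, and the user entry stands in for the users file. Because no socket is used, the server keys its client lookup on the NAS-IP-Address attribute; a real RADIUS server keys it on the UDP source address of the datagram.

```python
import hashlib
import os
import struct

# RADIUS packet codes and the attribute types this example uses (RFC 2865).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4

# Constructed sample data: a placeholder shared secret for one hypothetical client
# and one user with a known password. These stand in for the clients and users files.
SHARED_SECRET = b"placeholder-shared-secret"
CLIENTS = {"192.0.2.10": SHARED_SECRET}
USERS = {"test_user": b"example-password"}


def encode_attrs(attrs):
    """Pack (type, value) pairs into RADIUS type-length-value attributes."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    """Unpack attributes, refusing malformed lengths rather than reading past the buffer."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = struct.unpack("!BB", data[i:i + 2])
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def hide_password(password, secret, request_auth):
    """User-Password hiding (RFC 2865 5.2): XOR 16-byte chunks with MD5(secret + previous block)."""
    padded = password + b"\x00" * ((16 - len(password) % 16) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        chunk = bytes(x ^ y for x, y in zip(padded[i:i + 16], mask))
        out, prev = out + chunk, chunk
    return out


def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password; only a holder of the shared secret can do this.
    Padding NULs are stripped, so a password ending in NUL bytes is not round-tripped."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def client_access_request(user, password, secret, nas_ip, ident=7):
    """Client side: build an Access-Request with a fresh random Request Authenticator."""
    request_auth = os.urandom(16)
    attrs = encode_attrs([
        (ATTR_USER_NAME, user.encode()),
        (ATTR_USER_PASSWORD, hide_password(password.encode(), secret, request_auth)),
        (ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
    ])
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs, request_auth


def server_handle(packet, clients, users):
    """Server side: identify the client, recover the password, match the user, sign the reply."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        return None
    request_auth = packet[4:20]
    attrs = dict(decode_attrs(packet[20:length]))
    # Simplification: NAS-IP-Address stands in for the UDP source address.
    nas_ip = ".".join(str(b) for b in attrs.get(ATTR_NAS_IP_ADDRESS, b""))
    secret = clients.get(nas_ip)
    if secret is None:
        return None  # unknown client: RFC 2865 says silently discard
    user = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    password = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    reply_code = ACCESS_ACCEPT if users.get(user) == password else ACCESS_REJECT
    header = struct.pack("!BBH", reply_code, ident, 20)   # reply carries no attributes
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    response_auth = hashlib.md5(header + request_auth + secret).digest()
    return header + response_auth


def client_verify_reply(reply, request_auth, secret):
    """Client side: recompute the Response Authenticator before trusting the reply."""
    header, response_auth, body = reply[:4], reply[4:20], reply[20:]
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    return response_auth == expected
```

Two points the code makes concrete: a client that does not hold the secret the server has on file gets no reply at all, and a reply whose Response Authenticator does not verify under the client's copy of the secret must be discarded, since anyone on the path could otherwise forge an Access-Accept. Both protections are only as strong as the shared secret itself, which is why the clients file is treated as sensitive configuration later in this guide.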
Product Structure The HP-UX AAA Server is based on the client-server architecture.
IMPORTANT: For the most recent product documentation, see http://www.docs.hp.com.
HP-UX AAA Server Architecture
The HP-UX AAA Server architecture consists of the following components:
• Configuration files. Files that provide the information necessary for the server to perform authentication, authorization, and accounting requests for your system. In most cases, these files can be modified by using the Server Manager.
• AATV plug-ins.
Figure 1-3 Authentication Process
Configuration Files
For detailed information on the server configuration files, see Chapter 31: “Configuration Files” (page 374).
AATV Plug-Ins
An AATV plug-in defines the actions that perform a variety of functions, including authenticating requests, authorization, and logging. Built-in actions support authentication of users using information from several different repositories, and accounting requests using several different policies and storage formats.
For more information on the Finite State Machine, see Chapter 24: “Customizing the HP-UX AAA Server Using the Finite State Machine” (page 270).
HP-UX AAA Server Commands, Utilities and Daemons
Table 1-1 provides an overview of the HP-UX AAA Server commands, utilities, and daemons.
Table 1-1 Commands, Utilities, and Daemons
Command | Description
radcheck | Sends RADIUS status and protocol requests to a AAA server and displays the replies. Receiving the reply confirms that the HP-UX AAA Server is operational.
Figure 1-4 Default Action Sequence
Authentication to Verify the Client and User
The authentication of an access request has a number of distinctive steps, as shown in Figure 1-5 (page 39). The rounded rectangles represent configuration files that the HP-UX AAA Server uses and the ovals represent one or more authentication types.
Figure 1-5 Authentication Steps
Authentication Steps
The following lists the authentication steps followed by the HP-UX AAA Server:
1. After the HP-UX AAA Server receives an Access-Request, it attempts to match the client making the request to an entry in the clients file. The server attempts to authenticate a request only if a match can be made.
2. The iaaaUsers action checks the local users file. In this step, the User-Name attribute value from the Access-Request is used to find an entry for the user in the /etc/opt/aaa/users file.
   • If User-Name matches an entry, the server retrieves that profile and authentication moves to step 5.
   • If User-Name does not match an entry, authentication moves to step 3.
3. If the iaaaUsers action does not find a matching user profile in the users file, the FSM calls the iaaaRealm action.
Figure 1-6 Authorization Steps
Authorization Steps
1. The server receives the Access-Request.
2. The server evaluates the request-ingress policy. This is the first step in the FSM, before the request is dispatched for processing. The request-ingress policy can be used to alter the request in one of the following ways:
   • A-V pairs may be added, changed, or removed.
   • The request classification may be altered.
   • The request may be rejected immediately.
Table 1-2 How Requests are Altered Using the proxy-egress and proxy-ingress Policies
Use of the proxy-egress Policy | Use of the proxy-ingress Policy
A-V pairs can be added, modified, or removed. | A-V pairs can be added, modified, or removed.
The request may be rejected immediately. | The reply type may be altered.
The request may be dropped entirely and no reply is sent. | The request may be dropped entirely and no reply is sent.
The proxy target host may be changed. |
a local realm configured in the las.conf file, the LAS module performs the following actions:
• Checks the user profile for a Simultaneous-Session attribute-value pair, which determines the maximum number of active sessions the user can have. The default value is 1.
• Authorizes or denies service based on Service-Class.
The POSTLAS action performs Simultaneous Access Token (SAT) control, which is used to implement realm-based simultaneous session control.
Session Logs For Accounting
During operation, the HP-UX AAA Server processes information received in an Accounting-Request from the client. By default, session logging information is written to a file following a predefined format, such as Merit or Livingston. You can modify how and where the server generates the logs by editing the log.config file. You can also schedule logging by editing the FSM.
2 Upgrading to Version A.07.01
This chapter explains how to upgrade to the HP-UX AAA Server A.07.01 from previous versions.
The HP-UX AAA Server Upgrade Process
The following process describes the HP-UX AAA Server A.07.01 product installation on a system where a previous version of the HP-UX AAA Server is currently installed:
1. The contents of the existing configuration in /etc/opt/aaa/ are copied to /etc/opt/aaa.old/. If any files with the same names exist in /etc/opt/aaa.old/, they will be overwritten.
    -DEFAULT ProLDAP "" {
        Filter-Type CIS
        Directory "directory_name" {
            Host
            Port
            Administrator
            Password
            Searchbase
            Authenticate
        }
    }
Additions have been made to the vendors file in this version of the HP-UX AAA Server. If you have modified the vendors file, you must merge the vendors file. For information on merging the vendors file, see “Merging the vendors File” (page 48).
5. Copy your legacy users files from /etc/opt/aaa.old/ to /etc/opt/aaa/ (including the default users file and all files with the .users extension). Update the users files as follows:
   • Remove all DEFAULT, dumbuser, pppuser, and slipuser entries. The following shows example entries for each:
     • DEFAULT
       DEFAULT
           Authentication-Type = Realm
           Filter-Id = "unlim"
     • dumbuser
       dumbuser
           Authentication-Type = None
           Service-Type = Login, Login-Service = Telnet, Login-IP-Host = 255.255.255.
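The users-file lookup from authentication steps 2 and 3 in Chapter 1, together with the legacy-entry check this upgrade step asks for, as an added Python example that is not part of this guide or of the HP-UX AAA Server software. The sample file is constructed; its layout (user name in column 0 followed by check items, indented comma-separated reply items on the following lines) is an assumed reading of the entries shown in this guide, not the product's exact grammar. The split of User-Name on "@" to find a realm is likewise an assumption; the product's realm handling lives in the iaaaRealm action and the authfile, which this example does not model.

```python
# Constructed sample users file in the assumed two-level layout described above.
SAMPLE_USERS_FILE = """\
# legacy catch-all entry that upgrade step 5 says to remove
DEFAULT Authentication-Type = Realm
    Filter-Id = "unlim"

test_user Password = "example-pw"
    Service-Type = Framed-User,
    Framed-Protocol = PPP

dumbuser Authentication-Type = None
    Service-Type = Login, Login-Service = Telnet
"""

# Entry names the A.07.01 upgrade procedure says to delete from migrated users files.
LEGACY_ENTRIES = {"DEFAULT", "dumbuser", "pppuser", "slipuser"}


def parse_pairs(text):
    """Split 'Attr = value, Attr = value' into a dict; quotes around values are dropped."""
    pairs = {}
    for item in text.split(","):
        item = item.strip()
        if not item:
            continue
        key, sep, value = item.partition("=")
        if not sep:
            raise ValueError("not an attribute-value pair: %r" % item)
        pairs[key.strip()] = value.strip().strip('"')
    return pairs


def parse_users_file(text):
    """Return {name: {"check": {...}, "reply": {...}}} for every entry in the file."""
    profiles, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] not in " \t":                 # new entry: name plus check items
            name, _, rest = raw.partition(" ")
            current = {"check": parse_pairs(rest), "reply": {}}
            profiles[name] = current
        elif current is None:
            raise ValueError("reply item before any user entry: %r" % raw)
        else:                                    # continuation line: reply items
            current["reply"].update(parse_pairs(raw))
    return profiles


def lookup_user(profiles, user_name):
    """Steps 2 and 3: an exact User-Name match yields the profile (processing continues
    at step 5); otherwise the request is handed to the realm action. Assumption: the
    realm is whatever follows the last '@' in User-Name."""
    if user_name in profiles:
        return "profile", profiles[user_name]
    _, at, realm = user_name.rpartition("@")
    return "realm", (realm if at else None)


def legacy_entries(profiles):
    """Names present in a migrated file that upgrade step 5 says to remove."""
    return sorted(LEGACY_ENTRIES & set(profiles))
```

Running legacy_entries over each migrated file before restarting the server is a quick way to confirm that step 5 was completed, since a surviving DEFAULT entry would otherwise match every user that has no explicit profile.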
8. If you are using an OpenLDAP server, update the RADIUS schema file for the directory server. Copy /opt/aaa/examples/proldap/iaaa-radius.ldif to the OpenLDAP server. Stop and restart slapd after copying the schema file to the OpenLDAP server.
Upgrading from Version A.05.x to Version A.07.01
Contact your HP Support representative if you are upgrading from Version A.05.x to Version A.07.01 or if you need assistance with your migration.
3 Installing and Securing the HP-UX AAA Server
This chapter explains how to acquire, install, and secure the HP-UX AAA Server product. Always refer to the HP-UX AAA Server Release Notes for important information specific to each version of the product, including requirements and dependencies.
Acquiring the HP-UX AAA Server Software
You can get the most recent version of the HP-UX AAA Server product at the HP Software Depot: http://www.hp.com/go/softwaredepot.
NOTE: Check the Release Notes for the HP-UX AAA Server version you are installing to verify patch requirements.
4. Download the AAA Server depot file from http://www.software.hp.com and move it to /tmp.
5. Verify that you have downloaded the file correctly:
   # swlist -d -s /tmp/.depot
6. Stop any active Tomcat processes:
   /opt/hpws/tomcat/bin/shutdown.sh
7. Install the AAA Server:
   # swinstall -s /tmp/.
7. Remove all files residing in the /var/opt/aaa/ and /opt/hpws/tomcat/webapps/aaa/aaalog/ subdirectories.
8. Log out anyone using the HP-UX AAA Server administrator login “aaa”.
9. As the root user, enter swremove HPUX-AAAServer, or enter swremove at the command prompt to invoke the standard HP-UX GUI and select the HPUX-AAAServer bundle for removal. Refer to the swremove manpage for more information on this command.
Table 3-1 File Locations Upon Installation (continued)
Directory | File
/opt/aaa/examples/config | Finite state machine and sample policy files:
• *.fsm: Sample FSM tables
• sqlaccess-acct.fsm: Sample FSM required to implement accounting without session management using SQL Access
• sqlaccess-acct-sess.fsm: Sample FSM required to implement accounting with session management using SQL Access
• *.grp: Sample decision files
• OTP sample reference implementation files:
  — oath-request-ingress.
Table 3-1 File Locations Upon Installation (continued)
Directory | File
/opt/aaa/lib/dbcon/alternate | Connector libraries that enable the HP-UX AAA Server to communicate with supported database clients:
• libdbcon_oci.so: OCI client connector library
• libdbcon_odbc.so: MySQL Unix ODBC client connector library
NOTE: Refer to Chapter 18: “SQL Access” (page 207) for details on using the client connector libraries.
Table 3-1 File Locations Upon Installation (continued)
Directory | File
/etc/opt/aaa | Configuration files:
• aaa.config: runtime and tunneling configuration file
• authfile: realm to authentication-type mapping file
• clients: client to shared secret mapping file
• db_srv.opt: configuration script for db_srv environment variables
• dictionary: definition file required by the radiusd daemon
• las.conf: authorization and accounting configuration file
• log.config: session logging configuration file
• radius.
Table 3-2 Files Generated During Operation (continued)
Directory | File
/ipc/*.sm | Shared memory files related to the interface used for some authentication types.
IMPORTANT: You must not alter or delete the shared memory (*.sm) files. The server does not operate correctly if the files are changed or removed from the ipc directory.
/logs/logfile | The server log file
/logs/logfile.
1. Open /opt/hpws/tomcat/webapps/aaa/WEB-INF/gui.properties.
2. Look for the following entry:
   rmi.config.secret = "secret"
3. Change the “secret” portion to a new value.
4. Open the /opt/aaa/remotecontrol/rmiserver.properties file.
5. Look for the following entry:
   rmi.config.secret = "secret"
6. Change the “secret” portion to the same value configured in Step 3.
IMPORTANT: The rmi.config.secret in /opt/aaa/remotecontrol/rmiserver.properties and in /opt/hpws/tomcat/webapps/aaa/WEB-INF/gui.
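A check for the six steps above, as an added Python example that is not part of this guide or of the HP-UX AAA Server software: it reads the rmi.config.secret entry out of both files, reports whether either still carries the shipped default or the two values disagree, and rewrites the entry in place so the same value is applied to both. The file contents are constructed and contain only the key the guide shows; the 16-character minimum is this example's own assumption, since the guide states no length requirement.

```python
import re

DEFAULT_SECRET = "secret"       # the value shipped in both files, per the procedure above
MIN_SECRET_LENGTH = 16          # assumed minimum; the guide gives no length requirement
_SECRET_LINE = re.compile(r'^(\s*rmi\.config\.secret\s*=\s*)"?([^"\r\n]*?)"?\s*$')

# Constructed sample contents of the two files as shipped (only the key the guide shows).
SAMPLE_GUI_PROPERTIES = '# Server Manager settings\nrmi.config.secret = "secret"\n'
SAMPLE_RMI_PROPERTIES = 'rmi.config.secret = "secret"\n'


def read_rmi_secret(text):
    """Return the rmi.config.secret value (quotes stripped), or None if the key is absent."""
    for line in text.splitlines():
        m = _SECRET_LINE.match(line)
        if m:
            return m.group(2)
    return None


def set_rmi_secret(text, new_secret):
    """Rewrite the rmi.config.secret line in place, leaving every other line untouched."""
    if '"' in new_secret or "\n" in new_secret:
        raise ValueError("secret must not contain quotes or newlines")
    out, replaced = [], False
    for line in text.splitlines():
        m = _SECRET_LINE.match(line)
        if m:
            line = '%s"%s"' % (m.group(1), new_secret)
            replaced = True
        out.append(line)
    if not replaced:
        raise ValueError("rmi.config.secret entry not found")
    return "\n".join(out) + "\n"


def check_rmi_secrets(gui_text, rmi_text):
    """Return a list of problems; an empty list means both files agree on a non-default secret."""
    problems = []
    found = {"gui.properties": read_rmi_secret(gui_text),
             "rmiserver.properties": read_rmi_secret(rmi_text)}
    for name, value in found.items():
        if value is None:
            problems.append("%s: no rmi.config.secret entry" % name)
        elif value == DEFAULT_SECRET:
            problems.append("%s: still uses the shipped default" % name)
        elif len(value) < MIN_SECRET_LENGTH:
            problems.append("%s: secret shorter than %d characters" % (name, MIN_SECRET_LENGTH))
    values = [v for v in found.values() if v is not None]
    if len(values) == 2 and values[0] != values[1]:
        problems.append("rmi.config.secret differs between the two files (Step 6 not applied)")
    return problems
```

In use, read each file, pass its text to check_rmi_secrets after editing, and write back the result of set_rmi_secret for both; the rewrite keeps comments and other keys exactly as they were, so the only difference between the two files after the change is the line the procedure tells you to edit.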
1. Generate a certificate for Tomcat to establish the SSL connection. Use the following steps to create a self-signed certificate with the Java command line keytool utility:
   1. Remove $HOME/.keystore if it already exists.
   2. Enter the following command:
      $ export JAVA_HOME=/opt/java1.4
   3. Enter the following command:
      $JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA
   4. Enter a password for the key store when prompted.
   5. Enter the certificate information (company, contact name, etc.
Creating a Tomcat Identity Specifically for the HP-UX AAA Server
If several applications use Tomcat, you can configure Tomcat to have a user name and password specifically for the AAA Server. All other applications using Tomcat will have a different user name and password. Complete the following steps to create a Tomcat identity specifically for your HP-UX AAA Server:
1. Search for the following line in /opt/hpws/tomcat/conf/server.
Running the HP-UX AAA Server on Hosts with System Hardening Software
If you are setting up the HP-UX AAA Server on a system that is being hardened using lock-down software such as Bastille, you must ensure that the ports used by the HP-UX AAA Server are kept open. The following ports must be kept open if you are running the HP-UX AAA Server:
• Port 1812 (RADIUS authentication port)
• Port 1813 (RADIUS accounting port)
• Port 8081 (port used by the Server Manager.
   $ su - aaa -c /opt/aaa/remotecontrol/rmistart.sh
4. Use the following command to start Tomcat as the www user:
   $ su - www -c "export JAVA_HOME=/opt/java1.4; /opt/hpws/tomcat/bin/startup.sh"
5. Point your web browser to:
   http://:8081/aaa
NOTE: Any log files created when the HP-UX AAA Server was running as the root user will not be accessible after performing this procedure. To view these log files, change their ownership so that the user now running the server can read them.
       /opt/aaa/remotecontrol/rmistart.sh >/dev/null 2>&1
   fi
6. Look for the following entry:
   # stop the daemon!!!
   if [[ -x /opt/aaa/remotecontrol/rmistop.sh ]]; then
       /opt/aaa/remotecontrol/rmistop.sh >/dev/null 2>&1
   fi
7. Change the then statement to stop the RMI objects as the aaa user during shutdown:
   Change:
   if [[ -x /opt/aaa/remotecontrol/rmistop.sh ]]; then
       /opt/aaa/remotecontrol/rmistop.sh >/dev/null 2>&1
   fi
   To:
   if [[ -x /opt/aaa/remotecontrol/rmistop.
4 Enabling the HP-UX AAA Server for GUI-based Administration
This chapter explains how to enable your HP-UX AAA Server software to begin administration.
Accessing the Server Manager
To start the HP-UX AAA Server and the Server Manager graphic user interface, complete the following steps:
1. Enter the following command:
   # export JAVA_HOME=/opt/java1.4
2. Start the Remote Method Invocation (RMI) objects to allow the AAA server software to communicate with Server Manager.
Testing the Installation
To test the server installation quickly, perform the following procedure using Server Manager:
• Add a loopback connection to a AAA server
• Start the AAA server
• Check the status for a response
To Test the Installation
Complete the following steps to test the server installation:
1. Connect to Server Manager and start the AAA server. See “Accessing the Server Manager” (page 62).
2.
11. Verify that your HP-UX AAA Server is installed and operating correctly by using the testing user (named test_user) created during installation. After test_user is authenticated and the AAA server sends an Access-Accept, the client sends an Accounting-Request to start the session. After the session is terminated, the client sends an Accounting-Request stop message to stop the session logging and the AAA server writes the session information to a file. a.
NOTE: Server commands will only be executed on servers selected in the Server Status frame.
3. Click Start. Figure 4-1 shows the return value in Server Manager’s message frame when a server is successfully started.
Figure 4-1 Return Value After Successfully Starting a AAA Server
AAA Server Start Options
Select the Start button’s corresponding icon to display the Start Options screen shown in Figure 4-2. Table 4-1 describes the start options you can use.
Table 4-1 Server Start Options
Option | Description
Authentication | Port number to listen to authentication requests.
Accounting | Port number to listen to accounting requests.
Authentication Relay | Port number to relay authentication requests. This option is useful when proxying requests to a AAA server that is not listening on the default port.
Accounting Relay | Port number to relay accounting requests.
• request-ingress.grp
• reply-egress.grp
• proxy-egress.grp
• proxy-ingress.grp
In order for other configuration changes to take effect, you must stop and restart the server.
IMPORTANT: Save the configuration before reloading the configuration information.
Starting AAA Servers From the Command Line
The radiusd daemon is a process that services user authentication and accounting requests from RADIUS clients.
Table 4-2 radiusd Options (continued)
Option | Description
-dd Data-directory | Specifies the directory where the active session file (session.las) is located. If omitted, the default directory is /var/opt/aaa/data.
-dm Accounting-directory | Specifies the directory where Merit style accounting log files (session logs) are located. If omitted, the default directory is /var/opt/aaa/acct.
-p Authentication-port | Specifies the UDP port number to listen to authentication requests.
NOTE: The radiusd daemon determines what action must be taken when receiving requests based upon an FSM that it loads into memory when the server is started. The FSM can be configured, but it is static after server startup. The server uses the algorithm shown in Figure 4-3 to determine which FSM must be loaded into memory:
Figure 4-3 Algorithm for Determining Which FSM to Load
IMPORTANT: When started by the inetd service, radiusd times out if it does not receive a message in 15 minutes.
CAUTION: Do not stop a live server in production as it interrupts services to users.
Using Server Manager
1. From the navigation tree, click Administration.
2. Select the servers you want to stop in the Server Status frame.
NOTE: Server commands will only be executed on servers selected in the Server Status frame.
3. Click Stop. A message prompt enables you to confirm whether you wish to stop the server.
Table 4-3 New Server Connection Screen Fields (continued)
Field | Value to Enter
Domain or IP Address | Full DNS name or IP address (traditional IPv4 or IPv6 address) of an HP-UX AAA server. Examples: IPv4 address 192.0.2.0; IPv6 address fedc:ba98:7654:3210:fedc:ba98:7654:3210; domain name example.org
3. Click Create. If the client program successfully connects to the server, the name you specified appears in the Status Frame displayed in the lower left corner of the program’s interface.
Part II Configuring the HP-UX AAA Server Manager Using the Server Manager GUI
This part of the HP-UX AAA Server Administrator’s Guide contains the following chapters:
• Chapter 5: “The HP-UX AAA Server Manager Interface” (page 76)
• Chapter 6: “Managing HP-UX AAA Servers” (page 78)
• Chapter 7: “Configuring RADIUS Clients Using the Access Devices Screen” (page 84)
• Chapter 8: “Configuring Realms” (page 89)
• Chapter 9: “Configuring Proxies” (page 105)
• Chapter 10: “Configuring Users” (page 115)
• Chapter
5 The HP-UX AAA Server Manager Interface
HP-UX AAA Server Manager (Server Manager) is a browser-based application. It uses the HP-UX Tomcat-based Servlet Engine to provide a configuration interface between a web browser and one or more AAA servers. The Server Manager is used to start, stop, configure, and modify the servers. In addition, Server Manager can retrieve information about logged server sessions and accounting information for an administrator.
Commonly Used Icons in the GUI
• Click the add icon to add new servers, realms, or users.
• Click the delete icon to delete the corresponding entry.
• Click the help icon to display a context-sensitive Help screen.
• Click the edit icon to edit the corresponding entry.
• The read-only icon indicates that the configuration file cannot be modified using the Server Manager. Edit the configuration file manually using a command line editor.
6 Managing HP-UX AAA Servers
Your server configuration can be synchronized and controlled across one or more server installations. These server installations can be on the same machine as the Server Manager program, or on different machines. Server Manager identifies each AAA installation as a server connection and maps a hostname to the IP address (both traditional IPv4 and IPv6 address formats are supported) or DNS name of a remote machine where a AAA server is installed.
1. Click the add icon to display the Add Server screen. The Add Connection screen appears as shown in Figure 6-2.
Figure 6-2 The Add Connection Screen
2. In the Server Attributes form, enter your server's attributes according to the format shown in Table 6-1.
Table 6-1 Fields in the Connection Attributes Form
Field Name: Attributes
Name: The identifying string of a remote server.
Domain Name or IP Address: The client IP address or DNS name. Both traditional IP (IPv4) and IPv6 address formats are supported.
Figure 6-3 The Modify Connection Screen
The HP-UX AAA Server Properties section of the form includes a list of pathnames that cannot be modified. These pathnames must match the installation directories of the remote server.
IMPORTANT: When setting an option to a given directory, the directory must exist and be editable on the machine. You must specify the logfile directory to access session logs through the maintenance functions listed in the navigation tree menu.
1. In the Server Connections screen, click the delete icon corresponding to the server connection that you want to delete. The Delete Server Connections screen appears as shown in Figure 6-4. This screen allows you to preview the properties of the server connection before you confirm deletion.
Figure 6-4 The Delete Server Connections Screen
2. Click Delete to remove the server connection. Click Cancel to return to the Server Connections screen without removing the server connection.
When a server command, such as Start, is submitted, it is only sent to checked servers. When you retrieve server logging, statistics, active sessions, or account information, only information from the checked servers is displayed. Table 6-2 displays the icons that can appear in Server Manager's Server Status frame and describes them briefly.
Table 6-2 Icons in Server Manager's Server Status Frame
Icon: Definition
Running: Indicates the server is connected and running.
Figure 6-6 Server Manager's Load Configuration Screen
After you have made changes to the server configuration items, you can save the modified configuration on any server that has an active connection with the Server Manager program. When you click Save Configuration, the Server Manager interface displays a prompt (shown in Figure 6-7). Using this prompt, you can select the servers on which the settings must be saved.
7 Configuring RADIUS Clients Using the Access Devices Screen
The server configuration must include all the clients (NASs, access points, and other network devices) that can communicate with the AAA server. If an access device is not included in the configuration, the server will not handle requests from, or send requests to, the client. The Access Devices screen allows you to add a new client, or modify or delete an existing client, in the server configuration.
1. In the Access Devices screen, click the add icon corresponding to the New Access Device list. The Add Access Device screen appears as shown in Figure 7-2.
Figure 7-2 Server Manager's Access Device Attributes Screen
2. In the Access Device Attributes form, enter information according to the information in Table 7-1.
Table 7-1 Add Access Device Configuration Form Options
Option: Function
Name: Enter the network location of the network device. This may be an IPv4 address (in dotted-quad notation), an IPv6 address (in colon-separated notation), or a valid DNS host name. When specifying Name as a DNS host name, you must use the name returned by the hostname command.
Notes:
• Ensure that your DNS is configured correctly (with both forward and reverse entries) for your AAA server.
Table 7-1 Add Access Device Configuration Form Options (continued)
Option: Function
Vendor: Enter the vendor-specific attributes that must be returned to the access device in a reply. In most applications, you can select the hardware vendor of the device, or Generic if the device is not listed. You can make multiple selections by holding down the control key as you select vendor names.
3. Click Modify to save changes. Click Cancel to return to the Access Devices screen without saving any changes.
Deleting a RADIUS Client
To delete a RADIUS client, complete the following steps:
1. In the Access Device screen, click the delete icon corresponding to the RADIUS client you want to delete. The Delete Access Device screen appears as shown in Figure 7-3. This screen allows you to preview the access device entry before you confirm deletion.
Figure 7-3 The Delete Access Device Screen
8 Configuring Realms
A realm is a group of users who share a common characteristic, such as being customers of the same Internet Service Provider (ISP). All users of a given realm are handled in the same way, either proxied to a remote server or locally authenticated using a specified method, according to the authentication type assigned to the realm.
Figure 8-2 Server Manager's Local Realm Attributes Screen
3. Complete the form on the Local Realm Attributes screen according to the information given in Table 8-1.
Table 8-1 Fields in the Local Realm Attributes Form
Option: Function
Name: Name of the realm that must be mapped. This name does not have to be a DNS host name. However, HP recommends that the realm name match a domain name. The user will then be able to recognize the user@realm syntax, which resembles their email address.
Table 8-1 Fields in the Local Realm Attributes Form (continued)
Option: Function
User Authentication: Identifies the authentication method used for the realm:
• Enable EAP: Select this option if user authentication by an EAP challenge is required. Select one or more EAP types. At least one authentication method must be selected. For PEAP (EAP-GTC), you must configure the NULL realm. The PEAP version '0' only checkbox is displayed if you select PEAP(EAP-GTC), PEAP(EAP-MSCHAP), or PEAP(EAP-MD5).
Table 8-1 Fields in the Local Realm Attributes Form (continued)
Option: Function
Filter ID: Optional. Allows the specification of a packet filter name to be associated with authentication through this realm name. It overrides any explicit filter name specified in a user profile.
Session Tracking: Optional. Determines if session tracking is enabled for a realm.
Table 8-2 Special Entries
Special Entries: When to Use
Wildcard Entries: When specifying the primary realm for an entry, you can use a wild card syntax such as *.realm. This syntax provides a shorthand for associating several related realms with a single authentication type. For example, a company may have several branches, eastern.company.com, western.company.com, and central.company.com. The wild card entry for that company would define *.company.com as the realm.
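As an added example, not code from the HP-UX AAA Server, the following Python maps a RADIUS User-Name to a realm entry under the rules above: an exact realm entry wins over a wildcard, and *.company.com covers eastern.company.com but not company.com itself. The realm table, the handling of a name with no @realm part as the NULL realm, and case-insensitive comparison are assumptions made for this example.

```python
"""Map a RADIUS User-Name to a configured realm entry, honouring *.realm wildcards."""
from typing import Dict, Optional, Tuple

# Constructed realm table, in the shape one would build on the Local Realms
# screen: realm name -> authentication type. "NULL" stands for the realm
# applied to a User-Name that carries no @realm part. Sample data for this
# example only, not HP-supplied defaults.
REALMS: Dict[str, str] = {
    "NULL": "file",
    "example.org": "ldap",
    "*.company.com": "sql",
    "central.company.com": "oracle",
}


def split_user_name(user_name: str) -> Tuple[str, str]:
    """Split 'user@realm' into (user, realm).

    A bare user name maps to the NULL realm. The last '@' is the separator, so
    a local part may itself contain '@'. Realms are lower-cased because this
    example compares them case-insensitively (an assumption; the guide does not
    say how realm names are compared).
    """
    if "@" not in user_name:
        return user_name, "NULL"
    user, _, realm = user_name.rpartition("@")
    return user, realm.lower()


def match_realm(realm: str, realms: Dict[str, str] = REALMS) -> Optional[str]:
    """Return the configured entry that covers 'realm', or None if there is none.

    An exact entry always wins over a wildcard. A wildcard '*.suffix' covers
    any realm with at least one label in front of '.suffix' (so '*.company.com'
    covers eastern.company.com but not company.com itself); when several
    wildcards apply, the longest suffix wins.
    """
    key = realm if realm == "NULL" else realm.lower()
    if key in realms:
        return key
    best_entry: Optional[str] = None
    best_len = 0
    for entry in realms:
        if not entry.startswith("*."):
            continue
        suffix = entry[1:].lower()          # "*.company.com" -> ".company.com"
        if key.endswith(suffix) and len(key) > len(suffix) and len(suffix) > best_len:
            best_entry, best_len = entry, len(suffix)
    return best_entry


def authentication_type(user_name: str,
                        realms: Dict[str, str] = REALMS) -> Optional[Tuple[str, str]]:
    """Return (matching realm entry, authentication type) for a User-Name, or None."""
    _, realm = split_user_name(user_name)
    entry = match_realm(realm, realms)
    if entry is None:
        return None          # no configured realm covers this user
    return entry, realms[entry]


if __name__ == "__main__":
    for name in ("alice", "bob@Eastern.Company.com", "dave@central.company.com",
                 "erin@company.com", "frank@unknown.net"):
        print(f"{name:26} -> {authentication_type(name)}")
```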
1. In the Local Realms screen, click the delete icon corresponding to the realm you want to delete. The Delete Local Realm screen appears as shown in Figure 8-3. This screen allows you to preview the realm attributes before you confirm deletion.
Figure 8-3 The Delete Local Realm Screen
2. Click Delete to delete the realm. Click Cancel to return to the Local Realms screen without deleting the realm.
SQL actions in sqlaccess.config. See Chapter 18: "SQL Access" (page 207) for details on setting up the HP-UX AAA Server for SQL Access.
Perform the following steps to configure the realm for Database Access via SQL.
1. From the navigation tree, click Local Realms.
2. On the Local Realms screen, click New Local Realm to open the Local Realm Attributes screen.
3. In the Name field, enter the name of the realm for which the user profiles are stored in a database and accessed using the SQL Access feature.
8. From the navigation tree, click Save Configuration. If you have multiple remote servers, you will be prompted to select and confirm the servers where the realm configuration will be applied.
Configuring Realms for LDAP
This section discusses how to configure realms for Lightweight Directory Access Protocol (LDAP). These realms can be configured only after setting up the LDAP server. See Chapter 17: "LDAP Authentication" (page 204) for information on setting up an LDAP server.
Table 8-3 Values for Configuring Realms for LDAP (continued)
Value: Description
Host: Name of the host on which the LDAP directory server runs. The value must be a fully qualified DNS name, although an IP address also works. Both traditional IP (IPv4) and IPv6 address formats are supported. The HP-UX AAA Server can resolve DNS name format entries to IPv4 and IPv6 addresses. Enter an IPv4 address in dotted-quad notation. Enter an IPv6 address in IPv6 Literal format notation. For example: IPv4 address: 192.
Table 8-3 Values for Configuring Realms for LDAP (continued)
Value: Description
Filter: The Filter flag allows authentication to be based either on the LDAP uid attribute, which normally is CIS, or on the AAA Server User-Id attribute, which is normally BIN. User-Id is a AAA Server-specific RADIUS attribute. This optional flag defaults to uid.
IMPORTANT: With multiple LDAP directory servers, the Filter used for lookups must be consistent across all directories specified for a particular realm.
1. On the Local Realms screen, select the name of the directory definition you wish to delete.
2. Click Delete.
Tuning the AAA Server to LDAP Server Connection
The AAA server to LDAP server connection can be modified by adding the following entry to /etc/opt/aaa/aaa.config and then stopping and starting the server:
aatv.
Oracle databases with user information according to your requirements. See "Configuring the Oracle Database" (page 251) for information on how to configure your Oracle database.
Configuring the HP-UX AAA Server Using Server Manager
For each realm using Oracle authentication, you must specify the Oracle server. Complete the following steps to configure the HP-UX AAA Server Manager for Oracle authentication:
1. From the navigation tree, click Local Realms to open the Local Realms screen.
NOTE: AAA authentication automatically performs load balancing and failover in a round robin fashion across all servers listed for a realm. You cannot configure the functioning of these features.
8. On the Oracle Server screen, click Save.
9. Complete any of the remaining optional fields as necessary for your configuration.
10. Click Create.
11. Repeat these steps as necessary for your configuration.
12. From the navigation tree, click Save Configuration.
#! /bin/sh
########################################################
#
# WARNING:
# For security purposes, this file should be readable,
# writable and executable only by the aaa owner
# or group aaa (Permission 660)
#########################################################
#########################################################
# You will need to set the following Oracle environment
# variables according to your Oracle configuration.
/opt/aaa/bin/db_srv
to
/opt/aaa/bin/db_srv -x
CAUTION: The configuration script /etc/opt/aaa/db_srv.opt contains information that can be used to gain access to the Oracle database. Read access rights must therefore be limited.
Scripts to Start and Stop the HP-UX AAA Server Oracle Daemon
Two scripts are provided to stop and start the HP-UX AAA Server Oracle client daemon. Before executing start_db_srv.sh, edit the environment variables in the configuration script /etc/opt/aaa/db_srv.opt.
8. Repeat these steps as many times as necessary for your configuration.
9. From the navigation tree, click Save Configuration.
CAUTION: Save Configuration will save the entire server configuration (access devices, proxies, local realms, users, and server properties) to the servers you specify.
9 Configuring Proxies
A AAA proxy is an entity that acts as both a client and a server. When a request is received from a client, the proxy acts as a AAA server. When the same request needs to be forwarded to another AAA entity, the proxy acts as a AAA client. Figure 9-1 illustrates both ends of a proxy configuration relative to the local host. When the local host receives a request that it will authenticate, the server that forwarded the request is called the proxy server.
Figure 9-2 Server Manager's Proxy Screen
Changing the Default localhost Proxy Settings
The HP-UX AAA Server includes a preconfigured proxy entry named localhost for use in loop-back testing. You must change the default shared secret value for the localhost proxy, or delete it if you do not plan to use loop-back testing. To change the shared secret for the default localhost proxy, complete the following steps:
1. From the navigation tree, click Proxies.
2. On the Proxies screen, click the localhost link.
1. From the navigation tree, click Proxies, and then click New Proxy if you are creating a new proxy. If you are modifying an existing proxy, select the proxy you want to modify. The Proxy Attributes screen appears as shown in Figure 9-3.
Figure 9-3 Server Manager's Proxy Attributes Screen
2. Fill in the form on the Proxy Attributes screen according to the information given in Table 9-1.
Table 9-1 Proxy Configuration Options
Option: Function
Name: Enter the network location of the proxy server. The name can be an IPv4 address (in dotted-quad notation), an IPv6 address (in colon-separated notation), a valid fully qualified DNS name, or an IP (IPv4 or IPv6) address that contains a wildcard pattern. When specifying Name as a DNS host name, you must use the name returned by the hostname command.
Table 9-1 Proxy Configuration Options (continued)
Option: Function
Response Options: Select any of the check boxes to specify additional message-handling options. The following options are valid:
  RAD_RFC: Verifies that the Access-Request conforms with the RADIUS RFC. Nonconforming messages are dropped.
  ACCT_RFC: Verifies that the Accounting-Request conforms with the Accounting RFC. Nonconforming messages are dropped.
Table 9-2 Options for Forwarding Requests
Option: Description
Realms to forward: All requests originating from the realm listed in this drop-down list will be forwarded to the remote server. To add a realm to the list, select Add Realm from the list. To modify or delete a listed realm, select the realm name from the drop-down list. When you add or modify a realm, you specify the realm name and whether its accounting messages should be forwarded to the remote server.
8. Click Create.
9. From the navigation tree, click Save Configuration.
10. On the Save Configuration screen that appears, click Save.
CAUTION: Clicking Save saves the entire server configuration (access devices, proxies, local realms, users, and server properties) to the servers you specify.
NOTE: By default, accounting requests originating from the realm are also forwarded to the remote server.
Table 9-3 Accounting Logging Options Configuration Logging Location • Account forwarding set to Yes for a proxy • Local configuration • Proxy accounting forwarded to remote server • No.
6. From the navigation tree, click Save Configuration.
CAUTION: Clicking Save Configuration saves the entire server configuration (access devices, proxies, local realms, users, and server properties) to the servers you specify.
NOTE: By default, accounting messages are forwarded to the remote proxy server. Select Yes for Use Local Session Tracking to Suppress Forwarding of Accounting Requests to record accounting start and stop messages locally.
1. In the Proxies screen, click the delete icon corresponding to the proxy you want to delete. The Delete Proxy screen appears as shown in Figure 9-4. This screen allows you to preview the proxy attributes before you confirm deletion.
Figure 9-4 The Delete Proxy Screen
2. Click Delete to delete the displayed proxy entry. Click Cancel to return to the Proxy screen without deleting the entry.
10 Configuring Users
User profiles associate information with a user name for authentication and authorization. This information is defined by attribute-value pairs. The server configuration must include profiles for all the users that can access services through the AAA server. If a user profile is not included in the configuration, the server rejects the user's access request. Profiles are stored in flat text files or in an external source. This section covers user profiles stored in a text file.
1. From the navigation tree, click Users to access the Users screen shown in Figure 10-1.
2. Select test_user by clicking the Edit icon corresponding to it. The Modify Users pane appears, similar in appearance to the Add Users pane shown in Figure 10-2.
3. Change the default password and confirm it by entering it again.
4. Click Modify.
Figure 10-2 The Add Users Screen
3. Enter values in the form as per the instructions in Table 10-1.
Table 10-1 General Attributes in the Add User Screen
Attribute Name: Description
User Name: Value to compare to the User-Name attribute value in the request. It must be less than 64 characters. The characters &, ", ~, \, /, %, $, ', and space cannot be used.
Authentication Type: Use this field to supersede the Authentication type specified in the user's realm.
Table 10-1 General Attributes in the Add User Screen (continued)
Attribute Name: Description
Service Type (Check/Reply): Indicates a type of provided service. When used as a reply item, the server returns the value to the access device as an instruction to determine the service to provide. When used as a check item, the server will reject an Access-Request that does not include a hint for the specified service type.
3. Click Create if you are adding a new user profile. Click Modify if you are modifying an existing user profile. Click Cancel to return to the Users screen without making any changes. If each field contains a valid value, the profile will be created or modified; otherwise, an error message is displayed.
Adding Users for SecurID Authentication
To add a user profile for each individual user that will be authenticated through the ACE/Server, complete the following steps:
Figure 10-3 The Modify Users Screen
3. Fill in the fields in the form according to the information given in Table 10-1.
4. Click Modify to save changes. Click Cancel to exit without saving changes.
Deleting a User Profile
You can delete a user profile in the default users file or in a realm file, which is the file created for a realm that uses file type authentication.
1. In the Users screen, click the delete icon corresponding to the user profile you want to delete. The Delete User screen appears as shown in Figure 10-4. This screen allows you to preview the user attributes before you confirm deletion.
Figure 10-4 The Delete Users Screen
2. Click Delete to delete the displayed user profile. Click Cancel to return to the Users screen without deleting the user profile.
11 Modifying Server Properties
You can modify server variables to override built-in defaults. Server startup options override a corresponding server property setting. You can modify server variables using the Server Properties screen. Enter values for the given parameters to modify a server variable.
Navigating the Server Properties Screen
The Server Properties screen can be accessed by selecting the Server Properties link in the Server Manager navigation tree.
NOTE: IPv6 support is not available for DHCP Relay.
Table 11-1 DHCP Relay Properties
Option: Function
DHCP Server Port (optional): The UDP port to send DHCP requests to. If no value is specified, 67 is used.
DHCP Relay Port (optional): The UDP port to receive DHCP responses on. If no value is specified, 67 is used.
Send User Class: Determines which attribute in the DHCP message will carry the IP address pool name. If set to Yes, the pool name is sent in the User-Class option.
Table 11-2 DNS Update Properties
Option: Function
DNS Refresh Interval (optional): Time (in seconds) used to periodically refresh the IP addresses for clients and proxies that are configured by host. If no value is specified, 3600 (one hour) is used.
DNS Refresh Time Frame (optional): When the DNS Refresh Interval for a host name has expired, all other host names that would be refreshed within the specified number of seconds are refreshed immediately. If no value is specified, 60 is used.
Table 11-3 Message Handling Properties (continued)
Option: Function
Max. Authentication Requests: The maximum number of simultaneous authentication requests to be stored in a retransmission queue. When this limit is exceeded, all new authentication requests are discarded. HP recommends that this value match the value used for Max. Accounting Requests. If no value is specified, 1000 will be used.
NOTE: When this authentication queue limit is exceeded, the server stops responding to the Status command.
Tunneling Reply Items (Optional): Use the drop-down menu to specify the behavior when the HP-UX AAA Server receives an Access-Request that does not contain any Tunnel Hint attributes (like Tunnel-Type). The options are as follows:
• Return-Configured-Tunnel-Attributes: Allows the return of tunnel attributes in the authentication reply.
• Return-No-Tunnel-Attributes: Does not return any tunnel attributes in the authentication reply.
Table 11-4 Certificate Path Properties (continued)
Option: Function
Client User Name Attribute: For TLS only. Identifies the attribute in the user digital certificate from which to retrieve the user's name. This attribute must match the user name configured on the supplicant (client) software. The AAA server will check the user name in the certificate against the user name supplied in the EAP-TLS authentication request.
Local Users File Properties
Enable (Yes) to enable case-insensitive searching in the default users file. The default setting is No (case-insensitive searching is disabled by default).
ProLDAP Properties
Clicking ProLDAP Properties takes you to the ProLDAP Properties screen where you can modify the properties described in Table 11-5.
Table 11-5 ProLDAP Properties
Option: Description
Debug: Determines whether OpenLDAP debug messages must be logged in the HP-UX AAA Server radius.debug file.
12 Logging and Monitoring
This chapter covers the server's diagnostic functions that allow you to search and display information related to the server's operation and usage.
Overview
You can view the log files that record the details of each AAA transaction or the session logs that record information about each user's session. You can also access information for active sessions and manually terminate a session if necessary.
Figure 12-1 Server Manager's Logfile Screen
Search Parameters
You can filter what dates and times to retrieve from the logfile.
Table 12-1 Filter Parameters for Searching Logfiles
Option: Description
Begin (server time): The date and time of the first record in the range of data to retrieve.
End (server time): The date and time of the last record in the range of data to retrieve.
User: Limits the result of the search command to messages related to a specific user.
Message Types
You can filter what data to retrieve according to the type of messages. For each message type, you indicate whether the message type should or should not be retrieved by selecting the Yes or No radio buttons. The different message types are:
• Server Failure: This type of message indicates a server internal error or a problem with the configuration files.
• Warning: This type of message indicates a problem with the server, but the server is still able to process RADIUS requests.
Figure 12-2 Server Manager's Statistics Screen
Table 12-2 Statistic Search Parameters
Option: Description
Begin (server time): The date and time of the first record in the range of data to retrieve.
End (server time): The date and time of the last record in the range of data to retrieve.
The AAA server statistics are displayed in a bar graph similar to the example in Figure 12-3.
NOTE: If the logfile exceeds its size limit (as configured in the File Size property in the Server Properties link), a new logfile for that day is created and identified by a part<01-09> portion of the logfile file name string. For example: /var/opt/aaa/acct/session.yyyy-mm-dd_part<01-09>.log
By default, the radius.fsm (logall.fsm) state table calls the LAS_ACCT module when the server receives an Accounting-Request to start or stop the session.
Figure 12-5 Detailed Accounting Record for a Selected User
Format of Accounting Records in the Default Merit Style
RADIUS accounting records store both the user's account information and the user's historical session information. Each record begins with a tab-delimited line of values that represent the default AAA server session information. This information includes time-based values, as well as HP-UX-specific and standard RADIUS A-V pairs.
Log-time: The difference between the time on the machine where and when this log was written, and the start-time. This field is used to compress the data.
Connect time: How long (in seconds) the session was known to the local AAA Server host.
Client A-V Pairs: Represent attribute values that describe the client used for authentication and authorization.
Table 12-4 Reasons Why The Record Was Generated (continued)
Reason (Integer, Billed/Info): Description
AC_AUTHORIZED (10, Info): Session authorized. This record is intended for statistics only.
AC_NASREBOOT (11, Info): The session is released due to NAS reboot.
AC_REMOTE (12, Info): The session is for a remote server; failed to forward.
AC_DUPLICATE (13, Info): Duplicate accounting record received. This record is intended for statistics only.
Livingston CDR Session Record Format Each record of a user’s session begins with Date and Time and a list of Attribute-Value pairs, one below the other. This information includes time-based values as well as specific and standard RADIUS A-V pairs.
Changing the Accounting Log Rollover Interval
The log rollover interval (how often a new log file is created to store accounting records) is determined by the timestamp portion of the filename. To change the interval, follow the steps in "Changing the Accounting Log Filename" (page 137). The logging interval changes to the smallest unit of time in the timestamp portion of the filename. For example, %Y-%m-%d-%H changes the rollover interval to hourly.
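As an added illustration, not the server's own code, the following Python derives the rollover interval from the timestamp pattern in the way described above and builds the session.<timestamp>_partNN.log name used when the File Size limit is exceeded within one interval. The session. prefix, the .log suffix, and the strftime directives other than %Y, %m, %d and %H are assumptions for this example.

```python
"""Rollover interval and file name for the Merit-style accounting log."""
import re
from datetime import datetime
from typing import Optional, Union

# strftime directives grouped by the time unit they express, coarsest first.
# The guide names %Y, %m, %d and %H; the other directives are an assumption
# based on their standard strftime(3) meanings.
_UNITS = [
    ("yearly", "Yy"),
    ("monthly", "mbB"),
    ("daily", "dej"),
    ("hourly", "HI"),
    ("per-minute", "M"),
    ("per-second", "S"),
]
_RANK = {d: rank for rank, (_, chars) in enumerate(_UNITS) for d in chars}


def rollover_interval(pattern: str) -> Optional[str]:
    """Return the rollover interval implied by the finest unit in the pattern.

    A pattern with no time directive at all gives None: the name never changes,
    so no time-based rollover happens. '%%' is a literal percent sign; the
    regex consumes it as one directive that is not in the table, so it is
    ignored rather than misread as a directive.
    """
    finest = -1
    for directive in re.findall(r"%(.)", pattern):
        finest = max(finest, _RANK.get(directive, -1))
    return None if finest < 0 else _UNITS[finest][0]


def accounting_log_name(pattern: str, when: Union[datetime, str],
                        part: Optional[int] = None) -> str:
    """Build session.<timestamp>[_partNN].log as written into /var/opt/aaa/acct.

    'when' may be a datetime or an ISO 8601 string. 'part' is the 01-09 index
    appended when the File Size limit is exceeded inside one interval; values
    outside that range are rejected. The 'session.' prefix and '.log' suffix
    follow the example name in the guide and are assumed fixed.
    """
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    if part is not None and not 1 <= part <= 9:
        raise ValueError("part index must be between 1 and 9")
    name = "session." + when.strftime(pattern)
    if part is not None:
        name += f"_part{part:02d}"
    return name + ".log"


if __name__ == "__main__":
    for pat in ("%Y-%m-%d", "%Y-%m-%d-%H", "%Y-%m"):
        print(f"{pat:12} rolls over {rollover_interval(pat)}: "
              f"{accounting_log_name(pat, '2008-03-14T09:30:00')}")
```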
Part III Advanced Configuration Information
This part of the HP-UX AAA Server Administrator's Guide contains the following chapters:
• Chapter 13: "Securing LAN Access With EAP" (page 142)
• Chapter 14: "Managing Sessions" (page 152)
• Chapter 15: "Assigning IP Addresses" (page 157)
• Chapter 16: "OATH Standards-Based OTP Authentication" (page 162)
13 Securing LAN Access With EAP
IMPORTANT: The EAP-LEAP authentication method is deprecated in this release and will be obsolete in the next release of the HP-UX AAA Server. The EAP-LEAP authentication method is replaced by the new EAP-PEAP authentication method. HP recommends that you use EAP-PEAP in place of EAP-LEAP for improved security. Unlike EAP-LEAP, EAP-PEAP supports mutual authentication and uses an encrypted tunnel to transmit the user's credentials.
Figure 13-1 The Secure LAN Advisor For Securing WLANs
Preparing Your LAN
A LAN requires you to synchronize items on the supplicant, access point, and AAA server. The following table lists the items you need to synchronize on each node and provides notes on configuring each item.
Table 13-1 LAN Configuration Items
Item (Nodes): Notes
Shared Secret (Access Device, AAA Server): The shared secret configured on the access device and AAA server must match for the two to communicate. Use the Access Devices link to configure this item on AAA servers.
EAP Support (Access Device): Most access devices require you to enable EAP. You do not need to specify an EAP method, but you must enable support for EAP.
software for each EAP method (LAN access devices must only support EAP). For wireless clients, you must use supplicants that support the hardware platforms, operating systems, and WLAN cards in your environment. Ideally, you should try to use client hardware and software that allows you to use one EAP method for all your clients. This may mean avoiding solutions that are proprietary or support only a small variety of clients. Next, determine which of the following features are important to you: 1.
Table 13-2 Supported EAP Methods and Their Features
EAP Method (Features): Description
TTLS (1, 2, 3, 5, 6): Tunneled TLS. Can carry additional EAP or legacy authentication methods like PAP and CHAP. Integrates with the widest variety of password storage formats and existing password-based authentication systems. Supplicants are available for a large number of clients.
PEAP (1, 2, 5, 6): Protected EAP. Functionally very similar to TTLS, but does not encapsulate legacy authentication methods.
• Load a AAA server configuration into Server Manager by selecting Load in the navigation tree. See “Loading and Saving Your Configuration” (page 82) for more information.
• Identify the RADIUS clients that will send access requests to the AAA server by selecting Access Devices in the navigation tree. See “Navigating the Access Devices Screen” (page 84) for more information.
• Configure realms for the encrypted tunnels if you are using TTLS, or optionally for PEAP.
and PEAP, and in testing environments for TLS. The self-signed server certificates are in /etc/opt/aaa/security/. Because these files ship with every copy of the product, the private keys in them are not secret; use them only for testing. The following is a list of the self-signed certificates located in /etc/opt/aaa/security/:
• rsa_cert.pem — AAA server certificate
• rsa_key.pem — AAA server key
• ca_list.pem — list of client CA certificates
• demouser.p12 — sample client certificate
• root.
NOTE: HP recommends using the self-signed certificates included with the HP-UX AAA Server to simulate your certificate administration before deploying your own personal certificates in a production environment. The HP-UX AAA Server has the following digital certificate requirements: • all certificate files stored on the HP-UX AAA Server must be in .pem or .
Figure 13-2 Server Manager’s Certificate Properties Screen
3. Define the locations of the certificates by entering each path and clicking Create. The following list explains how to enter the path names in these fields:
• Server Certificate Path: For TLS, TTLS, and PEAP. Enter the fully qualified file name of the AAA server certificate in .pem or .cer format.
• Server Private Key Path: Enter the fully qualified file name of a file in .pem or .cer format that contains the private key corresponding to the AAA server certificate. This file cannot be encrypted, so anyone who can read the file holds the server's key: restrict it to the account the AAA server runs as, and keep it out of world-readable directories and unprotected backups.
14 Managing Sessions NOTE: This chapter does not apply to session management using the SQL Access feature. See Chapter 18: “SQL Access” (page 207) for more information on session management using the SQL Access feature. This chapter covers two procedures: reading records of active sessions, and manually stopping sessions. Session Logs After a user is successfully authenticated and the AAA server sends an Access-Accept, the access device will send an Accounting-Request message to start the session.
Figure 14-2 Example Return for a Sessions Search

4. Select a session. The AAA server manager displays the attributes for the selected session, similar to the example shown in Figure 14-3.

Figure 14-3 Example of a Session’s Attributes

5. Click OK when you are done reading the session.

Stopping a Session

This procedure is intended for sessions that were terminated on the access device but are still maintained as active by the AAA server.

1.
on the network. Session limits are defined through A-V pairs. These limits can be enforced on a user-by-user or global basis.

Setting Limits on a User-by-User Basis

If the user profile does not currently exist, follow the appropriate procedure to create a new profile. If the user profile does exist, access the user profile from the text file or database that stores the profile.

Setting Timeout Values

If the user profile is stored in a AAA server flat file:
1.
If the user profile is stored in a AAA server users file (grouped by realm or the default file), assign values to the User Attributes fields that can limit access: • Assign a NAS Port value (under the NAS/Login tab) to limit access to a specific dial-in connection identified by port. • Assign a NAS ID value (under the NAS/Login tab) to limit access to a specific dial-in connection identified by NAS.
5. Access the user profile and set the simultaneous session limit. • If the user profile is stored in a AAA server users file, select the Free tab from the User Attributes screen and then enter the following in the Check text box according to the limits you want to set.
15 Assigning IP Addresses The following information explains how the HP-UX AAA Server can be used to assign static or dynamic IP addresses to users. IMPORTANT: Currently, only static IPv6 addresses and prefixes can be assigned using the HP-UX AAA Server. Dynamic assignment of IPv6 addresses is not supported. Assigning Static IP Addresses The procedure for assigning the static IP (IPv4 and IPv6) addresses depends on where the user profile is stored.
Figure 15-2 The Framed User Attributes Form

5. Enter the static IP for the user in the Framed IP Address field.
6. Click Modify.

To Assign a Static IPv6 Address to a Profile in Flat Files

To assign a static IPv6 address to a user profile stored in AAA server flat files, complete the following steps:
1. From the navigation tree, click Local Realms.
2. Choose the users icon for the realm the user is in. The Users screen appears as shown in Figure 15-3.
Figure 15-3 The Users Screen 3. Click the Edit icon next to the user whose static IP address you want to modify. The Modify Users screen appears. 4. Click the Framed tab. The Framed User Attributes form is displayed on the screen as shown in Figure 15-4.
Figure 15-4 The Framed User Attributes Form

5. Enter the static IPv6 interface ID for the user in the Framed Interface ID field.
6. Enter the static value for the prefix that needs to be assigned to the user in the Framed IPv6 Prefix field.

NOTE: See “Syntax of IPv6 Attributes” (page 382) for more information on IPv6 attributes.

7. Click Modify.
To Assign Static IPv6 Addresses to a User Profile in an LDAP LDIF File

To assign static IPv6 addresses to a user profile stored in an LDAP LDIF file, complete the following steps:
1. From the command line, open the LDIF file the user profile is stored in.
2. Add the following lines to the user profile:

    aaaReply: Framed-IPv6-Prefix =
    aaaReply: Framed-Interface-Id =

3. Save the file.

Assigning Dynamic IP Addresses Using DHCP

You can assign dynamic IP (traditional IPv4) addresses using DHCP.
16 OATH Standards-Based OTP Authentication This chapter introduces the Open AuTHentication (OATH) standards-based One-Time Password (OTP) authentication. It also describes how to enable the HP-UX AAA Server to provide OTP, and OTP and password (two-factor) authentication in different deployment scenarios. The term OTP authentication is used throughout this document to refer to the functionality that enables OTP authentication. The term two-factor authentication is used for password and OTP authentication.
For more information on OATH and the HOTP algorithm, see the following web addresses: • http://www.openauthentication.org/ • ftp://ftp.rfc-editor.org/in-notes/rfc4226.txt HP-UX AAA Server and OATH Support The HP-UX AAA Server supports the OATH standards sequence-based OTP authentication, which enables the HP-UX AAA Server to interoperate with other OATH compliant clients.
1. The user requests access to a protected resource by presenting the user credentials (password or OTP, or password and OTP) to the authenticator. The OTP contains six, seven, or eight digits.
2. The authenticator forwards the request to the HP-UX AAA Server. In a RADIUS request the User-Password attribute is not sent in clear text: it is hidden with an MD5 keystream derived from the shared secret and the Request Authenticator (RFC 2865), which is obfuscation rather than strong encryption.
Configuring OTP Authentication on the HP-UX AAA Server The HP-UX AAA Server uses SQLAccess, the FSM, and policy actions to support OTP authentication. This feature offers the flexibility to customize OTP authentication depending on the deployment scenarios. Sample policy files are provided to simplify the process of configuring the HP-UX AAA Server to provide password and OTP authentication.
Notes:
1. The HP-UX AAA Server supports only token information that is stored in the SQL database.
2. The HP-UX AAA Server supports only the following EAP authentication methods for OTP authentication:
   • PEAP (EAP-GTC)
   • TTLS (PAP)

IMPORTANT NOTES:
• After using the sample reference implementation and before deploying your implementation in a production environment, you must change the default passwords for the database user and the test user, and the shared secret of the test user.
Figure 16-2 OTP Authentication Configuration Flowchart

Basic or Typical Configuration

A basic or typical scenario involves configuring the HP-UX AAA Server to provide two-factor authentication when user and token information is stored in different tables in the same SQL database.
Use the following information to understand how to configure the HP-UX AAA Server and the attributes you can use to customize actions on varying levels.
Table 16-1 Bit Masks to Configure OTP Authentication Tasks (continued)

Removes the OTP (bit mask 2): The HP-UX AAA Server removes the OTP from the incoming password and replaces the User-Password attribute with the password alone. This bit mask must be set if the User-Password attribute contains both the password and the OTP.

Sets the proxy event code (bit mask 1): The HP-UX AAA Server returns a proxy event to the FSM. Proxy files can be configured to proxy the request to the proxy target server.
The Otp-ActionId attribute is set to 112, the decimal value of the binary bit mask 01110000. Table 16-2 lists some common actions along with the bit masks that must be used for configuration.

Table 16-2 Common OTP Authentication Actions

Validates the password and OTP (two-factor authentication) if the incoming request contains the password and OTP.
Table 16-2 Common OTP Authentication Actions (continued)

Validates only the password and stores the generated OTP in the Otp-In-Attribute attribute if the incoming request contains only the password: Otp-ActionId 40 (bit mask 00101000).

Validates only the password when the incoming request contains only the password: Otp-ActionId 32 (bit mask 00100000). This action is equivalent to the configuration for password authentication. HP recommends using the default configuration for better performance.
Table 16-3 Attributes for Configuring OTP Authentication (continued)

Otp-Shared-Secret (user level configuration only): Specifies the shared secret that the OTP generator (token) and the HP-UX AAA Server both use to generate the OTP; it is the key of the HMAC computation. The length of the shared secret must be at least 128 bits (RFC 4226 recommends 160 bits). This attribute is mandatory for each user.
Table 16-3 Attributes for Configuring OTP Authentication (continued)

Otp-Add-Checksum (user, realm, or system-wide level configuration): Specifies whether a checksum digit is added while validating the OTP. If this attribute value is yes, the HP-UX AAA Server calculates the checksum for the generated OTP. While validating the OTP, if the calculated checksum is identical to the received one, the HP-UX AAA Server continues with the OTP validation.
Table 16-4 System-Wide OTP Configuration Items

otp_lookup_window: Specifies the size of the look-ahead window. The HP-UX AAA Server recalculates the next OTP values within this window and checks them against the received OTP to resynchronize the sequence counter. A larger window also enlarges the set of values that a single guess would be accepted against, so keep it as small as your tokens' counter drift allows. Default value: 10.

otp_token_length: Specifies the OTP length. Tokens can generate OTPs having six, seven, or eight digits. Default value: 6.

otp_token_lock_counter: Specifies the lock counter.
Configuring OTP Authentication for Tunneled EAP Mechanisms

If you have created EAP tunneled realms using the Server Manager for PEAP (EAP-GTC) or TTLS (PAP), refer to the following rules for specifying the realms when configuring OTP authentication:

If you have configured the same inner and outer realms:
• If you are using PEAP (EAP-GTC) as the authentication mechanism, replace the variable with the configured inner realm name, using the following syntax in the request-ingress.
SQLAction RetrieveToken {
    {
        input  RAD(User-Id, REPLY)              DBP(userid, 253, CHAR)
        output DBR(DBmatchRow)                  FUNC(NAKonZero)
               DBC(serial_number, 128, CHAR)    RAD(Otp-Token-Serial-Number, REPLY)
               DBC(token_status, 128, CHAR)     FUNC(AAATokenStatusCheck)
               DBC(seq_counter, 38, CHAR)       RAD(HOtp-Seq-Counter, REPLY)
               DBC(shared_secret, 128, CHAR)    RAD(Otp-Shared-Secret, REPLY)
               DBC(otp_length, 10, INT)         RAD(Otp-Token-Length, REPLY)
               DBR(DBretCode)                   FUNC(RETRIEVEonZero)
        SQLStatement db_oci {
            SELECT serial_number, token_stat
Notes: • The scenarios described in this section are applicable whether you are using RADIUS standard password authentication or EAP authentication. • The HP-UX AAA Server supports only the following EAP authentication methods for OTP authentication: — PEAP (EAP-GTC) — TTLS (PAP) • Creating different inner and outer realms for OTP authentication is supported only for TTLS (PAP). For information on creating tunneled EAP realms, see “Adding a Realm” (page 89).
If you have configured tunneled realms with different inner and outer realms for EAP authentication, replace the variable in the following syntax with the inner realm name configured in Step 1:

    if ((count (User-Name) > 0) && (substr (User-Name after "@") = "")) {
        insert Otp-ActionId = 16
        exit "ACK"
    }

If you have configured tunneled realms with the same inner and outer realms for EAP authentication:
1. Delete the following (default) condition in the request-ingress.
If you have configured tunneled realms with the same inner and outer realms for EAP authentication, replace the variable with the inner realm name configured in step 1 followed by the suffix for the method:
• PEAP (EAP-GTC): /peap
• TTLS (PAP): /ttls

5. Reload the configuration changes by selecting Reload from the Administration screen of the Server Manager. If the server is not running, start the HP-UX AAA Server to read the configuration information.
Use the following rules when replacing the variable with the realm name:
• The realm for RADIUS standard password authentication: replace the variable with the realm name configured in step 1.
• Tunneled realms with different inner and outer realms for EAP authentication: replace the variable with the inner realm name configured in step 1.
• Tunneled realms with the same inner and outer realms for EAP authentication: replace the variable with the inner realm name configured in step 1 followed by /peap (PEAP (EAP-GTC)) or /ttls (TTLS (PAP)).
4. If not already appended, append the contents of the sample OTP reference implementation policy files (located in /opt/aaa/examples/config) to the default policy files (located in /etc/opt/aaa) using the following commands:

    # cat /opt/aaa/examples/config/oath-request-ingress.grp >> /etc/opt/aaa/request-ingress.grp
    # cat /opt/aaa/examples/config/oath-reply-egress.grp >> /etc/opt/aaa/reply-egress.grp

Appending the files a second time leaves duplicate conditions in the policy files, so check the target files for the OATH conditions before running the commands.

5. In the /etc/opt/aaa/request-ingress.
If you have configured tunneled realms with the same inner and outer realms for EAP authentication:
1. Delete the following (default) condition in the request-ingress.grp file:

    if ((count (User-Name) > 0) && (substr (User-Name after "@") = "")) {
        insert Otp-ActionId = 112
        exit "ACK"
    }

2. Based on the EAP authentication method you have configured, add one of the following conditions in the /etc/opt/aaa/request-ingress.
If you have configured tunneled realms with the same inner and outer realms for EAP authentication, replace the variable with the inner realm name configured in step 1 followed by the suffix for the method:
• PEAP (EAP-GTC): /peap
• TTLS (PAP): /ttls

7. Reload the configuration changes by selecting Reload from the Administration screen of the Server Manager. If the server is not running, start the HP-UX AAA Server to read the configuration information.
If you have configured tunneled realms with different inner and outer realms for EAP authentication, replace the variable in the following syntax with the inner realm name configured in Step 1:

    if ((count (User-Name) > 0) && (substr (User-Name after "@") = "")) {
        insert Otp-ActionId = 112
        insert Otp-Retrieve-TokenInfo-ActionId = "RetrieveToken"
        exit "ACK"
    }

If you have configured tunneled realms with the same inner and outer realms for EAP authentication:
1. Delete the following (default) condition in the /etc/opt/aaa/request-ingress.
Use the following rules when replacing the variable with the realm name:
• The realm for RADIUS standard password authentication: replace the variable with the realm name configured in step 1.
• Tunneled realms with different inner and outer realms for EAP authentication: replace the variable with the inner realm name configured in step 1.
• Tunneled realms with the same inner and outer realms for EAP authentication: replace the variable with the inner realm name configured in step 1 followed by /peap (PEAP (EAP-GTC)) or /ttls (TTLS (PAP)).
2. Configure the proxy target server using the Server Manager and save the configuration. For more information on configuring proxies, see “Configuring Proxies” (page 105).
3. If not already appended, append the contents of the sample OTP reference implementation policy files (located in /opt/aaa/examples/config) to the default policy files (located in /etc/opt/aaa) using the following commands:

    # cat /opt/aaa/examples/config/oath-request-ingress.grp >> /etc/opt/aaa/request-ingress.
If you have configured tunneled realms with the same inner and outer realms for EAP authentication:
1. Delete the following (default) condition in the /etc/opt/aaa/request-ingress.grp file:

    if ((count (User-Name) > 0) && (substr (User-Name after "@") = "")) {
        insert Otp-ActionId = 112
        exit "ACK"
    }

2. Based on the EAP authentication method you have configured, add one of the following conditions in the /etc/opt/aaa/request-ingress.
If you have configured tunneled realms with the same inner and outer realms for EAP authentication, replace the variable with the inner realm name configured in step 1 followed by the suffix for the method:
• PEAP (EAP-GTC): /peap
• TTLS (PAP): /ttls

7. Reload the configuration changes by selecting Reload from the Administration screen of the Server Manager. If the server is not running, start the HP-UX AAA Server to read the configuration.
Validating OTP on the Local Server and Forwarding Password to Another RADIUS Server To configure the HP-UX AAA Server to validate the OTP and forward the password to another RADIUS server for validation, complete the following steps: 1. Configure the realm using the Realms Screen of the Server Manager. While configuring the realm, use the procedure listed in “Configuring Realms for Database Access via SQL” (page 94).
If you have configured tunneled realms with different inner and outer realms for EAP authentication, replace the variable in the following syntax with the inner realm name configured in Step 1:

    if ((count (User-Name) > 0) && (substr (User-Name after "@") = "")) {
        insert Otp-ActionId = 83
        exit "ACK"
    }

If you have configured tunneled realms with the same inner and outer realms for EAP authentication:
1. Delete the following (default) condition in the /etc/opt/aaa/request-ingress.
If you have configured tunneled realms with the same inner and outer realms for EAP authentication, replace the variable with the inner realm name configured in step 1 followed by the suffix for the method:
• PEAP (EAP-GTC): /peap
• TTLS (PAP): /ttls

6. In the proxy-egress.
Forwarding OTP and Password to Another RADIUS Server for Validation To forward the OTP and password to another RADIUS server, HP recommends that you use the Server Manager to forward the complete request to the RADIUS server. For more information on forwarding requests, see “Configuring Proxies” (page 105).
RAD_TOKENS_TABLE columns: serial_number, user_name, manufacturer, token_status, seq_counter, shared_secret, otp_length, lookup_window, checksum, activation_code, success_auth_count, failed_auth_count, failed_lock_count, locktime

The shared_secret column holds each token's HMAC key, and anyone who can read it can generate valid OTPs for that token. Protect it as you would a password store, using the views, privileges, and encryption options discussed in “Database Security” (page 216).

The SQL actions and stored procedures listed in Table 16-5 are added in the sqlaccess.config file to support OTP authentication.
Table 16-5 SQL actions and Stored Procedures that Support OTP Authentication (continued)

UpdateFailedAuthCountAndTokenStatus (operates on RAD_TOKENS_TABLE): A stored procedure that is created using dbsetup.sql. This procedure increments the failed authentication count after a failed authentication. It also increments the lock counter for each failed authentication.
IMPORTANT: If the shared secret provided by the token vendor is in hexadecimal format, edit the /etc/opt/aaa/sqlaccess.config file to change the following entry in the RetrieveUserAndToken SQL action:

    DBC(RAD_TOKENS_TABLE.shared_secret, 128, CHAR)    RAD(Otp-Shared-Secret, REPLY)

to

    DBC(RAD_TOKENS_TABLE.shared_secret, 128, CHAR)    FUNC(AAASetConvertedHexToBinaryString)

and reload the configuration changes.
actions by setting the bitmask in the Otp-ActionId attribute, and configuring the OTP-specific attributes listed in “Attributes for Configuring OTP Authentication” (page 172).
UpdateSeqenceCounterAndSuccessAuthCount and returns the POST_REPLY_EGRESS event to update the sequence counter and success authentication count using SQLAccess.
Part IV Integrating the HP-UX AAA Server With External Services This part of the HP-UX AAA Server Administrator’s Guide contains the following chapters: • Chapter 17: “LDAP Authentication” (page 204) • Chapter 18: “SQL Access” (page 207) • Chapter 19: “Oracle Authentication (Supported Using SQL Access)” (page 248) • Chapter 20: “Simple Network Management Protocol (SNMP) Support” (page 256) • Chapter 21: “VPN Tunneling” (page 258) • Chapter 22: “Using DHCP” (page 260) • Chapter 23: “Using SecurID” (page 262)
Table of Contents 17 LDAP Authentication..............................................................................................................204 LDAP Server Compatibility .............................................................................................204 Related LDAP Documentation ........................................................................................204 Authentication with LDAP ..........................................................................................
Result Handling for Retrieval Requests...........................................................231 Global Definitions..................................................................................................232 Advanced SQL Mapping Configuration.....................................................................232 Developing Custom Functions...............................................................................233 Null SQL Statements.......................................................
21 VPN Tunneling.....................................................................................................................258 Establishing a Tunnel for a User.......................................................................................258 22 Using DHCP........................................................................................................................260 Required DHCP Server Features....................................................................................
17 LDAP Authentication The Lightweight Directory Access Protocol (LDAP) authentication type provides a method for storing user profiles on an LDAP server. LDAP servers are useful when managing a large number of user profiles. NOTE: You can download Red Hat/Netscape Directory Server for HP-UX from www.software.hp.com. LDAP Server Compatibility The HP-UX AAA Server is designed to interoperate with LDAP Version 3 compliant directories. Refer to the HP-UX AAA Server Release Notes at http://docs.hp.
NOTE: The following procedures are required if your user entries are using attributes defined in the aaaPerson object class. If you are only storing user profiles based on the core LDAP inetOrgPerson object class (to retrieve the user ID and password), the following procedures are not necessary. The HP-UX AAA Server LDAP Schema The HP-UX AAA Server LDAP schema consists of the aaaPerson object class and a set of LDAP attributes utilized by aaaPerson.
To Configure Netscape Directory Server v6
1. Copy /opt/aaa/examples/proldap/55iaaa-radius.ldif to the LDAP server schema directory (/var/opt/netscape/servers/slapd-/config/schema).
2. Restart the directory server.
3. Create an LDIF file for your user profiles and import it to the directory.

To Configure iPlanet Directory Server v5
1. Copy /opt/aaa/examples/proldap/55iaaa-radius.ldif to the LDAP server schema directory (/var/opt/iplanet/servers/slapd-/config/schema).
18 SQL Access This chapter introduces the SQL Access feature, describes how it works and how to configure the HP-UX AAA Server for SQL Access. The term SQL Access is used throughout this guide to refer to the functionality that allows flexible and customizable access to an SQL database. This chapter also discusses how to manage user and token information that is stored in an SQL database.
Figure 18-1 SQL Access Components When the AAA Server receives a RADIUS request to perform an action (for example, authentication), it calls the SQL Access AATV if SQL Access is configured. The SQL Access AATV maps RADIUS attributes to database columns and prepares user defined SQL statements for execution. The connector libraries pass the SQL statements to vendor supplied database client libraries, which in turn communicate with the database.
RADIUS Attribute to SQL Statement Mapping You can use SQL mappings to define how to associate or "map" RADIUS attributes to and from the input and output of your SQL statement . The execution of the SQL statement and associated mappings occur in three steps: 1. Input Mappings 2. SQL statement execution 3. Output mappings In the typical case, you map RADIUS attributes (input source) to SQL statement placeholders (input target).
Figure 18-2 RADIUS Attribute to SQL Statement Mapping During input mapping, the value for the RADIUS attribute User-name is passed to the SQL statement SELECT as a search value into the database table USERTABLE using the SQL placeholder to bind to the data value John. The output mapping entry tells the SQL Access AATV that the database column db_passwd maps to the RADIUS attribute password, with a returned value of Johnpass in the attribute-value pair.
SQL Action Processing and Result Handling The SQL Access AATV processes all mapping entries of an SQL action in the order in which they are defined in the sqlaccess.config file. It first processes all input mapping entries in order, then executes the SQL statement, and finally processes the output mapping entries in order. SQL actions start with an event of ACK and mapping entries usually return an event of ACK.
  for detailed information on how to install your sample SQL Access implementation for Oracle.
• /opt/aaa/examples/sqlaccess/mysql-1: files to set up a sample implementation for MySQL and the Unix ODBC driver. See the README in that directory for detailed information on how to install your sample SQL Access implementation for MySQL.

NOTE: The database server and client are not provided with the HP-UX AAA Server.
Table 18-1 The sqlaccess.config Sample File (continued)

UpdateFailedAuthCountAndTokenStatus (operates on RAD_TOKENS_TABLE): A stored procedure that is created using dbsetup.sql. This procedure increments the failed authentication count after a failed authentication. It also increments the lock counter for each failed authentication.
dbsetup.sql Sample File The dbsetup.
login_service

RAD_SESS_TABLE columns: sess_start_time, session_id, user_name, nasid, nasport, assigned_framed_ip, client_hw_address, client_identifier

In addition, the dbsetup.sql script for OCI creates a stored procedure to first retrieve the IP address for a session ID and then to delete it from the session table RAD_SESS_TABLE.

Finite State Machine Sample

NOTE: If you are using SQL Access for the retrieval of user entries only, you can use your existing FSM file.
Database Security Secure communication between the database client and the database server is controlled by the database server and client software. Therefore, choose your database environment based on your organization's security requirements. You may have to consider controlling access to the database tables based on views and privileges, data encryption requirements between the database client and server, or data encryption requirements of the data stored in the database.
See the README files for the supported environments in the respective directories at /opt/aaa/examples/sqlaccess/ for specific shared library path configuration information for the supported database clients. Database Client Connector Libraries For each supported database client, HP provides a corresponding client connector library. Copy the corresponding client connector library from /opt/aaa/lib/dbcon/ alternate/ to the execution directory /opt/aaa/lib/dbcon.
accounting without session management and accounting with session management using the SQL Access feature. 5. Restart the server. You can also send the kill -HUP signal to activate the SQL access implementation while the AAA server is running if you have not modified the FSM. Refer to “HUP Processing” (page 374) for details on the kill -HUP signal. sqlaccess.config File Configuration The sqlaccess.
/* Global Definition */
[SQLMapConvLibs "path_to_lib:path_to_lib:…:path_to_lib"]

/* Database Connection Definition */
DBID instance {
    DBClient            db_client_library_interface
    [DBUser             db_user]
    [DBPassword         db_user_password]
    [ReconnectWaitTime  reconnect_wait_time]
    [OracleSID          Oracle_db_instance]
    [ODBCDatastore      ODBC_db_instance]
}

/* SQL Action Definition */
SQLAction action_ID {
    [TimedEvent timed_event]
    /* repeat as needed */
    {
        [input  [source . . [source
        [output [source . .

DBID instance {
    DBClient            db_client_library_interface
    [DBUser             db_user]
    [DBPassword         db_user_password]
    [ReconnectWaitTime  reconnect_wait_time]
    [OracleSID          Oracle_db_instance]
    [ODBCDatastore      ODBC_db_instance]
}

Where:

instance    Identifies a unique instance of the AAA Server as a database client. Note that the database connection parameters for a particular instance must be defined before the SQL actions for that particular database instance in the sqlaccess.config file.
Example 18-1 Define the Oracle Database Connection Parameters

    ## Define the Oracle/OCI connection.
    DBID db_oci {
        DBClient    OracleOCI
        DBUser      aaaoracleuser
        DBPassword  aaaoraclepassword
        OracleSID   "example.db.com:1521/testdb"
    }

DBPassword is stored in clear text in sqlaccess.config, so restrict the file to the account the AAA server runs as, and grant the database user only the privileges its SQL actions need (see “Database Security” (page 216)).

Example 18-2 (page 221) defines an instance of an ODBC database interface as db_odbc with the connection parameters:

Example 18-2 Define the MySQL Database Connection Parameters

    ## Define the MYSQL ODBC connection.
action_ID    Required. Specifies a unique instance of an SQL action. Identifies the SQL action to be executed as configured in the FSM or in the authfile through the Local Realm screen in the Server Manager. Follow a naming convention for action_ID that allows for easy identification of the actions performed, to ensure the integrity of the processing logic.
timed_event  Optional. Used for actions not triggered by user requests.
Table 18-4 Output Mapping Data Types and Syntax

source:
    RAD(vendor_id:attribute, attr_type, MAND)
    DBC(db_column, db_width, db_type)
    DBP(placeholder, db_width, db_type)
    FUNC(mappingfunction)
    DBR(result)
target:
    RAD(vendor_id:attribute, attr_type, MAND)
    FUNC(mappingfunction)

RAD Mapping

The RAD mapping identifies a RADIUS attribute for input and/or output mapping.
Table 18-5 RAD Mapping Parameters (continued) Parameter Description attr_type Optional. Specifies the type of RADIUS attribute, and is used to determine the queue where the attribute is located. A set of attribute queues is associated with each RADIUS request. You can specify one of the following queues: • REQUEST: Attributes from the inbound request. • REPLY: Attributes to be included in the reply. Also typically used for temporary attributes used for local processing.
Table 18-6 DBC Mapping Parameters Parameter Description db_column Mandatory. Specifies the column name of the database table. db_width Mandatory. Specifies the column width as defined in the database schema. Used by the database client library to determine the length of data to reserve for processing the column. db_type Mandatory. Used by the database column library to specify the type conversion to be performed on the data.
Table 18-7 DBP Mapping Parameters Parameter Description placeholder Mandatory. • For OCI: Any string value. Passed to the OCIBindByName function. Binds the mapping to a placeholder in the SQL statement as defined by the OCI syntax based on string matching. • For ODBC: Integer value. Identifies the order or position of the DBP parameter in the SQL statement. Passed to the SQLBindParameter function. Binds the mapping to a placeholder in the SQL statement as specified by the ODBC syntax.
Example 18-3 User and Password Input and Output Mappings
For OCI:
    input   RAD(User-Id, REPLY)             DBP(userid, 64, CHAR)
    output  DBC(user_password, 128, CHAR)   RAD(Password, CHECK)
            DBC(address_pool, 128, CHAR)    RAD(Address-Pool, REPLY)
For ODBC:
    input   RAD(User-Id, REPLY)             DBP(1, 254, CHAR)
    output  DBC(user_password, 128, CHAR)   RAD(Password, CHECK)
            DBC(address_pool, 128, CHAR)    RAD(Address-Pool, REPLY)
The input mapping locates the RADIUS attribute User-Id in the reply queue and associates a data pointer to the local valu
Table 18-8 Pre-defined Mapping Functions
Mapping Type    Mapping Function    Description
Source          AAALocalHost        Returns the AAA Server hostname. It uses the RADIUS Server host name stored in aaa.config, or the result of the gethostname() system call when hostname is not configured.
Source          AAALocalIP          Returns the local IP address in binary format as returned by getaddrinfo() for AAALocalHost.
Source          AAALocalIPv6        Returns the local IPv6 address in binary format as returned by getaddrinfo() for AAALocalHost.
Conversion Functions A conversion function is executed between the source and target mapping and can be used to convert or modify data. You can identify a conversion function in the conversion_function variable for each mapping entry. conversion_function is the name of the function to execute. It can either be a pre-defined function included in the AAA Server, or a user-defined function. See “Advanced SQL Mapping Configuration” (page 232) for more information on user-defined conversion functions.
sql_statement    User-defined SQL statement. Passed unmodified to the database client library. Because nothing rewrites the statement, request data must reach it only through DBP placeholders that the client library binds; never assemble the statement text from RADIUS attribute values.
Functions” (page 227) for more information on pre-defined mapping functions to set event codes. For more information on event code handling for user retrieval action, see “Result Handling for Retrieval Requests” (page 231) in this section. If your mapping function returns an event other than ACK, control is returned to the FSM immediately with the event code set in the mapping function.
Example 18-5 SQL Statement with Result Mapping - OCI
SQLAction RetrieveUser {
    {
        input   RAD(User-Id, REPLY)             DBP(userid, 254, CHAR)
        output  DBC(user_password, 128, CHAR)   RAD(Password, CHECK)
                DBC(address_pool, 128, CHAR)    RAD(Address-Pool, REPLY)
                DBR(DBretCode)                  FUNC(RETRIEVEonZero)
        SQLStatement db_oci {
            SELECT user_password, address_pool
            FROM   RAD_USERS_TABLE
            WHERE  user_name=:userid
        }
    }
}
Global Definitions
Global definitions are placed anywhere in the sqlaccess.
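The RetrieveUser action above hands User-Id to the database through the bound placeholder :userid (the DBP mapping), so the value is compared as data and never parsed as SQL. The following is an added example, not HP-UX AAA Server code: it stands an in-memory SQLite table in for RAD_USERS_TABLE with constructed rows, performs the same lookup with a bound parameter, and contrasts it with what a spliced statement does when User-Name carries a quote. The sample rows, the function names and the mapping of "row found" to the RETRIEVE event are assumptions.

```python
"""Added example, not part of the HP-UX AAA Server: the RetrieveUser
lookup done with a bound placeholder (what the DBP mapping does)
beside the spliced form it avoids. SQLite stands in for Oracle/ODBC."""
import sqlite3

# Constructed sample rows standing in for RAD_USERS_TABLE.
SAMPLE_USERS = [
    ("alice", "alice-pw", "pool-a"),
    ("bob", "bob-pw", "pool-b"),
]

# Widths taken from the mapping example: DBP(userid, 254, CHAR), DBC(..., 128, CHAR).
USERID_WIDTH = 254
COLUMN_WIDTH = 128


def build_db():
    """In-memory table with the three columns the action reads."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE RAD_USERS_TABLE ("
        "user_name TEXT PRIMARY KEY, user_password TEXT, address_pool TEXT)")
    conn.executemany("INSERT INTO RAD_USERS_TABLE VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def retrieve_user_bound(conn, user_id):
    """Equivalent of the DBP(userid, 254, CHAR) input mapping: the client
    library receives the value separately from the statement text.
    Returns (user_password, address_pool) or None when no row matches."""
    if len(user_id) > USERID_WIDTH:
        return None  # longer than the declared placeholder width
    row = conn.execute(
        "SELECT user_password, address_pool FROM RAD_USERS_TABLE WHERE user_name=?",
        (user_id,)).fetchone()
    if row is None:
        return None
    # DBC(..., 128, CHAR) reserves a fixed buffer per column; clip to match.
    return tuple(v[:COLUMN_WIDTH] for v in row)


def retrieve_user_spliced(conn, user_id):
    """The form the DBP mapping exists to avoid: the attribute value is
    pasted into the statement, so a quote inside the value rewrites the
    WHERE clause and an unknown user can still match a row."""
    stmt = ("SELECT user_password, address_pool FROM RAD_USERS_TABLE "
            "WHERE user_name='%s'" % user_id)
    return conn.execute(stmt).fetchone()


def retrieve_event(row):
    """Assumed reading of FUNC(RETRIEVEonZero) on DBR(DBretCode): a row
    means the profile was found (RETRIEVE); no row yields RETRIEVE_ERROR,
    the event Table 24-1 documents for a profile that cannot be located."""
    return "RETRIEVE" if row is not None else "RETRIEVE_ERROR"
```

The bound lookup returns nothing for a crafted name such as `x' OR '1'='1` because the whole string is compared against user_name; the spliced form turns the same input into a clause that is always true.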
Developing Custom Functions You can define your own mapping and conversion functions, which must reside in libraries located at the paths configured in the SQLMapConvLibs setting of the global definition in the sqlaccess.config file. Ensure that the names of the custom functions do not conflict with the names of any pre-defined or other customized functions. HP suggests that you use a unique prefix for your custom functions.
Null Source and Target Mapping You can also specify SQL action mappings without the source or target mapping. In this case, no data will be input to the SQL statement and/or the SQL statement execution will not return any data. An example of an SQL action containing only SQL statements is an expired session cleanup operation as shown in Example 18-6:
Example 18-6 SQL Action with Null Source and Target Mappings
SQLAction CleanupExpiredSessions {
    TimedEvent 120    ## Invoke the action every 120 seconds.
Example 18-7 Timestamp Synchronization
For OCI:
SQLAction UpdateAcct {
    {
        input   RAD(Class)        DBP(sessid, 254, CHAR)
        output  DBR(DBretCode)    FUNC(ACKonZero)
        SQLStatement db_oci {
            UPDATE RAD_ACCT_TABLE SET update_time=current_timestamp
            WHERE session_id=:sessid
        }
    }
}
Finite State Table Configuration in the FSM SQL Access for user profile retrieval requires no modification to the FSM. Use the Local Realm screen in the Server Manager to configure the SQL action for the desired realm.
Example 18-8 FSM with Accounting Log via SQL Access
#####################################
## Start Accounting via SQL Access ##
AcctLog:
    *.*.ACCT_START     SQLAccess    ReplyHold
    *.*.ACCT_STOP      SQLAccess    ReplyHold
    *.*.ACCT_ALIVE     SQLAccess    ReplyHold
    *.*.ACCT_MSTART    SQLAccess    ReplyHold
    *.*.ACCT_MSTOP     SQLAccess    ReplyHold
    *.*.ACCT_CANCEL    SQLAccess    ReplyHold
    *.*.ACCT_ON        SQLAccess    ReplyHold
    *.*.
Example 18-9 Remove Session Stored Procedure Definition
create or replace procedure remove_session(sessid IN varchar2, ipaddr OUT NUMBER) IS
BEGIN
    select ASSIGNED_FRAMED_IP into ipaddr from RAD_SESS_TABLE where session_id=sessid;
    delete from RAD_SESS_TABLE where session_id=sessid;
END;
Note that select ... into raises NO_DATA_FOUND (ORA-01403) when no row matches, so a Stop for a session that is not in RAD_SESS_TABLE fails the call rather than silently succeeding; handle that exception in the procedure if such Stops are expected.
Run Stored Procedure Call to remove_session in SQL Action:
SQLAction StopSession-DHCP {
    {
        input   RAD(Class)              DBP(sessid, 254, CHAR)
        output  DBP(ipaddr, 11, INT)    FUNC(AAAFreeIP)
                DBR(DBretCode)          FUNC(ACKonZero)
        SQLStatement db_
This section discusses the following topics: • “Managing Users” (page 238) • “Managing Users Using OTP to Authenticate” (page 241) Managing Users This section discusses the following topics: • “Adding Users to an SQL Database” (page 238) • “Modifying User Credentials” (page 240) • “Viewing User and Token Statistics” (page 246) Adding Users to an SQL Database To add a user into the SQL database, complete the following steps: 1.
Figure 18-4 The Add User Screen
4. Enter the relevant information according to the guidelines stated in Table 18-10.
Table 18-10 Fields in the Add Users Form
Field Name               Description
User Name                Assign a user ID for the user. A user ID can comprise alphanumeric characters, '-', '_', '!' and '@'. A user ID cannot exceed 128 characters.
First Name, Last Name    Enter the first name and last name of the user. The names can comprise alphanumeric characters, '_', '-', '.', and the space character.
Table 18-10 Fields in the Add Users Form (continued)
Field Name                                              Description
Enter Token Serial Number or Allocate a Free Token      Enter the token number listed on the token device to assign a specific token to a user. To randomly allocate a free token serial number, check the Allocate a Free Token checkbox. NOTE: This is an optional field. If you are not using OTP authentication, leave this field blank.
Contact Info                                            Enter the contact information in the corresponding fields.
2. Enter your login and password when prompted. The User Database Administration Manager launches, as shown in Figure 18-3.
3. Search the database by entering data for any one of the following fields:
   • User Id
   • Email Id
   • L. Name or F. Name
   • Work Phone
   • Token Serial Number
   A list of matching users is displayed.
4. Click Modify User or the matching user listed. The Manage User screen is displayed.
5. Modify the relevant information.
6.
information into SQL insert statements. The generated file can be executed on the database to populate the token table. After the tokens are imported into the database, they are in the AVAILABLE state, indicating that they are free and can be assigned to any user. Assigning Tokens to Users Once tokens are imported into the database, they must be assigned to users.
4. If OTP validation is successful, assign the token to the user by clicking Add User or Modify User Info at the bottom of the screen. The token is assigned to the user and its status changes from AVAILABLE to ASSIGNED. Additionally, the User Database Administration Manager generates and e-mails an activation code to the user. 5. If you are using a token device, mail it to the user. Allocating Any Available Tokens to a User To allocate any available token to a user, complete the following steps: 1.
Figure 18-6 The Enroll Token Screen
4. Complete the form in the Enroll Token screen according to the information in Table 18-11.
Table 18-11 Fields in the Enroll Token Device Form
Field Name         Description
User Name          Enter the user name assigned to you by the administrator. User names cannot exceed 128 characters. Besides alphanumeric characters, '-', '_', '!' and '@' can also be used.
Activation Code    This code is provided to activate the token device or software associated with your identification.
Synchronizing Tokens (Procedure for Users) The HOTP algorithm is counter-based: the token and the user profile database each keep a copy of the same counter. The token's counter increments every time it generates an OTP, whether or not that OTP is ever submitted to the server; the counter in the user profile database increments only when a client request is successfully authenticated. As a result, the token's counter can run ahead of the value in the database, and the two must be resynchronized before the token authenticates again.
Table 18-12 Fields in the Synchronize Token Form
Field Name      Description
User Name       Enter the user name assigned to you by the administrator. User names cannot exceed 128 characters. Besides alphanumeric characters, '-', '_', '!' and '@' can also be used.
OTP 1, OTP 2    Enter two consecutive OTPs generated by your token.
5. To synchronize or unlock the token, click Synchronize.
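The two-OTP form works because the server can search forward from its stored counter for a pair of consecutive counter values that reproduce both codes. The block below is an added example, not the HP-UX AAA Server's implementation: it generates HOTP values per RFC 4226 (checked against that RFC's published test vectors, with the RFC's test secret as constructed input) and shows the normal small look-ahead window beside the wider window used only for resynchronization. The window sizes and function names are assumptions.

```python
"""Added example, not HP-UX AAA Server code: RFC 4226 HOTP plus the
two-OTP counter resynchronisation that a Synchronize form relies on."""
import hashlib
import hmac
import struct

# Constructed input: the RFC 4226 Appendix D test secret.
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify(secret: bytes, server_counter: int, otp: str, window: int = 3):
    """Ordinary authentication: accept an OTP within a small look-ahead
    window (assumed size) so a few unused token presses do not lock the
    user out. Returns the counter to store next, or None on failure."""
    for c in range(server_counter, server_counter + window):
        if hmac.compare_digest(hotp(secret, c), otp):
            return c + 1  # move the database counter past the accepted OTP
    return None


def resync(secret: bytes, server_counter: int, otp1: str, otp2: str,
           window: int = 20):
    """Synchronize form: search a wider (assumed) window for two consecutive
    counters that reproduce otp1 and otp2. Both must match before the
    counter moves, so a single guessed OTP cannot advance it. Returns the
    counter to store next (one past otp2), or None when nothing matches."""
    for c in range(server_counter, server_counter + window):
        if (hmac.compare_digest(hotp(secret, c), otp1)
                and hmac.compare_digest(hotp(secret, c + 1), otp2)):
            return c + 2
    return None
```

A token pressed seven times while the database still holds counter 2 fails `verify` (outside the small window) but succeeds through `resync`, after which ordinary verification resumes from the new counter; two codes that are valid but not consecutive are rejected.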
Table 18-13 Valid Token Status Values
Token Status    Description
ASSIGN          Indicates that the token has been assigned to a user, but has not yet been activated. Once the token is activated, the token status changes to ACTIVE.
ACTIVE          Indicates that the token is currently assigned to a user.
AVAILABLE       Indicates that the token is free and can be assigned to a user. When tokens are initially loaded into the database, their token status is AVAILABLE.
19 Oracle Authentication (Supported Using SQL Access) IMPORTANT: The Oracle authentication module is deprecated in this release and will be obsolete in the next release of the HP-UX AAA Server. The Oracle authentication module is supported using SQL Access. HP recommends that you set up your HP-UX AAA Server to interact with the Oracle database using the SQL Access feature. For more details on implementing SQL Access, see Chapter 18: “SQL Access” (page 207) .
Figure 19-1 Authentication Process with Oracle The db_srv daemon sends an SQL query to the Oracle database. The daemon uses an AUTH_NET_USER data structure to send the appropriate replies to the Oracle process. The ORACLE module then processes the replies and returns the results to the AAA server engine. Multiple db_srv daemons can communicate with a single database or a set of replicated databases. Each daemon must be on a different machine or listening on a different port.
The following files are installed into the following directory hierarchy on installation: Table 19-1 lists files related to db_srv.
Table Spaces The physical database storage units, data files, are associated with table spaces according to the logical structure of the database. For example, table spaces may be created to separate different categories of data. Table spaces are divided into smaller logical divisions called segments, which are divided further into extents and data blocks. These levels of data storage allow control over how the data files are allocated for physical storage.
insert into AUTH_NET_USERS values (
    'User-Name', 'User-Password',
    Session-Timeout, Idle-Timeout, Port-Limit,
    Tunnel-Type, Tunnel-Medium-Type,
    'Tunnel-Client-Endpoint', 'Tunnel-Server-Endpoint', 'Acct-Tunnel-Connection',
    Service-Type, Framed-Protocol, Framed-IP-Address, Framed-IP-Netmask, Framed-Routing,
    'Filter-Id', Framed-Compression
);
commit;
Substitute each attribute placeholder with the value to assign to the corresponding column.
Figure 19-2 Oracle Database Table Format The AAA server uses this information to perform authentication using the network_auth_name and network_auth_password column values. The rest of the table’s column values are passed back as reply items to the AAA server’s Oracle process through the db_srv daemon.
create table AUTH_NET_USERS (
    PRIMARY KEY (network_auth_name),
    network_auth_name VARCHAR2(63),
    network_auth_password VARCHAR2(128),
    session_timeout number(10),
    idle_timeout number(10),
    port_limit number(10),
    tunnel_type number(10),
    tunnel_medium_type number(10),
    tunnel_client_end VARCHAR2(64),
    tunnel_server_end VARCHAR2(64),
    acct_tunnel_connection VARCHAR2(64),
    service_type number(10),
    framed_protocol number(10),
    framed_ip_addr number(10),
    framed_ip_netmask number(10),
    framed_routing number(10),
    filter_id
Table 19-2 AUTH_NET_USERS Table (continued)
Column Value              Corresponding RADIUS Attribute
session_timeout           Session-Timeout
idle_timeout              Idle-Timeout
port_limit                Port-Limit
tunnel_type               Tunnel-Type
tunnel_medium_type        Tunnel-Medium-Type
tunnel_client_end         Tunnel-Client-Endpoint
tunnel_server_end         Tunnel-Server-Endpoint
acct_tunnel_connection    Acct-Tunnel-Connection
service_type              Service-Type
framed_protocol           Framed-Protocol
framed_ip_addr            Framed-IP-Address
framed_ip_netmask         Framed-IP-Netmask
f
20 Simple Network Management Protocol (SNMP) Support Simple Network Management Protocol (SNMP) Support provides a mechanism for a centrally located management workstation to monitor the activity of remote computers and network services.
   for a username and password, you must enter the values specified during installation.
4. From the navigation tree, click Server Properties.
5. On the Server Properties screen that appears, select SNMP Properties.
6. On the SNMP Server Properties screen that appears, select the Yes radio button and click Modify.
7. From the navigation tree, click Save Configuration.
8. From the navigation tree, click Administration.
9. Click Start.
21 VPN Tunneling Tunneling involves access to a server that provides secure intranet or other network functionality through a dial-up or Internet connection from a client workstation. This process can be categorized as one of two types: voluntary or compulsory. Some applications, such as secure access to corporate intranets through the Internet, are characterized by voluntary tunneling, where users create the tunnel through client software at their workstation.
Tunnel-Type =:1:PPTP,
Tunnel-Medium-Type =:1:IPv4,
Tunnel-Client-Endpoint =:1:192.168.127.1,
Tunnel-Server-Endpoint =:1:192.155.111.1,
Tunnel-Password =:1:Michigan,
Tunnel-Private-Group-Id =:1:engineering,
Tunnel-Assignment-Id =:1:management,
Tunnel-Preference =:1:first,
Tunnel-Client-Auth-Id =:1:NET,
Tunnel-Server-Auth-Id =:1:Michigan,
Tunnel-Type =:2:L2TP,
Tunnel-Medium-Type =:2:IPv4,
Tunnel-Client-Endpoint =:2:192.168.127.1,
Tunnel-Server-Endpoint =:2:192.170.130.
22 Using DHCP The HP-UX AAA server can act as a Dynamic Host Configuration Protocol (DHCP) relay to request IP address assignments from a DHCP server. Currently, only DHCPv4 is supported. To use DHCP, you must associate address pools with the AAA server's incoming requests.
4. Select the Free tab on top of the Modify Users screen.
5. Enter the address pool for the user in the Reply Item field, for example: Address-Pool=
6. Click Modify.
To Associate an Address Pool with a User Profile in an LDAP LDIF File
1. From the command line, open the LDIF file the user profile is stored in.
23 Using SecurID IMPORTANT: The SecurID authentication is deprecated in this release and will be obsolete in the next release of the HP-UX AAA Server. The SecurID authentication can be replaced by Open AuTHentication (OATH) standards-based One-Time Password (OTP) authentication. OATH is an industry-wide collaboration to develop open-reference architecture for strong authentication. The OATH standards-based OTP authentication solution supports hardware and software tokens from multiple vendors.
Notes: • When SecurID users are prompted to enter their password, the user must enter a SecurID PASSCODE. • To support the SecurID authentication, a NAS must support RADIUS Access-Challenge messages. Configuring SecurID Authentication To configure the AAA server to work with the RSA ACE/Server, the following steps must be performed. If you are not familiar with the ACE/Server, contact your ACE administrator for assistance. Configuring the AAA Server for RSA SecurID Authentication 1. Copy the sdconf.
Figure 23-1 SecurID Add Client Screen
3. Use SecurID documentation to add user profiles to the SecurID server.
Synchronizing the AAA Server with the ACE/Server After the first successful SecurID authentication, the AAA server saves a file called securid in the AAA server configuration directory (/etc/opt/aaa by default). The securid file contains secret information required for further ACE/Server authentication requests, so restrict its permissions to the account the AAA server runs as. If the AAA server has been reinstalled, or if this file is not present in the AAA server configuration directory, perform the following steps to synchronize the AAA server with the ACE/Server.
Related Documentation For information on the RSA ACE/Server, visit their web site at http://www.rsasecurity.
Part V Customizing the HP-UX AAA Server This part of the HP-UX AAA Server Administrator’s Guide contains the following chapters: • Chapter 24: “Customizing the HP-UX AAA Server Using the Finite State Machine” (page 270) • Chapter 25: “Customizing the HP-UX AAA Server Using Policies” (page 283) • Chapter 26: “Customizing the HP-UX AAA Server Using the SDK” (page 315)
Table of Contents 24 Customizing the HP-UX AAA Server Using the Finite State Machine...........................................270 States ................................................................................................................................270 Using Xstring to call Policy .........................................................................................273 Using Xstring to Call an Alternate authfile ................................................................
Supported Operators...................................................................................................302 Operator Precedence and Association...................................................................302 Type Compatibility......................................................................................................303 Invoking a Policy..............................................................................................................
24 Customizing the HP-UX AAA Server Using the Finite State Machine The main component of the server’s software engine is the Finite State Machine (FSM) and a few associated routines. At server startup, the FSM reads instructions from a state table by loading and parsing a .fsm file. By default, it loads the radius.fsm file, unless it is missing or if you have specified another .fsm file using the radiusd -f command. The .
Figure 24-1 Default FSM State Transitions The actions triggered during this process read information from the server’s configuration, and from stored user profiles, and policy. Based on this information the actions perform the server’s authentication, authorization, and accounting functions. The server can be set up to do a variety of different functions by modifying existing or creating new FSM state tables.
State-name An arbitrary string to represent a state in the FSM. It can be any printable ASCII character except space, new line, carriage return, tab, and colon characters. • Every state except the Start state must be referenced by at least one event handler in any state as its next state. • Every state except the End must have at least one associated event handler. • Every state referenced in an event handler must be defined. A state is defined only once in the FSM.
Xvalue=integer    An A-V pair (integer value) that may be passed to an Action as an argument. Only one integer argument may be specified for each event.
Xstring=string    An A-V pair (string value) that may be passed to an Action as an argument. Only one string argument may be specified for each event.
Using Xstring to call Policy With the POLICY module, you can use the Xstring parameter to specify a URL where policy definitions are stored.
the server to return predefined or custom event names by using the Decision attribute in stored policy. Predefined Event Names Several event names that can be returned by an action are predefined in the server.
Table 24-1 Predefined Event Names
Event Name    Description
ACCT          The incoming request is an Accounting-Request.
ACC_CHAL      An Access-Challenge message must be sent in response to an access challenge.
ACCT_ALIVE    The incoming Accounting-Request is an interim accounting message.
Table 24-1 Predefined Event Names (continued)
Event Name                 Description
ACCT_TUNNEL_LINK_REJECT    The incoming Accounting-Request indicates that the user has been denied access to an established tunnel.
AUTHEN                     The incoming request is an Access-Request.
AUTH_ONLY                  The received Access-Request has a Service-Type of Authenticate-Only.
CONTINUE                   The incoming Access-Request is a continuation of an in-progress EAP conversation.
In general, you can allow the server to handle these events without any modification.
Table 24-1 Predefined Event Names (continued)
Event Name           Description
PW_EXPIRED           This event is returned by the AUTHENTICATE Action if the user profile includes an out-of-date value for the Expiration configuration attribute.
RETRIEVE_ERROR       This event is returned by iaaaUsers, ORACLE, PROLDAP, or another data store action if the action could not locate the user’s profile in the configured data store.
RETRIEVEOTP_INFO     Retrieves token information from the repository.
Table 24-2 Available Actions
Actions             Description
ACCT                Writes Livingston call detail records.
ACCT_SWITCH         Directs the FSM to the next state based on the reason code of the Accounting-Request.
ACK                 Signifies success.
iaaaAuthenticate    Parses and verifies the password received in the request against the password in the stored user profile.
Table 24-2 Available Actions (continued)
Actions          Description
iaaaRealm        Attempts to locate where a user profile is stored for the realm extracted from a user request.
REALM            Handles realm-based authentication.
REDO             Repeats an action.
REPLY            Sends a RADIUS reply (access or accounting) to a client.
ReplyDispatch    Translates the Interlink-Reply-Status attribute to an FSM event.
ReplyPrep        Prepares to generate reply messages prior to reply-egress policy.
Table 24-3 Predefined FSM Tables (continued)
Filename                                          Function
/opt/aaa/examples/config/sqlacess-acct.fsm        Sample FSM file required to implement accounting without session management using SQL access
/opt/aaa/examples/config/sqlaccess-acct-sess.fsm  Sample FSM file required to implement accounting with session management using SQL access
To use any of the above predefined state tables for the HP-UX AAA server, copy the required .fsm file to /etc/opt/aaa/radius.fsm and start the AAA server. NOTE: aaa/.
1 START:
2     *.+AUTHEN.ACK          PREPROC      Preauth
3     *.+AUTHENTICATE.ACK    PREPROC      Preauth
4 Preauth:
5     *.PREPROC.ACK          iaaaUsers    UsersCheck
6     *.PREPROC.NAK          REPLY        Hold
7 . . .
Lines 1-3    *.+AUTHEN.ACK or +AUTHENTICATE.ACK indicates that the received message is an Access-Request. PREPROC indicates the action, which calls the custom PREPROC software module. PREPROC is programmed to parse User-Name, strip out the extraneous information, and assign the result to the User-Id attribute.
Line 4
Line 5
Line 6
defined in your plug-in. The ACCTLog state in the following example uses a logging format generated by MYLOG for an ordinary session and another format generated by TUNNELLOG for tunnel sessions.
ACCTlog:
    *.*.ACCT_START
    *.*.ACCT_STOP
    *.*.ACCT_ALIVE
    *.*.ACCT_MSTART
    *.*.ACCT_MSTOP
    *.*.ACCT_CANCEL
    *.*.ACCT_ON
    *.*.ACCT_OFF
    *.*.ACCT_TUNNEL_START
    *.*.ACCT_TUNNEL_STOP
    *.*.ACCT_TUNNEL_REJECT
    *.*.ACCT_TUNNEL_LINK_START
    *.*.ACCT_TUNNEL_LINK_STOP
    *.*.
Lines 9 to 15 Handle the accounting response from the remote server and close the request. NOTE: This example appears in the AAA Server-provided template file, proxyacct.fsm.
25 Customizing the HP-UX AAA Server Using Policies This chapter explains how you can use policies to customize the HP-UX AAA Server. This chapter also discusses some sample policy implementations.
Notes: • Customers can also write their own policy decision files and invoke them from the FSM or the user profiles. • This chapter discusses only the new (and easier to use) format for creating decision files. The old format contains policy group entries that are still supported. However, the old format is not documented in this chapter. For information about the old syntax, see Appendix E (page 445). • You cannot create a single decision file using syntax from both formats.
Example 25-1 An example of a policy file that restricts Session-Timeout to one hour for guests, removes unwanted attributes, and provides administrative privileges to administrators
# Guests have a session-timeout of one hour. Normal users
# have 5 hours.
if (substr (User-Name after "@") = "guest.example.com") {
    insert Session-Timeout = 3600
} else {
    insert Session-Timeout = 18000
}
if( NAS-IP-Address = "192.168.0.1") {
    # Delete Filter-Id for NASes that do not support it.
The delete Command Syntax delete Parameters The parameter is an attribute specification. For more information on specifying attributes, see “Attribute Specifications” (page 293). Operation The delete command deletes the specified attribute instance(s) from the request. If , refers to an instance that is not present, no instance is deleted. Examples Table 25-1 discusses some examples that illustrate the use of the delete command.
Table 25-1 Examples Illustrating the Use of the delete Command (continued)
Attributes in the Request                        Command                        Result
NAS-Port = 2, Reply-Message = "Hello, world!"    delete NAS-IP-Address[0]       NAS-Port = 2, Reply-Message = "Hello, world!"
NAS-Port = 2, Reply-Message = "Hello, world!"    delete NAS-IP-Address[last]    NAS-Port = 2, Reply-Message = "Hello, world!"
The insert Command
Syntax
insert =
Parameters
• : The parameter is an attribute specification.
Table 25-2 Behavior of the insert Command in Various Scenarios
If                                                                                        Then
The parameter refers to an instance that is not present                                   the attribute is inserted at the end of the list
The parameter refers to a tagged attribute (tag-int or tag-str) and is not a tagged value   the tag for the inserted attribute is set to 0
The parameter refers to an attribute that is not tagged and is a tagged value             the tag is ignored
Examples Table 25-3 discusses some e
For information on attribute functions (such as the count attribute function), see “Attribute Functions” (page 295). The modify Command Syntax modify = Parameters • • : The is an attribute specification. For more information on specifying attributes, see “Attribute Specifications” (page 293). : The is a value expression. It can be a value specification, an attribute specification, or an attribute function.
Table 25-4 Examples Illustrating the Use of the modify Command (continued)
Attributes in the Request                                     Command                                   Result
Reply-Message = "hello", Tunnel-Password = :17:"abc"          modify Reply-Message = Tunnel-Password    Reply-Message = "abc", Tunnel-Password = :17:"abc"
Reply-Message = "hello", Tunnel-Password = :17:"abc"          modify Tunnel-Password = Reply-Message    Reply-Message = "hello", Tunnel-Password = :17:"hello"
NAS-Port = 7, Reply-Message = "abc", Reply-Message = "def"    modify NAS-Port = count(                  NAS-Port = 2, Reply-
Parameters • : The parameter must be a quoted string and a log-level type. Following are the valid log levels: — ERROR — CRITICAL — ALERT — WARNING — INFO NOTE: The parameter is case-insensitive. For example, ERROR is considered identical with Error. • : The parameter must be a quoted string. You can use multiple instances of and cause all named instances to be reported in the log file.
Parameters • • : The parameter is a Boolean expression. and : The and are sequences of action commands that can include additional if commands, nested to an arbitrary depth. When the else clause is omitted, can be considered as an empty sequence of action commands. Operation The if command first evaluates the boolean expression .
Example 25-2 Examples Illustrating the Use of the if Command
Example 1
The following if statement:
    if ( Session-Limit[1] < 30 ) {
        modify Session-Limit[1] = 30
    } else {
        if ( Session-Limit[1] > 240 ) {
            modify Session-Limit[1] = 240
        }
    }
With the following input:
    Session-Limit[0] = 10
    Session-Limit[1] = 300
Results in:
    Session-Limit[0] = 10
    Session-Limit[1] = 240
Example 2
The following if statement:
    if ( (NAS-IP-Address = "192.168.1.2") && ((NAS-Identifier = .jack.
• “Numeric Instance Specification.” • “Keyword Instance Specification” (page 295) The following sections describe these keywords in detail. Attribute Names Attribute names defined in the server's dictionary file can be used. Attribute names are case-insensitive. For example, Reply-Message is considered identical with REPLY-MESSAGE. For more information on attribute names, see “The dictionary File ” (page 385).
Keyword Instance Specification When a specific instance is required, it can be specified using one of the following keywords, or by using the asterisk (*) symbol: • The begin keyword: If you want to specify an attribute instance located at the beginning of the list, use the begin keyword. This keyword is supported only by the insert command, on the left side of the = operator.
The count Attribute Function Syntax count () Parameters The parameter is an attribute specification. For more information on specifying attributes, see “Attribute Specifications” (page 293). Numeric instances, last and * can be used as arguments for the count attribute function. If no attributes are specified, last is taken as the default. However, you cannot use attribute functions as arguments to the count function.
The offset Keyword Syntax substr ( offset ) substr ( offset length ) Parameters Following are the parameters for the offset keyword: • : The parameter is an attribute specification. For more information on specifying attributes, see “Attribute Specifications” (page 293). • : Specifies the offset from the beginning of the string to the first character of the desired substring. It must be a non-negative integer constant.
Example 25-3 Examples Illustrating the Use of the offset Keyword
If Reply-Message = "a string of characters", then:
Example 1
    substr ( Reply-Message offset 0 length 8 )
returns the following string:
    a string
Example 2
    substr ( Reply-Message offset 16 length 82 )
returns the following string:
    acters
Example 3
    substr ( Reply-Message offset 12 )
returns the following string:
    characters
Example 4
    substr ( Reply-Message offset 32 )
returns an empty string.
If is specified, the substring starts from the beginning of the string up to but not including the last occurrence of . NOTE: If or is not found, the entire string is returned.
If is not found, the empty string is returned.
Example 25-5 Examples Illustrating the Use of the after Keyword
If Reply-Message = "a string of characters", then:
Example 1
    substr ( Reply-Message after " of" )
returns the following string:
    " characters"
Example 2
    substr ( Reply-Message after last " " )
returns the following string:
    characters
Example 3
    substr ( Reply-Message after "not-there" )
returns an empty string.
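The three substr forms documented above (offset with optional length, before, and after, each of the latter two with an optional last) differ in one detail that matters when a policy keys on the result: before returns the whole string when its search text is absent, while after returns the empty string. The block below is an added example, not the server's policy engine: it applies those rules to plain Python strings and is checked against the examples given on this page. The function names are mine.

```python
"""Added example, not HP-UX AAA Server code: the substr forms described
above, applied to plain Python strings."""


def substr_offset(s: str, offset: int, length: int = None) -> str:
    """substr ( attr offset N [length M] ): an offset past the end gives
    the empty string; a length past the end is clipped, as Example 2 shows."""
    if offset < 0 or (length is not None and length < 0):
        raise ValueError("offset and length must be non-negative")
    return s[offset:] if length is None else s[offset:offset + length]


def substr_before(s: str, sep: str, last: bool = False) -> str:
    """substr ( attr before [last] SEP ): text up to, but not including,
    the first (or last) occurrence of SEP; the whole string when SEP is
    absent, which is the documented behaviour for 'before'."""
    i = s.rfind(sep) if last else s.find(sep)
    return s if i < 0 else s[:i]


def substr_after(s: str, sep: str, last: bool = False) -> str:
    """substr ( attr after [last] SEP ): text following the first (or last)
    occurrence of SEP; the empty string when SEP is absent, which is the
    documented behaviour for 'after'."""
    i = s.rfind(sep) if last else s.find(sep)
    return "" if i < 0 else s[i + len(sep):]


def is_guest(user_name: str) -> bool:
    """The realm test from Example 25-1: the text after the first '@' must
    equal the guest realm exactly. A name with no '@' yields the empty
    string and so is not treated as a guest."""
    return substr_after(user_name, "@") == "guest.example.com"
```

Note the asymmetry when writing conditions: `substr(User-Name before "@") = User-Name` is true for a name without a realm, whereas `substr(User-Name after "@")` compares as the empty string in the same case.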
Parameters • : The parameter is an attribute specification. For more information on specifying attributes, see “Attribute Specifications” (page 293). Operation Returns the string value converted to uppercase with same type as the source. If refers to an instance that is not present, then a no-such-instance run-time error is generated.
Supported Operators Table 25-5 lists the operators you can use to create an expression with various combinations of A-V pairs.
Example 25-6 Examples Illustrating Precedence Rules
Example 1
The boolean expression:
    Reply-Message = "hello" && NAS-Port > 7 || Reply-Message = "goodbye" || Reply-Message = "nothing"
is fully parenthesized as:
    ( ( (Reply-Message = "hello") && (NAS-Port > 7) ) || (Reply-Message = "goodbye") ) || (Reply-Message = "nothing")
and is evaluated as:
    if ( Reply-Message = "hello" )
        if ( NAS-Port > 7 )
            return true
    if ( Reply-Message = "goodbye" )
        return true
    if ( Reply-Message = "nothing" )
        return true
    return false
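The parenthesization above follows from two rules: comparison binds tighter than &&, which binds tighter than ||, and both boolean operators associate to the left. The block below is an added example, not the server's policy parser: a small recursive-descent parser that builds a tree under those rules and evaluates it against a request, short-circuiting in the order the trace above shows. The operator set (=, !=, <, >, <=, >=, &&, ||, parentheses), the reading of an unindexed attribute as its first instance, and the raising of a no-such-instance error for a missing attribute are assumptions; the request contents are constructed.

```python
"""Added example, not HP-UX AAA Server code: parse and evaluate policy
boolean expressions with the precedence described above."""
import operator
import re

CMP_OPS = {"=": operator.eq, "!=": operator.ne, "<": operator.lt,
           ">": operator.gt, "<=": operator.le, ">=": operator.ge}

# Tokens: operators, "quoted strings", integers, attribute names with an
# optional [n] instance index (e.g. Session-Limit[1]).
TOKEN_RE = re.compile(
    r'\s*(?:(\|\||&&|<=|>=|!=|[=<>()])|"([^"]*)"|(\d+)|([A-Za-z][\w-]*(?:\[\d+\])?))')


def tokenize(text):
    text, pos, tokens = text.strip(), 0, []
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if not m:
            raise SyntaxError("bad token at %d: %r" % (pos, text[pos:]))
        pos = m.end()
        op, s, n, attr = m.groups()
        if op:
            tokens.append(("op", op))
        elif s is not None:
            tokens.append(("str", s))
        elif n is not None:
            tokens.append(("int", int(n)))
        else:
            tokens.append(("attr", attr))
    return tokens


def parse(text):
    """Return a tree of ('or', l, r) / ('and', l, r) / ('cmp', op, l, r)
    nodes over ('str', v), ('int', v) and ('attr', name) leaves.
    Grammar: or := and ('||' and)*; and := cmp ('&&' cmp)*;
    cmp := '(' or ')' | operand CMPOP operand."""
    toks, pos = tokenize(text), [0]

    def peek():
        return toks[pos[0]] if pos[0] < len(toks) else (None, None)

    def take():
        tok = toks[pos[0]]
        pos[0] += 1
        return tok

    def expect(op):
        if peek() != ("op", op):
            raise SyntaxError("expected %r, got %r" % (op, peek()))
        take()

    def operand():
        kind, val = take()
        if kind not in ("str", "int", "attr"):
            raise SyntaxError("operand expected, got %r" % (val,))
        return (kind, val)

    def cmp_expr():
        if peek() == ("op", "("):
            take()
            node = or_expr()
            expect(")")
            return node
        left = operand()
        kind, op = peek()
        if kind == "op" and op in CMP_OPS:
            take()
            return ("cmp", op, left, operand())
        raise SyntaxError("comparison operator expected after %r" % (left,))

    def and_expr():
        node = cmp_expr()
        while peek() == ("op", "&&"):  # left-associative
            take()
            node = ("and", node, cmp_expr())
        return node

    def or_expr():
        node = and_expr()
        while peek() == ("op", "||"):  # left-associative, lower precedence
            take()
            node = ("or", node, and_expr())
        return node

    tree = or_expr()
    if pos[0] != len(toks):
        raise SyntaxError("unexpected %r" % (toks[pos[0]],))
    return tree


def value(leaf, request):
    """Resolve a leaf; request maps attribute name -> list of instances."""
    kind, val = leaf
    if kind != "attr":
        return val
    name, _, idx = val.partition("[")
    n = int(idx.rstrip("]")) if idx else 0  # assumed: unindexed = first instance
    instances = request.get(name, [])
    if n >= len(instances):
        raise LookupError("no such instance: %s" % val)
    return instances[n]


def evaluate(node, request):
    """Short-circuit evaluation in the order the printed trace follows."""
    if node[0] == "or":
        return evaluate(node[1], request) or evaluate(node[2], request)
    if node[0] == "and":
        return evaluate(node[1], request) and evaluate(node[2], request)
    _, op, left, right = node
    lv, rv = value(left, request), value(right, request)
    if type(lv) is not type(rv):  # integer vs string is a type mismatch
        raise TypeError("type mismatch: %r vs %r" % (lv, rv))
    return CMP_OPS[op](lv, rv)
```

Short-circuiting matters beyond speed: in the example expression a request whose Reply-Message is "goodbye" never consults NAS-Port, so its absence does not raise, exactly as the trace above implies.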
Table 25-6 Compatible Attribute Types
Value Type          Compatible Attribute Types
Integer-value       integer, tag-int, short, octet
String-value        string, tag-str, octets
Date-value          date
IP-address-value    ipaddr, ipv6addr, ifid, ipv6prefix
You must not mix attributes from different value-type groups, because this causes a type mismatch load-time error. Invoking a Policy You can invoke policy using one of the following methods: • “Invoking Policies Through Predefined Policy Hooks.
the first step in the FSM, before the request is dispatched for processing. The request ingress policy can be used to alter the request in one of the following ways:
• A-V pairs may be added, changed, or removed.
• The request classification may be altered.
• The request may be rejected immediately.
• The request may be dropped entirely and no reply is sent.
Figure 25-1 (page 305) illustrates the flow of the request ingress policy.

Figure 25-2 Flow of the User Policy

Invoking Policy from User Profiles
In the user profile (can be local users file, LDAP, or SQLAccess), add a Policy-Pointer as a check or reply item with the full pathname of the decision file containing the group authorization policies. Enclose the pointer in single or double quotes. The Policy-Pointer string cannot be more than 63 characters in length.

Figure 25-3 Flow of the Reply Egress Policy

Proxy Egress Policy
Proxy egress policy can be defined in the proxy-egress.grp decision file in the server's configuration directory. The proxy egress policy is applied before the RADIUS proxy request message is created and sent. The proxy egress policy can be used to alter the request in one of the following ways:
• A-V pairs may be added, modified, or removed.
• The request may be rejected immediately.
• The request may be dropped entirely and no reply is sent.

Figure 25-4 Flow of the Proxy Egress Policy

Proxy Ingress Policy
Proxy ingress policy can be defined in the proxy-ingress.grp decision file in the server's configuration directory. The proxy ingress policy is applied after the proxy response is received. The proxy ingress policy can be used to alter the request in one of the following ways:
• A-V pairs may be added, modified, or removed.
• The reply type may be altered.
• The request may be rejected immediately.

Figure 25-5 Flow of the Proxy Ingress Policy

Useful Attributes for Policy Conditions
Table 25-7 lists and describes attributes that are typically used for policy group conditions or replies.

Table 25-7 Attributes Typically Used in Policy Group Conditions and Replies
Attribute                Description
Interlink-Packet-Code    This attribute contains the code from the RADIUS packet header. It can have an Access-Request or an Accounting-Request value.
Table 25-7 Attributes Typically Used in Policy Group Conditions and Replies (continued)
Attribute                Description
Interlink-Request-Type   This attribute contains information about whether this is a normal request or a continuation of an in-progress EAP conversation. It can have a REQUEST or CONTINUATION value.
Interlink-Reply-Status   This attribute contains the reply status.
When a policy is evaluated, it can return an event to the FSM to direct the subsequent processing of a request. The policy can return events to the FSM in the following ways:
• Exit Command: Using the Exit command terminates the evaluation of the policy. The specified event is returned to the FSM.
• Default Event: If evaluation of a decision file reaches the end without encountering an Exit command, the default event is returned to the FSM. The default event is ACK.
1. Replace the radius.fsm file in the server's configuration directory with /opt/aaa/examples/config/DAC.fsm. For example, if the server's configuration directory is /etc/opt/aaa/radius.fsm, then enter the following command:

    # cp /opt/aaa/examples/config/DAC.fsm /etc/opt/aaa/radius.fsm

NOTE: Take a backup of /etc/opt/aaa/radius.fsm before replacing it.

IMPORTANT: If you are using a different decision file than the supplied DAC.
DNIS Routing
In a typical DNIS routing scheme, requests are handled according to the Calling-Station-Id and Called-Station-Id attributes. The POLICY action matches the Calling-Station-Id and Called-Station-Id attribute values in the Access-Request to the conditions defined in the DNIS decision file, and returns the matching policy group reply items and the FSM events Forward and Abandon. The required events and states are defined in the DNIS.fsm file delivered with the server.
1. Edit the DNIS.grp decision file to reflect your station-based access policies. For example, to change the Calling-Station and Called-Station numbers in the Controlled Access condition, edit the DNIS.grp file as follows:

    # Controlled Access
    if ( (Calling-Station-Id = "7341234567") || (Called-Station-Id = "7341236543") ) {
        exit "Forward"
    }

You can enter additional attributes to these access groups if your policies require that other conditions must be met.
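The evaluator below is an added example, not code from the HP-UX AAA Server guide or the server's own POLICY action. It ties together three passages of this chapter: the precedence rules of Example 25-6 (&& binds tighter than ||, both evaluated left to right with short-circuiting), the Exit command and the default ACK event, and the DNIS.grp Controlled Access block above. Assumptions of mine: a decision file is a sequence of "if ( condition ) { exit "Event" }" blocks with # comments; a comparison against an attribute that the request does not carry is simply false; integers are the only non-string literals; and the second "Abandon" rule in the sample file is constructed, not from the guide.

```python
# Added example: a small evaluator for decision-file conditions and exit events
# as described in this chapter. Not the HP-UX AAA Server implementation.
import re

TOKEN_RE = re.compile(
    r'\s+|#[^\n]*'                        # whitespace and "# ..." comments are dropped
    r'|(?P<str>"[^"]*")'                  # "quoted string"
    r'|(?P<num>\d+)'                      # integer literal
    r'|(?P<op>&&|\|\||!=|=|>|<|[(){}])'   # operators and brackets
    r'|(?P<name>[A-Za-z_][\w-]*)'         # attribute names and keywords (if, exit)
)


def tokenize(text):
    tokens, pos = [], 0
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if not m:
            raise SyntaxError(f"unexpected character {text[pos]!r} at offset {pos}")
        pos = m.end()
        if m.lastgroup:                   # None for whitespace and comments
            tokens.append((m.lastgroup, m.group()))
    return tokens


class Parser:
    """Recursive descent: || binds loosest, && tighter, comparisons tightest."""

    def __init__(self, text):
        self.toks, self.i = tokenize(text), 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)

    def take(self, expected=None):
        kind, text = self.peek()
        if kind is None or (expected is not None and text != expected):
            raise SyntaxError(f"expected {expected!r}, got {text!r}")
        self.i += 1
        return kind, text

    def condition(self):                  # condition := and_expr ('||' and_expr)*
        node = self.and_expr()
        while self.peek()[1] == "||":
            self.take()
            node = ("or", node, self.and_expr())
        return node

    def and_expr(self):                   # and_expr := primary ('&&' primary)*
        node = self.primary()
        while self.peek()[1] == "&&":
            self.take()
            node = ("and", node, self.primary())
        return node

    def primary(self):                    # primary := '(' condition ')' | Attr op literal
        if self.peek()[1] == "(":
            self.take("(")
            node = self.condition()
            self.take(")")
            return node
        _, attr = self.take()
        _, op = self.take()
        kind, lit = self.take()
        return ("cmp", attr, op, int(lit) if kind == "num" else lit.strip('"'))

    def decision_file(self):              # file := ( if ( condition ) { exit "Event" } )*
        rules = []
        while self.peek()[0] is not None:
            self.take("if"); self.take("(")
            cond = self.condition()
            self.take(")"); self.take("{"); self.take("exit")
            _, event = self.take()
            self.take("}")
            rules.append((cond, event.strip('"')))
        return rules


def evaluate(node, request):
    """Short-circuit evaluation of a parsed condition against a request (dict of A-V pairs)."""
    if node[0] == "or":
        return evaluate(node[1], request) or evaluate(node[2], request)
    if node[0] == "and":
        return evaluate(node[1], request) and evaluate(node[2], request)
    _, attr, op, literal = node
    if attr not in request:               # assumption: an absent attribute never matches
        return False
    actual = request[attr]                # mixing int and str here raises TypeError,
    if op == "=":                         # mirroring the guide's type-mismatch error
        return actual == literal
    if op == "!=":
        return actual != literal
    return actual > literal if op == ">" else actual < literal


def check_condition(expr, request):
    return evaluate(Parser(expr).condition(), request)


def run_policy(decision_text, request, default_event="ACK"):
    """First matching rule's exit event; the default event (ACK) if none matches."""
    for cond, event in Parser(decision_text).decision_file():
        if evaluate(cond, request):
            return event
    return default_event


PRECEDENCE_EXPR = ('Reply-Message = "hello" && NAS-Port > 7 '
                   '|| Reply-Message = "goodbye" || Reply-Message = "nothing"')

DNIS_GRP = '''
# Controlled Access (the block from the guide)
if ( (Calling-Station-Id = "7341234567") || (Called-Station-Id = "7341236543") ) {
    exit "Forward"
}
# Constructed second rule, not from the guide
if ( Calling-Station-Id = "7340000000" ) {
    exit "Abandon"
}
'''
```

With the "nothing" request below, the wrong grouping (hello && (port || goodbye || nothing)) would yield false, so that assertion is what distinguishes the documented precedence from the alternative.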
26 Customizing the HP-UX AAA Server Using the SDK This chapter describes how to use the Software Developer's Kit (SDK) to customize the HP-UX AAA Server. This chapter addresses the following topics: • “SDK Overview.
Example 26-1 Example of a Pre-Paid Billing Application Using a Plug-in Created Using the HP-UX AAA Server SDK In this example, a service provider wants to implement a service where blocks of connect time are purchased in advance. In addition to being authenticated, each user must be authorized based on his or her account balance. Only those users with a positive balance are granted network access and their session is limited to the time equivalent of their balance at the time they are authenticated.
Migrating Plug-ins Created Using Previous Versions of the SDK
Plug-ins created using previous versions of the SDK must be ported to use the new SDK and recompiled before using them with HP-UX AAA Server A.07.01. For information on recompiling your plug-in, see “Compiling and Loading a Plug-in” (page 321).

Prerequisites for Using the SDK
HP recommends installing the HP aC++ Compiler (# B3913DB) to compile plug-ins created using the HP-UX AAA Server SDK.
AATV Components
An AATV is implemented as a shared library that contains specific functions. These functions are called from the HP-UX AAA Server. An AATV can contain the following functions:
• “The init Function.”
• “The action Function.”
• “The timer or callback Function” (page 319)
• “The cleanup Function” (page 319)
NOTE: These functions are optional. However, you must implement at least one of these functions.
IMPORTANT: All common event codes and corresponding event names are defined in the sdk.h header file. You can also define new event codes, for example, in scenarios where the AATV action produces multiple results that need to be handled by an AATV separately. However, do not use the sdk.h file to define new event codes. Instead, use the FSM file radius.fsm to define new event codes.
The ACE AATV
The ACE AATV is a sample challenge-response authentication AATV. At a high level, this plug-in performs the following functions:
1. Checks that the User-Id A-V pair is present in the request. If it is not present, an error is returned.
2. If the User-Id A-V pair is present, then it checks whether the State A-V pair is present. If the State A-V pair is present, it proceeds to step 3. If it is not present, it creates a State A-V pair with the User-Id value and appends a string .
3. Add the aatv_load function to register the AATV to the HP-UX AAA Server. The aatv_load function, shown below, initializes the global aatv_info_v2_t structure that contains the function pointers to the init(), action(), timer(), and cleanup() functions.

    int aatv_load (aatv_info_v2_t **aatv_list, int *aatv_count)

where:
    aatv_list        is a list of all the AATVs that are loaded.
    aatv_count       is the number of AATVs that are loaded.
    aatv_info_v2_t
4.
6. To ensure that the AATV is loaded correctly, check the logfile for an entry similar to the following:

    read_dyn_cfg: Loaded shared object: ,

Testing and Debugging a Plug-in
You must test the software module before you start using it in a production environment. You can use several different methods to debug any modules that you create. This section discusses testing the software module using the GNU Project Debugger (gdb).
7. Attach the radius pid, as follows:

    # gdb> attach

An output similar to the following displays:

    Reading symbols from /opt/aaa/aatv/proldap.so...done.
    Reading symbols from /opt/aaa/aatv/securidAatv.so...done.
    Reading symbols from /opt/aaa/aatv/snmpAgent.so...done.
    Reading symbols from /opt/aaa/aatv/tacplus.so...done.
    Reading symbols from /opt/aaa/aatv/tunneling.so...done.
    Reading symbols from /opt/aaa/aatv/vlogit.so...done.
    Reading symbols from /opt/aaa/aatv/samplesc.so...
8.
Part VI Troubleshooting
This part of the HP-UX AAA Server A.07.01 Administrator’s Guide is organized as follows:
• Chapter 27: “Troubleshooting Overview” (page 327): Describes the AAA environment and an overview of HP-UX AAA Server troubleshooting.
• Chapter 28: “Troubleshooting Procedures” (page 332): Provides a troubleshooting flowchart followed by specific troubleshooting tables that enable you to identify the problem, and take the necessary corrective actions.
Table of Contents 27 Troubleshooting Overview.....................................................................................................327 AAA Environment Components......................................................................................327 HP-UX AAA Server Operation.........................................................................................328 Probable Causes for Failure..............................................................................................
30 Reporting Problems...............................................................................................................368 Server Set Up Information................................................................................................368 Server Manager Related Information...............................................................................369 External Components.......................................................................................................
27 Troubleshooting Overview This chapter of the HP-UX AAA Server Administrator's Guide provides an overview of HP-UX AAA Server troubleshooting with respect to the AAA environment.
Figure 27-1 AAA Environment Components

HP-UX AAA Server Operation
Figure 27-2 depicts the HP-UX AAA Server operation from the troubleshooting perspective.

Figure 27-2 HP-UX AAA Server Operation

The HP-UX AAA Server operation consists of the following steps:
1. The user or device that requires authentication communicates with the RADIUS client and provides authentication credentials such as user name and password. At this stage, incorrect supplicant configuration or invalid credentials can lead to authentication failures or an unresponsive HP-UX AAA Server.
NOTE: Troubleshooting the supplicant is outside the scope of this chapter.
   a. The HP-UX AAA Server can contact an external service such as a database or LDAP directory server to retrieve user information and perform authentication.
   b. The HP-UX AAA Server can forward the request to a proxy HP-UX AAA Server for authentication.
   c. The HP-UX AAA Server can contact a DHCP server for IP address management.
information can be used to identify the external service accessed to process the RADIUS request. Some external service failures do not result in the HP-UX AAA Server recording a message in the server logfile. For example, if the HP-UX AAA Server times out on waiting on a busy database server, it does not record an error in the logfile. No reply is sent to the RADIUS client. Protocol Limitations The HP-UX AAA Server communicates with the RADIUS client using the RADIUS protocol.
28 Troubleshooting Procedures This chapter describes how to troubleshoot problems that you encounter while using the HP-UX AAA Server in the AAA environment. This chapter includes a diagnostic flowchart and troubleshooting tables that enable you to identify the problem and perform the appropriate corrective actions.
Figure 28-1 Troubleshooting Flowchart
Troubleshooting Flowchart Process
This section describes the troubleshooting process that you can follow to troubleshoot and identify problems with the HP-UX AAA Server. Each step listed below maps to the problem that is depicted in Figure 28-1.
1. Can launch Server Manager and view all applets and icons?
   Launch the Server Manager administration and verify if all the applets and icons can be viewed.
3. HP-UX AAA Server responds to request?
   Check to see if the HP-UX AAA Server responds to access-requests from clients/supplicants.
   Problem: Is the server not responding to requests?
   Resolution: See “Troubleshooting an Unresponsive HP-UX AAA Server” (page 343).
   If you are able to resolve the problem using the suggestions listed in this section, but are facing other problems, proceed to step 4. If you are not facing any other problems, end the troubleshooting process.
Common Problems With the Server Manager
Table 28-1 lists the common problems that you can encounter while using the Server Manager administration utility. Compare the problem you observe with those listed in this table and perform the corresponding corrective actions.

Table 28-1 Common Problems with the Server Manager
Problem: Cannot launch the Server Manager
Cause: Server Manager cannot be launched for the following reasons:
• An unsupported browser is used.
• Incorrect URL or port number specified.

Troubleshooting Server Manager Launch Problems
This section describes how to troubleshoot problems when you cannot launch the Server Manager administration utility. If you are unable to launch the Server Manager, complete the following steps:
1. Verify that you are using a supported browser. For a list of supported browsers, see HP-UX AAA Server A.07.01 Release Notes at www.docs.hp.com in the Internet and Security Solutions section.
2. Verify the port number specified in the URL.

Troubleshooting Remote Management Problems
This section describes how to troubleshoot remote management problems. If you are unable to use the Server Manager to administer an HP-UX AAA Server, complete the following steps:
1. Verify that the version number of the HP-UX AAA Server is the same as that of the Server Manager administration utility.
2.
Troubleshooting the HP-UX AAA Server This section describes how to troubleshoot problems with HP-UX AAA Server startup and operation.
Table 28-2 Common Problems with HP-UX AAA Server Startup (continued)
Problem: Incorrect permissions
Log Message:
    radiusd: Error '13' (Permission denied). Cannot launch radiusd daemon. User cannot open /var/opt/aaa/run/radiusd.pid. Verify read/write permissions for user on the file.
Cause: The radius.pid file does not have read-write permissions for the user who is trying to start the radiusd daemon.

Table 28-2 Common Problems with HP-UX AAA Server Startup (continued)
Problem: Unable to load AATVs
Log Message:
    open_library: Cannot open shared object '': ''.

Table 28-2 Common Problems with HP-UX AAA Server Startup (continued)
Problem: FSM-related problems
Log Message:
    doconfig: init_fsm() failed
    rad_fsminit: invalid action name: 'invalid' line
Cause: The FSM file /etc/opt/aaa/radius.fsm contains an invalid action specified at line .
Solution: Edit the /etc/opt/aaa/radius.fsm to specify a valid action name at line . See “Actions” (page 276) for more information on specifying actions.
1. Check if the radiusd daemon is already running by entering the following command:

    # ps -ef | grep radiusd

If radiusd is running, the radiusd process must be displayed. If the radiusd daemon is already running, you can stop and start the HP-UX AAA Server from the Server Manager Administration utility or the command line. For more information, see “Starting AAA Servers Using Server Manager” (page 64) or “Starting AAA Servers From the Command Line” (page 67).
3. If the HP-UX AAA Server received the request and remained unresponsive, but did not log an error in the logfile, see “Troubleshooting External Services” (page 346).
If the HP-UX AAA Server did not receive the request, perform the following steps:
1. Verify that the DNS server is available by entering the nslookup command. For more information on the nslookup command, see nslookup(1M).
2.
Table 28-3 Common Configuration Problems (continued)
Problem: Request dropped
Log Message:
    get_radrequest: Request dropped. Unknown RADIUS packet 'invalid(66)' received from client 'example.com:50390
Or
    get_radrequest: ill formed packet from [55421] code = 1, vers = 1, len(hdr) = 1000, len(rcvd) = 56
Or
    get_radrequest: NO a/v pairs from [55697] - access (type 1), len = 20
Or
    Request from 'example.com: port' dropped.

Table 28-3 Common Configuration Problems (continued)
Problem: Request dropped
Log Message:
    The specified attribute instance 'RADIUS:State[10]' could not be found.
Cause: This error can occur if one of the policy files is using an attribute instance that is not present in the incoming request.
Resolution: If you are unsure whether the attribute used in the policy file will be present in all the incoming requests, verify that it is present in the request before actually using it.
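A server that drops requests writes the get_radrequest messages shown above but sends no reply, so the quickest way to see which client is misconfigured (or which unexpected peer is sending traffic) is to aggregate those lines per source host. The script below is an added example, not part of the guide or the server: it classifies constructed logfile lines patterned on the four "Request dropped" messages and counts drops per host and reason. Where the guide's text omits the host (for example "from [55421]"), the constructed lines insert TEST-NET-2 addresses; the field layout of real logfile lines may differ, so the regular expressions are assumptions to be checked against your own logfile.

```python
# Added example: per-host summary of dropped RADIUS requests from logfile lines.
# Not HP-UX AAA Server code; the sample lines are constructed.
import re
from collections import Counter, defaultdict

# Constructed sample logfile, patterned on the get_radrequest messages quoted in
# Table 28-3. Hosts (192.0.2.x) and ports are invented for the example.
SAMPLE_LOG = """\
get_radrequest: Request dropped. Unknown RADIUS packet 'invalid(66)' received from client '192.0.2.10:50390'
get_radrequest: ill formed packet from 192.0.2.10 [55421] code = 1, vers = 1, len(hdr) = 1000, len(rcvd) = 56
get_radrequest: NO a/v pairs from 192.0.2.10 [55697] - access (type 1), len = 20
Request from '192.0.2.77:1812' dropped.
get_radrequest: ill formed packet from 192.0.2.10 [55422] code = 1, vers = 1, len(hdr) = 4096, len(rcvd) = 56
Authentication failed. Unsuccessful password comparison for user 'alice' in realm 'example.com'. Verify password in request and user profile.
"""

# (reason, pattern); each pattern captures the source host. Order matters: the
# first match wins, so the specific get_radrequest forms come before the generic one.
PATTERNS = [
    ("unknown-packet",
     re.compile(r"Unknown RADIUS packet '[^']*' received from client '(?P<host>[^':]+):\d+'")),
    ("malformed",
     re.compile(r"ill formed packet from (?P<host>\S+) \[\d+\] code = \d+, vers = \d+, "
                r"len\(hdr\) = (?P<hdr>\d+), len\(rcvd\) = (?P<rcvd>\d+)")),
    ("no-av-pairs",
     re.compile(r"NO a/v pairs from (?P<host>\S+) \[\d+\]")),
    ("unknown-client",            # the "Request from '...' dropped." form: client not in the clients file
     re.compile(r"^Request from '(?P<host>[^':]+):[^']*' dropped\.")),
]


def classify(line):
    """(reason, host, captured fields) for a dropped-request line, else None."""
    for reason, pattern in PATTERNS:
        m = pattern.search(line)
        if m:
            return reason, m.group("host"), m.groupdict()
    return None


def summarize_drops(log_text):
    """host -> Counter of drop reasons."""
    by_host = defaultdict(Counter)
    for line in log_text.splitlines():
        hit = classify(line)
        if hit:
            reason, host, _ = hit
            by_host[host][reason] += 1
    return by_host


def noisy_sources(log_text, threshold=3):
    """Hosts with at least `threshold` dropped requests: a misconfigured NAS, a wrong
    clients-file entry, or unsolicited traffic that deserves a firewall rule."""
    return sorted(host for host, reasons in summarize_drops(log_text).items()
                  if sum(reasons.values()) >= threshold)


def header_length_mismatches(log_text):
    """Malformed packets whose RADIUS header length exceeds the bytes actually received."""
    out = []
    for line in log_text.splitlines():
        hit = classify(line)
        if hit and hit[0] == "malformed" and int(hit[2]["hdr"]) > int(hit[2]["rcvd"]):
            out.append((hit[1], int(hit[2]["hdr"]), int(hit[2]["rcvd"])))
    return out
```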
However, not all external service problems result in error messages being recorded in the logfile.
Table 28-4 External Service Failure Problems (continued)
Problem: Unable to connect to the LDAP server as administrator
Log Message:
    get_open_result: Cannot connect to LDAP server '' as LDAP user (Keyword 'Keyword') 'cn=value,dc=value,dc=value,dc=com'. ERROR '49' (Invalid credentials). Access denied.

Table 28-4 External Service Failure Problems (continued)
Problem: Unable to connect to the Oracle database server
Log Message:
    Connecting DB '' with service 'example:1521/ora10g', user 'system'
    OCI_ERROR (AAA_OCIServerAttach -1): ORA-12154: TNS:could not resolve the connect identifier specified
    OCI_ERROR(AAA_OCISessionBegin -1): ORA-24327: need explicit attach before authenticating a user
    Failed to open database connections for db_oci db id
Cause: The Oracle server and port that

Table 28-4 External Service Failure Problems (continued)
Problem: Unable to connect to the MySQL database server
Log Message:
    wrong ODBCdatastore in sqlaccess.

Table 28-4 External Service Failure Problems (continued)
Problem: Unable to connect to the DHCP server
Log Message:
    Authentication: 205/0 '' via from port Outbound (8 retries) - FAILED
    DHCP server not responding -- total 24, holding 0
Cause: The DHCP server is busy or unavailable.
Solution: Verify if the DHCP server is running and can service IP address requests. Or, specify an alternate DHCP server.
• Authentication Relay Port: Ensure that the correct UDP port that is used to relay authentication requests (configured in /etc/services) is specified. The default authentication relay port is 1812.
• Accounting Relay Port: Ensure that the correct UDP port that is used to relay accounting requests (configured in /etc/services) is specified. The default accounting relay port is 1813.
For more information on proxy server configuration, see Configuring Proxies on page 119.
Table 28-5 Common Authentication Failure Problems
Problem: Unable to authenticate
Log Message:
    Authentication failed. Unsuccessful password comparison for user '' in realm ''. Verify password in request and user profile.

Table 28-5 Common Authentication Failure Problems (continued)
Problem: Unable to authenticate
Log Message:
    aaa_realm: Request denied. Unknown realm '' for user ''. Verify realm configuration through Server Manager or in files '' for the realm and '' for the realm or default realm entry
Cause: The HP-UX AAA Server is not configured to service requests from the realm.
Solution:
1.

Table 28-5 Common Authentication Failure Problems (continued)
Problem: Unable to authenticate
Log Message:
    check_request: Access denied. Request does not match check item '' for user '' in realm ''. Expected: '', received: ''
Or
    check_request: Access denied.

Table 28-5 Common Authentication Failure Problems (continued)
Problem: Unable to authenticate
Log Message:
    dhcpRelayAatv_ActionFunction: Request failed. DHCP Relay is disabled. Verify DHCP Server-Name/IP-Address at DHCP server properties in the Server Manager at Server Properties > DHCP Relay Properties or in /etc/opt/aaa/aaa.

Table 28-5 Common Authentication Failure Problems (continued)
Problem: Unable to authenticate
Log Message:
    Sequence counter resynchronization failed for user in realm after unsuccessful OTP validations. The last sequence counter attempted is .
Cause: The HP-UX AAA Server is not able to resynchronize the sequence counter as the OTP in the request is incorrect.

Table 28-5 Common Authentication Failure Problems (continued)
Problem: Unable to authenticate
Log Message:
    Invalid OTP Action Id. The OTP Action Id set through the bit mask for user in realm is zero. The valid OTP Action Id value is range from 1 to 127. Configure the valid OTP Action Id.
Or
    Invalid OTP Action Id. The OTP Action Id set through the bit mask for user in realm is negative. The valid OTP Action Id value is range from 1 to 127.

Table 28-5 Common Authentication Failure Problems (continued)
Problem: Unable to authenticate
Log Message:
    Shared secret for user in realm is bytes. The shared secret must not be less than 16 bytes. Verify the length of the shared secret in the token repository.
Cause: The length of the shared secret is too short.
Resolution: Verify that you have entered a shared secret that is more than 16 bytes.

Table 28-5 Common Authentication Failure Problems (continued)
Problem: Unable to authenticate
Log Message:
    Configured hexadecimal string for user of realm has one or more non-hexadecimal characters. Verify the configured hexadecimal string in the token repository.
Cause: The configured hexadecimal shared secret has non-hexadecimal characters.
Resolution: Hexadecimal characters range from 0–9 and a-f.
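The last three OTP rows of Table 28-5 describe token-repository values that fail only at authentication time: an OTP Action Id outside 1 to 127, a shared secret shorter than 16 bytes, and non-hexadecimal characters in the secret. The routine below is an added example (not from the guide or the server) that applies those same checks to repository entries before they are deployed, so the failure is caught at provisioning rather than as a denied login. Assumptions of mine: the secret is stored as a hexadecimal string whose byte length is the decoded length, only the digits 0-9 and a-f the guide names are accepted, and the sample repository entries are constructed.

```python
# Added example: pre-deployment check of OTP token-repository entries against the
# rules quoted in Table 28-5. Not HP-UX AAA Server code.
import re

ACTION_ID_RANGE = range(1, 128)          # guide: valid OTP Action Id is 1 to 127
MIN_SECRET_BYTES = 16                    # guide: secret must not be less than 16 bytes
HEX_RE = re.compile(r"^[0-9a-f]+$")      # guide: hexadecimal characters are 0-9 and a-f


def check_otp_entry(user, realm, action_id, secret_hex):
    """Return the list of problems with one entry; an empty list means it passes."""
    findings = []
    if action_id not in ACTION_ID_RANGE:    # covers both the "zero" and "negative" log messages
        findings.append(
            f"OTP Action Id {action_id} for user {user} in realm {realm} is outside 1..127")
    if not HEX_RE.match(secret_hex) or len(secret_hex) % 2:
        # non-hex characters, or an odd digit count that cannot decode to whole bytes
        findings.append(
            f"shared secret for user {user} in realm {realm} is not a valid hexadecimal string")
        return findings
    secret_len = len(bytes.fromhex(secret_hex))
    if secret_len < MIN_SECRET_BYTES:
        findings.append(
            f"shared secret for user {user} in realm {realm} is {secret_len} bytes; "
            f"at least {MIN_SECRET_BYTES} are required")
    return findings


# Constructed sample repository: (user, realm, OTP Action Id, shared secret as hex).
SAMPLE_REPOSITORY = [
    ("alice", "example.com", 5,  "00112233445566778899aabbccddeeff"),  # 16 bytes: passes
    ("bob",   "example.com", 0,  "00112233445566778899aabbccddeeff"),  # Action Id zero
    ("carol", "example.com", 7,  "0011223344556677"),                  # only 8 bytes
    ("dave",  "example.com", -3, "zz112233445566778899aabbccddeeff"),  # negative Id, non-hex
]


def audit_repository(entries):
    """Map user@realm -> findings for every entry that fails at least one check."""
    report = {}
    for user, realm, action_id, secret_hex in entries:
        findings = check_otp_entry(user, realm, action_id, secret_hex)
        if findings:
            report[f"{user}@{realm}"] = findings
    return report
```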
Table 28-6 EAP Problems
Problem: Invalid EAP type specified
Log Message:
    Invalid EAP type '' specified for the user '' for realm ''. Verify the EAP type configured for the realm 'example.com' in the appropriate authfile in '/etc/opt/aaa'. Or, verify the EAP configuration in the Local Realms screen in Server Manager.
Cause: The EAP type specified in the request does not match the EAP type configured for the realm.

Table 28-6 EAP Problems (continued)
Problem: Unable to authenticate
Log Message:
    ProcessHandshake TLS: AAA Server generated TLS alert: 'certificate_revoked'. The certificates used for validation have been revoked by the CA
Cause: The client or supplicant certificate has been revoked.
Solution: Advise the user to acquire a new certificate from the administrator or ISP, and retry authentication.
Troubleshooting Provisioning Errors The supplicant will not be able to connect to the network service unless the HP-UX AAA Server sends the provisioning attributes (such as session key, tunneling, and filter attributes) expected by the RADIUS client. This occurs even if the HP-UX AAA Server sends an Access-Accept to the RADIUS client. To troubleshoot provisioning errors, perform the following steps: 1.
29 Troubleshooting Resources
The HP-UX AAA Server includes a set of utility programs that can:
• check the status of the HP-UX AAA Server
• emulate a RADIUS client
• turn debugging on and off
• set and modify the debug level
Additionally, the RADIUS client and EAP supplicant vendors typically provide troubleshooting capabilities for their components. Protocol analyzers can also be used if more detailed troubleshooting is required.

    radcheck [-p port] [-t timeout] [-r retries] [-x] [-x] [-x] [-x] [-v] Server

If radcheck is successful, a message similar to the following is displayed on standard output:

    Server Name (UDP-port) is responding

For more information on the radcheck utility, see radcheck(1M).

The radpwtst Utility: For Testing Authentication
The radpwtst utility simulates a RADIUS client that sends and receives RADIUS messages to and from the HP-UX AAA Server.

    radsignal [-h] [-v] [[-di ipcdir] pid level] [[ ipcdir] pid roll logfile] [[-di ipcdir] pid roll stream [stream-name]]

For more information on radsignal, see radsignal(1M).

The HP-UX AAA Server Logfile and Debug File
You can use the following logfile and debug file to troubleshoot the HP-UX AAA Server:
• /var/opt/aaa/logs/logfile - The HP-UX AAA Server Logfile
• /var/opt/aaa/logs/radius.debug - The HP-UX AAA Server Debug File
This section discusses the HP-UX AAA Server logfile and debug file.
Table 29-1 Debugging Levels in the HP-UX AAA Server
Debug Level    Level of Information
1              Minimal information
2              • Level 1 information
               • High-level FSM output and limited function tracing
3              • Level 2 information
               • Full function tracing
4              • Level 3 information
               • Low-level FSM and configuration file output

At runtime, radiusd logs debugging information that may be useful for troubleshooting.
30 Reporting Problems
If you are unable to solve the problem, do the following:
1. Read the Release Notes for [Product/Platform/Component] to see if the problem is known. If it is, follow the workaround offered to solve the problem.
2. Determine whether the product is still under warranty or whether your company purchased support services for the product. Your operations manager can supply you with the necessary information.
3. Access http://www.itrc.hp.

Server Manager Related Information
If you are facing problems with the GUI based administration, include the following information:
• Server Manager version number
• HP-UX Java SDK version number
• HP-UX Tomcat-based Servlet Engine version number
• Contents of the /opt/aaa/remotecontrol/admin.log file
• Contents of the /opt/aaa/remotecontrol/file.log file
• Contents of the /opt/aaa/remotecontrol/maintenance.log file
• Contents of the /opt/aaa/remotecontrol/session.

Clients
• Client type
• Patch type
• Tracing logs for EAP log files

Access Points
• The make of the access point (such as Cisco or HP)
• Version of hardware and firmware

Part VII Reference
This part of the HP-UX AAA Server Administrator’s Guide contains the following chapters:
• Chapter 31: “Configuration Files” (page 374)
• Chapter 32: “Attribute-Value Pairs” (page 400)
• Chapter 33: “MIB Objects” (page 419)
Table of Contents 31 Configuration Files ...............................................................................................................374 HUP Processing................................................................................................................374 The aaa.config File.......................................................................................................375 Variables in the aaa.config File...................................................................
The log.config File ......................................................................................................393 Syntax of a Stream Entry.............................................................................................393 Default Entry ..............................................................................................................395 End Entry ....................................................................................................................
31 Configuration Files The Server Manager interface configures most of the HP-UX AAA Server’s configuration files. However, some features of the HP-UX AAA Server cannot be configured through the Server Manager interface. If you want to define policy, vendor-specific attributes, or logging behavior, you must manually edit the configuration files. The information in this chapter is provided as a reference for the configuration files that Server Manager cannot configure.
• engine.config (all values except the certificate properties, which require a server stop and start to be refreshed)
• las.conf
• EAP.authfile
• aaa.config.license
• sqlaccess.config

The aaa.config File
The aaa.config file contains keyword-value entries, one per line, which allow the user to override compiled-in default values in the AAA server. The aaa.config file can be used for performance tuning, debugging, or overriding built-in defaults.

The aatv.ProLDAP Property
This property controls AAA server connections to an LDAP server.
• Retry-Interval sets the number of seconds for the AAA server to wait before trying to reconnect to an LDAP directory server, when a realm has failover directory servers configured. Defaults to 60 seconds.
• Retry-Wait sets the number of seconds that the AAA server will wait before attempting to connect to the same failover LDAP server.

In the above example, a message will be suppressed for 20 seconds if it is logged more than 150 times within 2 seconds.

The list_copy_limit Variable
This variable can be used for customized server configurations that accumulate A-V pairs or generate large responses. The default (and maximum) value is 512. Following is the syntax of the list_copy_limit variable:

    list_copy_limit=256

The localUsersFile.FilterType Property
This property can be used to specify the case matching for each users file.

The log_generated_request Variable
This variable turns the logging of internally generated packets on (or off) when they are created, and when they reach their end-state. It is useful for a customized server configuration that produces accounting requests based on internal state transitions rather than on externally delivered requests.

The value of defserver connection means to report only from the original request. The value of +abort means to abort and core-dump if there is a mismatch.

The radius_log_fmt Variable
This variable overrides the logfile format string used.

The reply_check Variable
This variable specifies which attributes to check on a reply from a forwarded request to ensure that they are the same as the forwarded request.

For more information on these configuration items, see “System-Wide OTP Configuration Items” (page 174).

The clients File
The server configuration must include all the clients (NASs, RADIUS proxy servers, and other network devices) that can communicate with the AAA server. If a client is not included in the configuration, the server discards its messages. The /etc/opt/aaa/clients file contains the identifying information for these clients.
Wildcard Support for IPv4 and IPv6
To allow access from any IP address or from any IP address of a particular subnet, specify a wildcard pattern in the /etc/opt/aaa/clients file. Wildcard IP addresses are specified by using the high order components followed by the asterisk wildcard.
Following are some examples of valid IPv4 wildcard patterns:
    *
    192.*
    192.0.*
    192.0.2.*
Following are some examples of invalid IPv4 wildcard patterns:
    *.0
    192.
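A wildcard client entry decides which source addresses the server will even consider, so it is worth checking both that a pattern is well formed and how much address space it admits. The Python below is an added example, not part of the guide or the server: it validates IPv4 wildcard patterns of the form shown above (the asterisk must be the last component, after one to three complete octets), matches client addresses against them, and flags patterns that pin fewer than two octets, since a bare "*" leaves the shared secret as the only thing distinguishing a configured NAS from any other host that can reach the RADIUS port. The clients file layout itself is not reproduced here; the functions take patterns as plain strings, and the threshold in overly_broad is my choice.

```python
# Added example: validation and matching of IPv4 wildcard client patterns as
# documented for the clients file. Not HP-UX AAA Server code.
import re

# "*" alone, or one to three leading octets each followed by ".", then "*"
WILDCARD_RE = re.compile(r"^(?:\*|(?:\d{1,3}\.){1,3}\*)$")


def is_valid_ipv4_wildcard(pattern):
    """Valid per the guide: *, 192.*, 192.0.*, 192.0.2.*   Invalid: *.0, 192."""
    if not WILDCARD_RE.match(pattern):
        return False
    octets = pattern.split(".")[:-1]          # drop the trailing "*"
    return all(int(octet) <= 255 for octet in octets)


def wildcard_matches(pattern, address):
    """True if the dotted-quad address falls within the wildcard pattern."""
    if not is_valid_ipv4_wildcard(pattern):
        raise ValueError(f"invalid wildcard pattern {pattern!r}")
    if pattern == "*":
        return True
    prefix = pattern[:-1]                     # "192.0.*" -> "192.0."
    return address.startswith(prefix)         # the kept "." stops "19.*" matching 192.x


def fixed_octets(pattern):
    """Octets pinned by the pattern: 0 for "*", 1 for "192.*", 3 for "192.0.2.*"."""
    return 0 if pattern == "*" else pattern.count(".")


def overly_broad(patterns, min_fixed_octets=2):
    """Valid patterns that pin fewer than min_fixed_octets octets, for review."""
    return [p for p in patterns
            if is_valid_ipv4_wildcard(p) and fixed_octets(p) < min_fixed_octets]


def first_match(patterns, address):
    """Index of the first pattern the address matches, or None (invalid patterns are skipped)."""
    for i, pattern in enumerate(patterns):
        if is_valid_ipv4_wildcard(pattern) and wildcard_matches(pattern, address):
            return i
    return None
```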
IMPORTANT: Configuration files have a maximum input line length of 255 characters. No checking is done to insure that a configuration statement has not exceeded this limit. NOTE: The order of the entries is important; the first entry that matches the request will be used to authenticate the user. The server will ignore the remaining entries; therefore, you should list the most specific entries first and the default entry should be last.
Example 31-2 Examples of Framed-Interface-Id Attribute Syntax
    fedc:ba98:7654:3210
    a:b:c:d
IMPORTANT: Do not use “::” in the Framed-Interface-Id syntax.

Framed-IPv6-Prefix
This attribute indicates an IPv6 prefix to be configured for the user.

Example 31-3 Examples of Framed-IPv6-Prefix Attribute Syntax
    0/64/12ab::cd30:0:0:0:0
    0/28/fedc:ba98:7654:3210:fedc:ba98:7654:3210
The first field in the above examples is the Reserved field. If you do not list this field, the default value 0 will be used.

Example 31-4 Examples of Login-IPv6-Host Attribute Syntax
    fedc:ba98:7654:3210:fedc:ba98:7654:3210
    12ab::4871
    2222::4
    hostname.domain.com
CAUTION: A value of 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF in the Login-IPv6-Host indicates that the RADIUS clients (NAS) must allow the user to select an address or name of the server to be connected to. A value of 0x0 in the Login-IPv6-Host indicates that the RADIUS clients (NAS) must select an address or the name of the server the user has to be connected to.
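The three IPv6 attribute syntaxes above each have a rule that is easy to get wrong in a users file: no "::" in Framed-Interface-Id, an optional Reserved field in Framed-IPv6-Prefix, and two sentinel values in Login-IPv6-Host that change what the NAS does. The parsers below are an added example, not from the guide or the server, that check those rules on the guide's own sample values. Assumptions of mine: the Login-IPv6-Host sentinels may be written either as the 0x literals the guide prints or as the equivalent all-ones and all-zeros IPv6 addresses, and any value that is neither an IPv6 address nor such a literal is treated as a host name.

```python
# Added example: parsers for the Framed-Interface-Id, Framed-IPv6-Prefix and
# Login-IPv6-Host syntaxes documented above. Not HP-UX AAA Server code.
import ipaddress
import re

IFID_GROUP_RE = re.compile(r"^[0-9a-fA-F]{1,4}$")
ALL_ONES_128 = (1 << 128) - 1            # 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF


def parse_framed_interface_id(text):
    """Four colon-separated 16-bit hex groups; '::' is rejected per the guide's IMPORTANT note.
    Returns the 64-bit interface identifier as an int."""
    if "::" in text:
        raise ValueError("'::' is not allowed in Framed-Interface-Id")
    groups = text.split(":")
    if len(groups) != 4 or not all(IFID_GROUP_RE.match(g) for g in groups):
        raise ValueError(f"invalid Framed-Interface-Id {text!r}")
    value = 0
    for group in groups:
        value = (value << 16) | int(group, 16)
    return value


def is_valid_framed_interface_id(text):
    try:
        parse_framed_interface_id(text)
        return True
    except ValueError:
        return False


def parse_framed_ipv6_prefix(text):
    """'reserved/prefix-length/prefix'; a missing Reserved field defaults to 0 (guide).
    Returns (reserved, prefix_length, IPv6Address)."""
    parts = text.split("/")
    if len(parts) == 2:
        parts.insert(0, "0")
    if len(parts) != 3:
        raise ValueError(f"invalid Framed-IPv6-Prefix {text!r}")
    reserved, prefix_len = int(parts[0]), int(parts[1])
    if not 0 <= prefix_len <= 128:
        raise ValueError(f"prefix length {prefix_len} out of range")
    return reserved, prefix_len, ipaddress.IPv6Address(parts[2])


def classify_login_ipv6_host(text):
    """Return (kind, value) where kind is one of:
    'user-selects' (all ones: user picks the host), 'nas-selects' (zero: NAS picks),
    'address' (a specific IPv6 address) or 'hostname'."""
    try:
        if text.lower().startswith("0x"):           # the literal form the guide prints
            number = int(text, 16)
        else:
            number = int(ipaddress.IPv6Address(text))
    except ValueError:                              # AddressValueError is a ValueError
        return "hostname", text
    if number == ALL_ONES_128:
        return "user-selects", ipaddress.IPv6Address(number)
    if number == 0:
        return "nas-selects", ipaddress.IPv6Address(number)
    return "address", ipaddress.IPv6Address(number)
```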
value in the request and then will check the request for a tunnel hint. If the password does not match, or there is no hint for medium type or the hint does not specify the IP address type, the server will respond with an Access-Reject; otherwise, the server will return the listed tunneling attribute values to the client.
fred-eng Password = "laser", Tunnel-Medium-Type = IPv4
    Tunnel-Type = PPTP,
    Tunnel-Medium-Type = IPv4,
    Tunnel-Client-Endpoint = 192.168.127.1,
    Tunnel-Server-Endpoint = 192.155.111.
Attribute-Value (A-V) pairs. See Chapter 32: “Attribute-Value Pairs” (page 400) for information about the data format of A-V pairs in RADIUS messages.
IMPORTANT: Configuration files have a maximum input line length of 255 characters. No checking is done to ensure that a configuration statement has not exceeded this limit. All configuration files must end with a new line.
• tag-int: single octet followed by three octets of integer value (used for tunneling attribute)
• tag-string: single octet followed by 0-252 octets (used for tunneling attribute)
pruning  May be replaced with an optional expression that controls three server features:
• whether the attribute is ever sent to the NAS
• whether or not the attribute may be logged
• encapsulation, if used, for vendor-specific attributes

Pruning Expressions
Pruning is a feature that allows the server to remove A-V pairs from an
• CONFIG: the attribute is a configuration item.
• INTERNAL: the attribute is internal to the server and will be removed from incoming and outgoing RADIUS messages.
NOTE: ENCAPS and NOENCAPS keywords are mutually exclusive. If you specify both, only the last one will apply. CONFIG is mutually exclusive from NOLOG, ENCAPS, NOENCAPS, and INTERNAL.
Merit.VALUE LAS-Code LAS-Notlocal   7
Merit.VALUE LAS-Code LAS-Suspend    8
Merit.VALUE LAS-Code LAS-Failed     9
Merit.VALUE LAS-Code LAS-Authorized 10
Merit.VALUE LAS-Code LAS-NASreboot  11
Merit.VALUE LAS-Code LAS-Remote     12
Merit.VALUE LAS-Code LAS-Duplicate  13
Merit.VALUE LAS-Code LAS-Collision  14
Merit.VALUE LAS-Code LAS-Stop       15

The las.conf File
The las.conf file contains a list of configuration items for the Local Authorization Server (LAS) that controls realm-based authentication.
Table 31-1 Default LAS Session Timing Parameters
Parameter          Default     Description
Session-Hold-Time  45 seconds  Tells LAS how long to wait for an Accounting-Start message from the NAS. After the specified number of seconds, a session is moved into not-confirmed state, in which it is not counted as a simultaneous session. This parameter is only used for Hunt-groups.
number-of-tokens  Number of tokens in the token pool.
Example
Tokenpool Sample-pool
    4
End-Tokenpool

Realm Configuration
This section lists realms by name and, optionally, any services, token pools or any custom AATV support for a realm. A realm entry in las.conf is required to perform session tracking. The default server behavior is to log accounting messages locally, whether the server processes Access-Request messages locally or sends them to a proxy server. If a realm entry exists in the las.
• A Token-pool-name is the name of a defined token pool.
• max-number-of-tokens specifies how many tokens a realm may use.

The vendors File
The vendors file contains a list of vendor entries. Each vendor entry contains a vendor name and vendor number. The vendor numbers are SMI Network Management Private Enterprise Code numbers, as managed by the Internet Assigned Numbers Authority (IANA).
The standard-value and vendor-specific-value fields are optional and can be repeated any number of times. When used, the list of standard and vendor values is enclosed in parentheses. These values are used to map attributes from the common attribute space defined in the RADIUS RFC to internal, non-conflicting vendor-specific attributes. These fields address the issue that occurs when a vendor has assigned vendor-specific attributes in the standard attribute address space.
aatv  Specifies one of the following AATVs to use for logging.
• LOG_ACCT (Livingston/Lucent/RABU style call detail format, default)
• LOG_ALL (logs all streams defined in log.config)
• LOG_BRIEF (simple session format)
• LOG_BY_ATTRIBUTE (logging based on user specified attribute in radius.
Default Entry
The stream entry identified with the name *default* will be used when LOG is invoked by the FSM without an Xstring parameter.
End Entry
The one-keyword end entry tells the session logging subsystem to stop reading the configuration file, allowing subsequent text to be ignored.
Logging Multiple Streams
To log multiple streams you must define a default stream with the AATV sub-command set to LOG_ALL. When you specify a log.
Table 31-2 Information Recorded by LOG_V2_o (continued)
Field  Type                      Value          Description
12     string                    service_class  Service-Class attribute value
13     string                    filter
14     string[/string[/string]]  service_type   Service-Type followed by additional fields separated by a ‘/’, depending on Service-Type.
    aatv      log_v1_1
    buffer    1
    close     on
    filename  record.%y%m%d.las
}
stream new {
    aatv        log_v2_0
    aatv-value  7
    buffer      1
    close       on
    filename    recordv2.%y%m%d.las
}
end

Logging Based on attributes
This sample aatv logs all accounting request logs for yourorg.com in the yourorg.%Y%M.log file and the rest of the accounting requests in the realm.%Y%M.log file. This stream configuration for logging is based on log_by_realm. The log_by_realm AATV searches for the User-Realm attribute.
Accounting Log Based on Attribute Value
You can write accounting log to different log files, based on the RADIUS attribute value in the RADIUS accounting-request. To write accounting log to a different log file, you must modify the /etc/opt/aaa/log.config and /etc/opt/aaa/radius.fsm files. To write accounting log to different log files, complete the following steps:
1. Modify the /etc/opt/aaa/log.
5. Send accounting Start and/or Stop request without Called-Station-Id attribute.
Example of an accounting start message:
radpwtst -c 4 -s localhost -u ppp -i 1.1.1.1 -l 4 -:Acct-StatusType=Start -:Called-Station-Id=12345 -w password test_user
Example of an accounting stop message:
radpwtst -c 4 -s localhost -u ppp -i 1.1.1.1 -l 4 -:Acct-StatusType=Stop -:Called-Station-Id=12345 -w password test_user
You can now see the following file:
/var/opt/aaa/acct/logotherattr.2005-05-16.
32 Attribute-Value Pairs
The RADIUS protocol defines things in terms of attributes. Each attribute may take on one of a set of values. When a RADIUS packet is exchanged among clients and servers, one or more attributes and values are sent pairwise as an Attribute-Value pair (A-V pair). For the HP-UX AAA Server software, all valid attributes and values are listed in the dictionary file.
Examples
The following examples are syntactically valid A-V pair lists:
Password = "rock", Service-Type = "Framed", Comment = "This is OK"
Password =rock Service-Type =Framed Comment ="This is OK"
The following examples are not syntactically valid A-V pair lists:
Password="rock"Service-Type="Framed"Comment="This is not OK"
Password= rock Service-Type= Framed Comment= This is not OK

Tagged Attributes
A RADIUS message can include multiple values for one or more attributes that are tagged to organize the att
Configuration Attributes
You can add configuration attributes that are not directly supported by the Server Manager graphic interface. You can add configuration attributes through the Server Manager as a check item under the Free tab on the User Creation screen. For more information, see “Tabs on the Add Users Screen” (page 118).
Authentication-Type  The authentication type is applied to a user just as it would be applied to a user belonging to a realm.
Group-Name  Can be any string value. Unlike other configuration-only attributes, Group-Name initially appears in a user entry as a reply item and would be used as a check item in a policy definition by LDAP or a customized authentication method.
Password  Specifies the value to compare to the User-Password attribute value in the Access-Request or the user's input in response to an Access-Challenge. The \ character must not be used.
NOTE: The RADIUS protocol does not send clear text passwords.
Simultaneous-Use Attribute This attribute’s value determines the maximum number of active sessions the user can have. The default is 1 (if the LAS is enabled for the user’s realm, but no Simultaneous-Use attribute value is specified for the user or the user’s realm). A value of -1 disables the feature—providing no limit to number of simultaneous sessions for a user in a realm enabled to use the LAS. NOTE: Simultaneous session control is based on the inner identity (realm) for tunneled-EAP authentications.
NAS-IPv6-Address  This attribute indicates the identifying IPv6 address of the NAS which is requesting authentication of the user. This attribute must be unique to the NAS within the scope of the RADIUS server. Either the NAS-IP-Address, NAS-IPv6-Address, or NAS-Identifier must be present in an Access-Request.
NAS-Identifier  This attribute contains a string identifying the NAS originating the Access-Request.
NAS-Port
Other Attributes
Called-Station-ID  This attribute indicates where the user called to, using Dialed Number Identification Service (DNIS), or similar technology. Note that this may be different from the phone number the call comes in on.
Calling-Station-ID  This attribute indicates where the user called from, using Automatic Number Identification (ANI) or similar technology.
Connect-Info  This attribute is sent from the NAS to indicate the nature of the user's connection.
Table 32-1 Reply Item Attributes (continued)
Attribute           Check Item (Hint)  Reply Item
Filter-Id           No                 Yes
Framed-Compression  Yes                Yes
Framed-IP-Address   Yes                Yes
Framed-IPv6-Prefix  Yes                Yes
Framed-Interface-Id Yes                Yes
Framed-IP-Network   Yes                Yes
Framed-IPX-Network  No                 Yes
Framed-MTU          No                 Yes
Framed-Pool         No                 Yes
Framed-IPv6-Pool    No                 Yes
Framed-Protocol     Yes                Yes
Framed-Route        No                 Yes
Framed-IPv6-Route   No                 Yes
Framed-Routing      No                 Yes
Idle-Timeout        No                 Yes
Login-IP-Host       No                 Yes
Login-I
Table 32-1 Reply Item Attributes (continued)
Attribute                Check Item (Hint)  Reply Item
Session-Timeout          No                 Yes
Tunnel-Assignment-ID     No                 Yes
Tunnel-Client-Auth-ID    Yes                Yes
Tunnel-Client-Endpoint   Yes                Yes
Tunnel-Medium-Type       Yes                Yes
Tunnel-Password          Yes                Yes
Tunnel-Preference        Yes                Yes
Tunnel-Private-Group-ID  Yes                Yes
Tunnel-Server-Auth-ID    Yes                Yes
Tunnel-Server-Endpoint   Yes                Yes
Tunnel-Type              Yes                Yes

General Attributes
Service-Type  This attribute indicates a type of provided service.
• NAS-Prompt: The user should be provided a command prompt on the NAS from which non-privileged commands can be executed.
• Authenticate-Only: Only Authentication is requested, and no authorization information needs to be returned in the Access-Accept (typically used by proxy servers rather than the NAS itself).
• Callback-NAS-Prompt: The user should be disconnected and called back and then provided a command prompt on the NAS from which non-privileged commands can be executed.
• PortMaster (proprietary)
• LAT
Login-TCP-Port  This attribute indicates the TCP port that the user is to be connected to when Service-Type is defined as Login.
Login-LAT-Service  This attribute indicates the system that the user is to be connected to when Login-Service is defined as LAT.
Login-LAT-Node  This attribute indicates the node that the user is to be connected to when Login-Service is defined as LAT.
Login-LAT-Group
Login-LAT-Port
Framed-Compression  This attribute indicates a compression protocol to be used for the link. Valid values for this attribute are:
• None
• Van-Jacobsen-TCP-IP
• IPX-Header-Compression
Framed-Route  This attribute provides routing information to be configured for the user on the NAS. This attribute is used in an IPv4 environment.
Framed-IPv6-Route  This attribute provides routing information to be configured for the user on the NAS. This attribute is used in an IPv6 environment.
Tunnel-Medium-Type  Transport medium to use when creating a tunnel for those protocols (e.g., L2TP) that can operate over multiple transports. Valid values for this attribute are:
• IPv4 (IP version 4)
• IPv6 (IP version 6)
• NSAP
• HDLC (8-bit multidrop)
• BBN-1822 (1822)
• IEEE-802 (All 802 media plus Ethernet “canonical format”)
• E-163 (POTS)
• E-164 (SMDS, Frame Relay, ATM)
• F-69 (Telex)
• X-121 (X.
Tunnel-Private-Group-ID  A group identifier for a private session. Private groups may be used to associate a tunneled session with a particular group of users. For example, it may be used to facilitate routing of unregistered IP addresses through a particular interface.
Tunnel-Assignment-ID  This attribute indicates what tunnel will be used to provide an appropriate level of service for the user. Data transfer for users that share the same assignment will be multiplexed over a shared tunnel.
Tunnel-Server-Auth-ID  Name used by the server during the authentication that occurs between the Tunnel-Client-Endpoint and Tunnel-Server-Endpoint based on Tunnel-Password and any other checks that may be configured for Tunnel-Server-Endpoint.

Other Attributes
Acct-Interim-Interval  This attribute indicates the number of seconds between each interim update for a specific session.
IMPORTANT: When using the Server Manager interface, you can define only one Reply-Message value.
NOTE: When using complex policy, it is possible to use the Reply-Message attribute to send one message when the authentication succeeds and a different message if the authentication fails.

Attributes in Accounting Records
This section describes the attributes that may appear in an accounting record. An accounting record is stored in the HP-UX AAA Server session logs.
Acct-Input-Octets  How many octets have been received from the port over the course of this service being provided. Only appears in a stop message.
Acct-Output-Octets  How many octets have been sent to the port in the course of delivering this service. Only appears in a stop message.
Acct-Session-Id  Unique Accounting ID to make it easy to match start and stop records in a log file. The start and stop records for a given session will have the same Acct-Session-Id. This attribute appears in all accounting messages.
Table 32-2 Session Termination Causes (continued)
Cause        Description
Port Error   Client detected an error on the port that required ending the session.
NAS Error    NAS detected some error (other than on the port) which required ending the session.
NAS Request  NAS ended session for a non-error reason not otherwise listed here.
NAS Reboot   The NAS ended the session in order to reboot.
2^32 (4,294,967,295) over the course of the service being provided. Working in concurrence with the Acct-Output-Octets attribute, this attribute allows for the continuous accounting of data output beyond the limit of the Acct-Output-Octets attribute and can only be present in Accounting-Request records where the Acct-Status-Type is set to Stop or Interim-Update.
Acct-Interim-Interval  This attribute indicates the number of seconds between each interim update for a specific session.
33 MIB Objects
RFCs 2619 and 2621 describe the MIB objects for HP-UX AAA Server. Since the HP-UX AAA Server performs both authentication and accounting functions, some of the MIB objects return duplicated information. All of the RADIUS MIB objects that are sent to the management workstation by the server in response to SNMP requests are read-only, except radiusAuthServConfigReset and radiusAcctServConfigReset.
Table 33-1 MIB Objects and Definitions (continued)
MIB Object                          Definition
radiusAuthServTotalAccessRequests   The number of messages of any type received through the authentication port.
radiusAccServTotalRequests          The number of messages of any type received through the accounting port.
radiusAuthServTotalInvalidRequests  Total number of authentication requests received from an unknown address.
radiusAccServTotalInvalidRequests   Total number of accounting requests received from an unknown address.
Table 33-1 MIB Objects and Definitions (continued)
MIB Object                           Definition
radiusAuthServTotalBadAuthenticators  Total number of Access-Request messages with invalid Message-Authenticator attributes.
radiusAccServTotalBadAuthenticators   Total number of accounting messages with invalid Message-Authenticator attributes received from clients.
Table 33-1 MIB Objects and Definitions (continued)
MIB Object                                         Definition
radiusAuthClientAddress, radiusAccClientAddress    The IP-Address of the corresponding client.
radiusAuthClientClientID, radiusAccClientClientID  The NAS-Identifier of the corresponding client.
radiusAuthServAccessRequests                       Number of messages of any type received through the authentication port from the corresponding client.
Table 33-1 MIB Objects and Definitions (continued)
MIB Object                                           Definition
radiusAuthServPacketsDropped, radiusAccServPacketsDropped  Number of incoming packets from the corresponding client entry that were silently discarded for some reason other than malformed, bad authenticators, or unknown types.
radiusAuthServUnknownTypes, radiusAccServUnknownTypes      Number of unknown RADIUS messages received from the corresponding client.
A Supported IETF RFCs
Table A-1 lists the key IETF RFCs the HP-UX AAA Server supports. Refer to the IETF Website for more information on these RFCs at http://www.ietf.org.
Table A-2 Additional IETF RFCs Supported by HP-UX AAA Server (continued)
RFC #  RFC Title
3575   IANA Considerations for RADIUS
3576   Dynamic Authorization Extensions to Remote Authentication Dial In User Service (RADIUS)
3579   RADIUS (Remote Authentication Dial In User Service) Support For Extensible Authentication Protocol
3580   IEEE 802.
B Supported Authentication Methods
The following list describes the authentication methods the HP-UX AAA Server supports:
Password Authentication Protocol (PAP)  This authentication method is most appropriately used where a plaintext password must be used to simulate a login at a remote host. In such use, this method provides a similar level of security to the usual user login at the remote host.
The following is a list of the EAP supported authentication methods you can use with this version of the HP-UX AAA Server:
• Transport Layer Security (TLS): Uses TLS (also known as SSL) to authenticate the client using its digital certificate.
NOTE: Some wireless supplicants require specific extensions to support certificates for EAP.
TLS features include Dynamic Key Exchange; Mutual Authentication; Digital Certificate/Token Card-based Authentication; and Encrypted Tunnelling.
C RADIUS Data Packets
The Access-Request and other RADIUS data packets contain a header and a set of attribute-value (A-V) pairs, which are used by the server during the AAA transaction. The RADIUS RFC 2865 defines how vendors can extend the protocol. Encapsulation is the RFC defined way of extending RADIUS. Conflicts can occur when the RFC is not followed. In those cases, the server can map the attributes to unique internal values for processing.
instructions or other messages to an Access-Accept data packet (reply items). These A-V pairs' values will also appear in server session logs. The A-V pairs usually appear as AttributeName=Value in the configuration files and AttributeName=:Type:Value in the log files.
D Header Files, Data Structures, and APIs in the HP-UX AAA Server SDK
This appendix discusses the header files, data structures, and APIs that the HP-UX AAA Server SDK includes. This appendix addresses the following topics:
• “Header Files and Data Structures in the SDK.”
• “APIs in the HP-UX AAA Server SDK” (page 430)

Header Files and Data Structures in the SDK
This section lists the header files and the predefined data structures that the SDK includes. The HP-UX AAA Server SDK includes the sdk.
• Asynchronous APIs — These APIs enable you to write AATVs that are required for making asynchronous calls to external servers.
• Secondary APIs — These additional APIs enable you to further customize the HP-UX AAA Server.
The following sections describe these APIs in detail.

A-V Pair APIs
This section discusses the A-V pair APIs.
sdk_avp_t *sdk_avp_allocate()
Allocates an A-V pair, initializes all fields as 0, and returns a pointer to it.
attrid   The input variable that stores the attribute ID of the A-V pair. For vendor-specific attributes, the attribute ID is the vendor type or sub-attribute.
attrlen  The input variable that stores the length of the attribute (in bytes) of the A-V pair. For vendor-specific attributes, this value is the vendor length.
attrval  The input pointer that points to the attribute value of the A-V pair. For vendor-specific attributes, the attribute value is the sub-attribute value.
tag
avp      A pointer to an A-V pair to be set or modified.
vendid   The vendor ID of the attribute to be set or modified. For a standard RADIUS attribute, use VC_RADIUS, which is 0.
attrid   The attribute ID to be set or modified. For a vendor-specific attribute, the attribute ID is the vendor type or sub-attribute.
attrlen  The length of the attribute (in bytes) to be set or modified. For a vendor-specific attribute, the length is the vendor length.
attrval  The attribute value to be set or modified.
qtype      The type of list to be accessed. It can be one of the following types:
           • AUTHREQ_REQUEST_QUEUE
           • AUTHREQ_REPLY_QUEUE
           • AUTHREQ_CHECK_QUEUE
           • AUTHREQ_DENY_QUEUE
attrid     The attribute to be discovered.
attrlen    The attribute length to be matched. If the length is 0, the attribute length and value are not considered in the match.
attrvalue  The attribute value to be matched. If the value is NULL, the attribute length and value are not considered in the match.
position
tag
vendor-specific attributes, the attribute length (attrlen) is the vendor length.
attrvalue  The attribute value to be matched. If the attrvalue value is NULL, the attribute length and value are not considered in the match. For a vendor-specific attribute, the attribute value (attrvalue) is the sub-attribute value.
position   Pointer to an A-V pair already found in the list. If this value is NULL, then the search starts from the beginning of the list.
tag        The tag value for a tagged attribute.
Inserts an A-V pair into the A-V pair list of type qtype in authreq. Table D-1 lists the different insertions that this API performs, based on the values of the loc_avp A-V pair.
Table D-1 Actions Performed as a Result of the loc_avp A-V Pair
Parameter Value                                                                                       Action
The loc_avp A-V pair in the list is valid and the value of the position parameter is INSERT_BEFORE.  The new_avp A-V pair is inserted before loc_avp.
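A Python model of the find and insert behaviour the two API descriptions above document (attrlen 0 or a NULL attrvalue match on attribute ID only, position resumes the search after a pair already found, INSERT_BEFORE places new_avp in front of loc_avp). This is an added example, not the SDK's C code: the numeric values of the constants, the handling of a NULL loc_avp (modelled here as append), and the attribute numbers 18 and 27 for Reply-Message and Session-Timeout (from RFC 2865) are assumptions or outside the manual.

```python
from dataclasses import dataclass

# Constants named in the manual; their numeric values here are assumed,
# except VC_RADIUS, which the manual gives as 0.
VC_RADIUS = 0
INSERT_BEFORE = 0
SDK_SUCCESS = 0
SDK_INVALID_ARG = -1
AUTHREQ_REQUEST_QUEUE, AUTHREQ_REPLY_QUEUE, AUTHREQ_CHECK_QUEUE, AUTHREQ_DENY_QUEUE = range(4)


@dataclass(eq=False)   # identity comparison: two equal-looking pairs stay distinct objects
class Avp:
    attrid: int
    attrval: bytes
    vendid: int = VC_RADIUS
    tag: int = 0

    @property
    def attrlen(self):
        return len(self.attrval)


class AuthReq:
    """Holds the four A-V pair lists that the qtype parameter selects."""
    def __init__(self):
        self.queues = {q: [] for q in range(4)}


def sdk_avp_find(authreq, qtype, attrid, attrlen=0, attrvalue=None,
                 position=None, tag=0, vendid=VC_RADIUS):
    """Model of the find call: attrlen == 0 or attrvalue None matches on
    attribute ID (and tag, vendor) only; position resumes after that pair."""
    queue = authreq.queues[qtype]
    start = 0
    if position is not None:
        hits = [i for i, avp in enumerate(queue) if avp is position]
        if not hits:
            return None                     # position is not in this list
        start = hits[0] + 1
    for avp in queue[start:]:
        if (avp.vendid, avp.attrid, avp.tag) != (vendid, attrid, tag):
            continue
        if attrlen and attrvalue is not None and (avp.attrlen != attrlen or avp.attrval != attrvalue):
            continue
        return avp
    return None


def sdk_avp_insert(authreq, qtype, new_avp, loc_avp=None, position=INSERT_BEFORE):
    """Model of the insert call: with a valid loc_avp and INSERT_BEFORE the new
    pair goes in front of loc_avp. Assumption: with loc_avp None it is appended."""
    queue = authreq.queues[qtype]
    if loc_avp is None:
        queue.append(new_avp)
        return SDK_SUCCESS
    hits = [i for i, avp in enumerate(queue) if avp is loc_avp]
    if position != INSERT_BEFORE or not hits:
        return SDK_INVALID_ARG              # loc_avp is not a valid pair of this list
    queue.insert(hits[0], new_avp)
    return SDK_SUCCESS


REPLY_MESSAGE, SESSION_TIMEOUT = 18, 27     # attribute IDs from RFC 2865 (outside the manual)


def build_example():
    """Constructed reply list: two Reply-Message pairs, then a Session-Timeout
    inserted in front of the first one via INSERT_BEFORE."""
    req = AuthReq()
    sdk_avp_insert(req, AUTHREQ_REPLY_QUEUE, Avp(REPLY_MESSAGE, b"Welcome"))
    sdk_avp_insert(req, AUTHREQ_REPLY_QUEUE, Avp(REPLY_MESSAGE, b"Session limit reached"))
    first = sdk_avp_find(req, AUTHREQ_REPLY_QUEUE, REPLY_MESSAGE)
    timeout = Avp(SESSION_TIMEOUT, (3600).to_bytes(4, "big"))
    sdk_avp_insert(req, AUTHREQ_REPLY_QUEUE, timeout, first, INSERT_BEFORE)
    return req
```

Walking a list with repeated calls that pass the previous result as position is the documented way to visit every occurrence of an attribute; a find with attrlen and attrvalue set picks out one specific value instead.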
infotype  The information type of interest. Table D-2 lists the various information types.
Table D-2 Information Types
Information Type  Description
AUTHREQ_CODE      Code: The packet type, one of Access-Request, Access-Accept as defined in RFC 2865. The code has a type of unsigned short.
AUTHREQ_FWD_ID    Forward ID: A locally generated sequence number for a request to be forwarded. The forward ID has a type of unsigned short.
uses an IPv6 address and the user input argument is SDK_AUTH_CLIENT_IPADDRV4.
Return
Returns one of the following values:
• SDK_SUCCESS if the operation succeeds.
• SDK_INVALID_ARG if the arguments are invalid.

Logging APIs
This section discusses the APIs that can be used to customize the logging functionality of the HP-UX AAA Server.
NOTE: The HP-UX AAA Server supports two logging subsystems that are used simultaneously.
NOTE: If the arguments are insufficient for the format, the behavior can be unexpected.
Return
This API returns one of the following values:
 0  If the message is logged.
 1  If the message is queued.
-1  If the message is not logged or queued.

int sdk_log_debug()
int sdk_log_debug (int level, const char *format, /* [arg,], */ ...)
Usage
Logs the provided debug log message in the HP-UX AAA Server debug log file located at /var/opt/aaa/logs/radius.debug.
NOTE: If the arguments are insufficient for the format, the behavior can be unexpected.
Return
Returns one of the following values:
 0  If the message is logged.
 1  If the message is queued.
-1  If the message is not logged or queued.

Asynchronous Event and I/O APIs
The HP-UX AAA Server maintains a global list of file descriptors and calls system functions to monitor file descriptors for inbound messages.
Unregisters a file descriptor with the HP-UX AAA Server. The HP-UX AAA Server does not monitor the file descriptor for inbound messages once the file is unregistered.
Input
fd  The file descriptor that needs to be unregistered.
Return
Returns one of the following values:
• SDK_SUCCESS if the operation succeeds.
• SDK_INVALID_ARG if the arguments are invalid.
• SDK_FAILURE if the operation fails.
Return
Returns a pointer to the authreq found or NULL if the operation fails.
char *sdk_get_config_dir()
Obtains the AAA configuration directory and returns the name of the configuration directory. The default configuration directory is /etc/opt/aaa/.
Return
Returns the name of the configuration directory if the operation succeeds, or NULL if the operation fails.
infotype  The information type. Table D-4 lists the valid values of the infotype parameter.
Table D-4 Possible Values of the infotype Parameter
Information Type      len value  Value Description
CLIENT_SHARED_SECRET             The shared secret between the client and the HP-UX AAA Server. The shared secret is a character string.
CLIENT_AUTHEN_PORT               The UDP port to which authentication or authorization messages must be sent. The port has a type of unsigned short.
enpwlen   Length of encrypted password.
clpasswd  A pointer to the buffer where the clear text password is to be stored.
clpwlen   A pointer to an integer, where the size of the clear text password is to be stored.
Output
clpasswd  A pointer to the clear text password.
clpwlen   A pointer to the length of the clear text password.
E Syntax of the Decision Files in Earlier Versions of the HP-UX AAA Server
This appendix describes the syntax of the decision files that are present in earlier versions of the HP-UX AAA Server. While decision files created using this syntax are supported in this version of the HP-UX AAA Server, HP encourages customers to use the syntax described in Chapter 25 (page 283) to create new decision files.
Table E-1 A-V Pair Expression Operators (continued)
Operator  Description
<=        Less than or equal to
&&        Logical AND
||        Logical OR
!         Logical NOT
You can also use parentheses to nest expressions. Line breaks are not significant. Table E-2 illustrates some possible expressions that you can use to control access depending on the dial-in phone number and time of the call.
Date-Time    24 hour clock in yyyy:mm:dd:hh:mm format. This attribute is compared to the current system clock of the system hosting the HP-UX AAA Server that is making the comparison.
Time-of-Day  24 hour clock in hh:mm format. This attribute is compared to the current system clock of the machine hosting the AAA server that is making the comparison. Hours must be two digits, for example, 08:00, not 8:00.
Notes:
• Test = $Value$Pos$Len will add a new A-V pair to the request. It will not update an existing pair. For example, when the request includes a Test = "String" A-V pair, the expression Test = $Test$2$3 will append Test = "rin" to the request, which results in both Test = "String" and Test = "rin" in the request.
• Because the left-side attribute is handled differently than the right-side attribute value, multiple attributes in a request can cause some unexpected indirection results.
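A worked model of the two notes above, added here as an example and not taken from the manual: the request is an ordered list of (attribute, value) pairs, an assignment always appends a new pair, and the $Attribute$Pos$Len form copies a substring of an existing value with a 0-based position (so $Test$2$3 on "String" yields "rin"). The manual does not say which occurrence is read when the right-side attribute appears more than once; this model assumes the first, and that an assignment whose source attribute is absent adds nothing. The sample requests are constructed.

```python
import re

# Right-hand side of the indirect form: $Attribute$Pos$Len
INDIRECT = re.compile(r"^\$(?P<attr>[A-Za-z0-9-]+)\$(?P<pos>\d+)\$(?P<len>\d+)$")


def first_value(request, attr):
    """Value of the first occurrence of attr in the request, or None.

    Assumption: the manual does not state which occurrence the server reads
    when an attribute is present more than once; this model takes the first.
    """
    for name, value in request:
        if name == attr:
            return value
    return None


def apply_assignment(request, target, expression):
    """Apply 'target = expression' as the notes describe: the result is always
    appended as a new A-V pair and an existing pair is never updated.
    Returns a new request list; the input list is left untouched."""
    match = INDIRECT.match(expression)
    if match is None:
        value = expression.strip('"')               # literal value
    else:
        source = first_value(request, match.group("attr"))
        if source is None:
            return list(request)                    # nothing to copy from (assumption: no pair added)
        pos, length = int(match.group("pos")), int(match.group("len"))
        value = source[pos:pos + length]            # Pos is 0-based: "String"[2:5] == "rin"
    return list(request) + [(target, value)]


def values_of(request, attr):
    """All values carried for attr, in request order."""
    return [value for name, value in request if name == attr]
```

The second note's indirection surprise is visible when the same assignment is applied twice: the right side keeps reading the original Test = "String" pair, never the "rin" pair the first assignment appended, so a third Test pair appears rather than an updated one.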
21 }
22 Group NORMAL {
23     Reply {
24         Decision = $Interlink-Proxy-Action
25     }
26 }
Line 1        Names the first group entry Controlled-Access.
Lines 2 to 5  If the user calls from 1234567890, or calls into 8005551212, the user belongs to this group.
Lines 7 to 9  The Authentication-Type attribute indicates that requests from members of this group must be proxied.
Line 10       The Server-Name and Server-Port attributes specify flatland.
Line 13, Lines 14 to 16, Line 18, Line 19, Line 22, Line 24
Access-Group attribute is added to the dictionary file and user profiles as a configuration item. For more information, see “The dictionary File ” (page 385).
group, because this group entry does not include a condition section.
Line 33  The Decision attribute returns the NAK value to the FSM as an event, which rejects the request.
Line 34  Specifies a message that is sent back to the user.
Glossary of Terms
A-B
A-V Pair  Attribute-value pair.
AAA  Abbreviation for Authentication, Authorization, and Accounting.
AAA Server  A software application that performs authentication, authorization, and accounting functions.
Access-Accept  AAA Server returns an Access-Accept to the client when an Access-Request is valid. The Access-Accept will contain A-V pairs that specify what services the authenticated user is authorized to use.
C-D
Challenge Handshake Authentication Protocol  Log-in security procedure for dial-in access. Rather than send an unencrypted password, a random number is sent to the client as a challenge. The challenge is one-way hashed with the password, and the result is sent back to the server. The server does the same with its copy of the password and verifies that it gets the same result to authenticate the user. Abbreviated as CHAP.
CHAP  Challenge Handshake Authentication Protocol.
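The exchange this glossary entry describes, as an added Python example that is not from the manual: the client hashes the challenge with the password and the server recomputes the hash from its own copy. The hash details (MD5 over the Identifier octet, the password and the challenge) come from RFC 1994 and the CHAP-Password layout (Identifier octet followed by the 16-octet response) from RFC 2865, neither of which the glossary spells out; the challenge and password values are constructed.

```python
import hashlib
import hmac
import os


def chap_response(ident, secret, challenge):
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def client_chap_password(ident, secret, challenge):
    """What the client sends in CHAP-Password: the Identifier octet followed by the response."""
    return bytes([ident]) + chap_response(ident, secret, challenge)


def verify_chap(chap_password, challenge, stored_secret):
    """Server side: recompute from the stored clear-text password and compare in
    constant time. Rejects malformed attributes (wrong length) outright."""
    if len(chap_password) != 17:
        return False
    ident, response = chap_password[0], chap_password[1:]
    expected = chap_response(ident, stored_secret, challenge)
    return hmac.compare_digest(expected, response)


def demo():
    """Constructed exchange: a fresh 16-octet challenge, the user's password
    "laser" (a sample value), the correct response, a wrong password, and the
    same response replayed against a different challenge."""
    challenge = os.urandom(16)
    secret = b"laser"
    attr = client_chap_password(0x2A, secret, challenge)
    return (
        verify_chap(attr, challenge, secret),            # True
        verify_chap(attr, challenge, b"wrong"),          # False
        verify_chap(attr, os.urandom(16), secret),       # False: response bound to one challenge
    )
```

Because the server must recompute the hash, it needs the user's clear-text password on hand (the Password check item), not a one-way-hashed copy; that storage requirement is the price of never sending the password itself over the wire.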
Integrated Services Digital Network  A digital access line, abbreviated as ISDN.
Interlink  Used to connect multiple AAA servers in a fabric with SLAs and to establish policies among them.
Internet Engineering Task Force  Internet standards setting organization, abbreviated as IETF.
Internet Protocol  A Layer 3 (network layer) protocol that contains addressing information and some control information that allows packets to be routed, abbreviated as IP.
navigation tree  Refers to the navigation links on the left side of the Server Manager GUI.
Network Access Server  A device that interfaces telephony circuits to the network, abbreviated as NAS.
Numbers and Symbols
Secure LAN Advisor  The Secure LAN Advisor is an HTML tutorial/help system in the Server Manager GUI that walks you through the tasks and Server Manager screens for securing WLANs with the HP-UX AAA Server.
Realm  A realm is a logical group of users, who usually can be authenticated using one particular method. Grouping users into realms simplifies the management of those users in a distributed environment. For example, an ISP’s users may be from different organizations located in different cities. Each organization already has one way or another to authenticate its users and each corresponds to a realm.
T-U-V-W-X-Y-Z
TLS (Transport Layer Security)  Uses TLS (also known as SSL) to authenticate the client using its digital certificate. Note: some wireless supplicants require specific extensions to support certificates for EAP. TLS features include: Dynamic Key Exchange; Mutual Authentication; Digital Certificate/Token Card-based Authentication; and Encrypted Tunnelling.
Token  See Simultaneous Access Token.
Index
A
A-V pair
    pruning, 387
    removing, 387
A-V pair, configuration attributes, 402
A-V pair, specifying, 400
AAA Server
    upgrade, 45
aaa.
event names, 274
Event-n - FSM, 272
Expiration event name, 276
expression - decision file, 445
F
failover, configuring Oracle for, 100
File size properties, 127
Finite State Machine, 270
finite state machine
    accounting logs, 132
    Check and Reply, 447
    general information, 270
    multiple streams, 393
FMS - Event-n, 272
Framed-Protocol example, 388
FSM
    Action-n, 272
    State-name, 272
    version tracking, 279
G
GTC, features, 146
GUI icons, 131
H
hardening programs
    Bastille, 59
HTTPS, configuring, 56
HUP processing,
HOtp-Seq-Counter, 172
Otp-ActionId, 173
Otp-Add-Checksum, 174
Otp-Lookup-Window, 172
Otp-Retrieve-TokenInfo-Action Id, 174
Otp-Shared-Secret, 173
Otp-Token-Length, 173
Otp-Token-Lock-Counter, 173
Otp-Token-Serial-Number, 173
Reply-Egress-ActionId, 174
OTP authentication concepts
    using bit masks, 169
OTP authentication configuration concepts, 169
override AAA server defaults, 375
P
PEAP (Protected EAP), 427
PEAP, features, 146
policy
    proxy-egress, 41, 307
    proxy-ingress, 41, 308
    reply-egress, 306
    request-ing
Mappings
    RAD, 223
Pre-requisites, 215
README, 211
Sample Implementing, 211
shared library path, 216
SQL Actions, 211
SQL statement, 229
sqlaccess.config, 218
SQL Access AATV, 208
SQL Access. See also Mapping, 209
SQL Actions, 221
sqlaccess.