HP-UX AAA Server A.07.01 Administrator's Guide

16 OATH Standards-Based OTP Authentication
This chapter introduces Open AuTHentication (OATH) standards-based One-Time
Password (OTP) authentication. It also describes how to enable the HP-UX AAA Server
to provide OTP authentication, and combined OTP and password (two-factor)
authentication, in different deployment scenarios. The term OTP authentication is used
throughout this document to refer to the functionality that enables OTP authentication.
The term two-factor authentication is used for combined password and OTP authentication.
This chapter addresses the following topics:
“OTP and OATH Overview”
“HP-UX AAA Server and OATH Support” (page 163)
“Components Required to Configure OTP Authentication” (page 164)
“Configuring OTP Authentication on the HP-UX AAA Server” (page 165)
“OTP Authentication Configuration Flowchart” (page 165)
“Basic or Typical Configuration” (page 167)
“Advanced Configuration” (page 168)
“Advanced OTP Authentication Configuration Concepts” (page 169)
“Advanced Deployment Scenarios” (page 177)
“Predefined Mapping and Conversion Functions” (page 194)
“Sample Configuration Files” (page 194)
OTP and OATH Overview
Like a password, an OTP can be used to authenticate a user to obtain access to a network.
An OTP can be used alone or along with a password for authentication. Typically, an OTP
is used for two-factor authentication. For example, in large organizations, VPN access
often requires a username, password, and OTP for two-factor authentication of remote
users. An OTP adds security because the user must enter a different OTP each time
they authenticate to the validation server, so a captured OTP cannot be replayed.
OATH is an industry-wide collaboration to develop an open reference architecture for
strong authentication. The OATH consortium has developed a set of open, royalty-free
algorithms for one-time passwords. The OATH standards-based OTP authentication
solution uses the HMAC-based One-Time Password (HOTP) algorithm to generate an
OTP from a shared secret and a sequence counter.
The HOTP algorithm is a sequence-based (counter-based) algorithm: the client and the
validation server each hold the same secret and advance the counter in step. Any
OATH-compliant client device can interoperate with an HOTP algorithm-enabled OTP
validation server.