HP-UX AAA Server A.07.01 Administrator's Guide
Notes:
• The scenarios described in this section are applicable whether you are using
RADIUS standard password authentication or EAP authentication.
• The HP-UX AAA Server supports only the following EAP authentication methods
for OTP authentication:
— PEAP (EAP-GTC)
— TTLS (PAP)
• Creating different inner and outer realms for OTP authentication is supported
only for TTLS (PAP). For information on creating tunneled EAP realms, see
“Adding a Realm” (page 89).
Validating OTP Alone
To configure the HP-UX AAA Server to validate OTP alone, complete the following
steps:
1. Configure the realm using the Realms Screen of the Server Manager. While
configuring the realm, use the procedure listed in “Configuring Realms for Database
Access via SQL” (page 94). In the User Storage Parameters field, ensure that the
RetrieveToken SQL action is selected and the configuration is saved. For more
information on configuring the realm, see “Adding a Realm” (page 89).
2. If they have not already been appended, append the contents of the sample OTP reference implementation
policy files (located in /opt/aaa/examples/config) to the default policy files
(located in /etc/opt/aaa) using the following commands:
# cat /opt/aaa/examples/config/oath-request-ingress.grp >> /etc/opt/aaa/request-ingress.grp
# cat /opt/aaa/examples/config/oath-reply-egress.grp >> /etc/opt/aaa/reply-egress.grp
3. In the /etc/opt/aaa/request-ingress.grp file, replace the <realm> variable
and configure the Otp-ActionId attribute according to the following rules:
If you have configured...    Then...

The realm for RADIUS standard password authentication
    Replace the <realm> variable in the following syntax with the realm name configured
    in Step 1:

    if ((count (User-Name) > 0) && (substr (User-Name after "@") = "<realm>"))
    {
    insert Otp-ActionId = 16
    exit "ACK"
    }
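As an added example that is not part of the HP-UX AAA Server guide, the following POSIX sh functions wrap Step 2 and the <realm> substitution of Step 3 so that both can be rehearsed on scratch copies before the live files under /etc/opt/aaa are touched. The append is made idempotent (the guide's "if not appended" condition is checked rather than assumed), and the realm name is validated before it is handed to sed. The scratch directory, the example.com realm and the sample fragment below are constructed for the demonstration; the real fragments are the oath-*.grp files under /opt/aaa/examples/config.

```shell
#!/bin/sh
# Added example, not the HP-UX AAA Server guide's own tooling.

# append_once SRC DST
# Append SRC to DST unless DST already ends with SRC's contents, so running the
# step twice does not duplicate the policy fragment. Prints "appended" or
# "already present".
append_once() {
    src="$1"
    dst="$2"
    [ -f "$dst" ] || : > "$dst"
    size=$(wc -c < "$src" | tr -d ' ')
    if [ "$size" -gt 0 ] && tail -c "$size" "$dst" | cmp -s - "$src"; then
        echo "already present"
        return 0
    fi
    cat "$src" >> "$dst"
    echo "appended"
}

# set_realm FILE REALM
# Replace every <realm> placeholder in FILE with REALM. The realm is checked
# against a conservative character set first so that sed metacharacters or a
# path separator in an untrusted value cannot alter the substitution.
set_realm() {
    file="$1"
    realm="$2"
    case "$realm" in
        ''|*[!A-Za-z0-9._-]*)
            echo "invalid realm name: $realm" >&2
            return 1 ;;
    esac
    sed "s/<realm>/$realm/g" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# placeholder_count FILE
# Number of lines in FILE that still contain an unreplaced <realm> placeholder.
placeholder_count() {
    grep -c '<realm>' "$1" || true
}

# Demonstration on scratch files (constructed sample fragment, not the real
# oath-request-ingress.grp) so nothing under /etc/opt/aaa is modified.
WORK=$(mktemp -d)
cat > "$WORK/oath-request-ingress.grp" <<'EOF'
if ((count (User-Name) > 0) && (substr (User-Name after "@") = "<realm>"))
{
    insert Otp-ActionId = 16
    exit "ACK"
}
EOF
: > "$WORK/request-ingress.grp"
append_once "$WORK/oath-request-ingress.grp" "$WORK/request-ingress.grp"   # appended
append_once "$WORK/oath-request-ingress.grp" "$WORK/request-ingress.grp"   # already present
set_realm "$WORK/request-ingress.grp" example.com
cat "$WORK/request-ingress.grp"
```

To apply the same functions to the live configuration, call append_once with the guide's source and destination paths from Step 2 and then set_realm on /etc/opt/aaa/request-ingress.grp with the realm created in Step 1; the "already present" result is what a repeat run should report.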
178 OATH Standards-Based OTP Authentication