HP-UX AAA Server A.07.01 Administrator's Guide
1. Replace the radius.fsm file in the server's configuration directory with
/opt/aaa/examples/config/DAC.fsm. For example, if the server's configuration
directory is /etc/opt/aaa, then enter the following command:
# cp /opt/aaa/examples/config/DAC.fsm /etc/opt/aaa/radius.fsm
NOTE: Take a backup of /etc/opt/aaa/radius.fsm before replacing it.
IMPORTANT: If you are using a different decision file than the supplied DAC.grp
decision file, change the CheckDAC state so that the POLICY action calls the DAC
decision file. For example,
CheckDAC: *.*.ACK POLICY AuthWait Xstring=decisionfile://DAC.grp
2. Copy the sample decision file /opt/aaa/examples/config/DAC.grp to the
server's configuration directory using the following command:
# cp /opt/aaa/examples/config/DAC.grp /etc/opt/aaa/
Step 2 – Defining the DAC Policies
The default DAC.grp decision file contains sample entries. You must edit the DAC.grp
decision file to define your DAC policies. To edit the DAC.grp decision file, complete
the following steps:
1. Modify each group in the DAC.policy file according to your implementation
requirements. For example,
# Daytime Access Check
if ( (Access-Group = "daytime") &&
     ((Time-Of-Day >= "06:00") && (Time-Of-Day <= "20:00")) )
{
    insert Reply-Message = "Daytime access allowed"
    exit "ACK"
}
NOTE: The Reply-Message reply item attribute may not be returned if the user
is authenticated using a tunneled EAP method.
Comment out any condition you do not need by placing a hash symbol (#) before
each line. The last line must remain unchanged so that a user who does not match
one of the conditions is rejected.
2. If you rename the DAC.grp file, move it to the server's configuration directory
and edit radius.fsm so that the CheckDAC state Xstring parameter points to the
correct file name.
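The following check is an added example, not part of the HP guide or the product: it reads the CheckDAC state from radius.fsm and confirms that the decision file named in its Xstring parameter is present in the configuration directory, which catches a renamed decision file that radius.fsm no longer points to. The function names, the sample files written by make_sample, and the treatment of lines starting with # as comments in radius.fsm are assumptions.

```shell
#!/bin/sh
# Added example (not from the HP guide): confirm that the CheckDAC state in
# radius.fsm names a decision file that exists in the configuration directory.

# Print the file name that follows Xstring=decisionfile:// in the CheckDAC state.
# Accepts the state name on the same line as the event or on its own line.
# Assumption: lines starting with '#' are comments.
dac_decision_file() {
    awk '
        /^[ \t]*#/ { next }
        /^[A-Za-z0-9_-]+:/ { state = $1; sub(/:$/, "", state) }
        state == "CheckDAC" && match($0, /Xstring=decisionfile:\/\/[^ \t]+/) {
            print substr($0, RSTART + 23, RLENGTH - 23)   # 23 = prefix length
            exit
        }
    ' "$1"
}

# check_dac CONFDIR: print the decision file name and return 0 only when
# CONFDIR/radius.fsm has a CheckDAC Xstring whose file is readable in CONFDIR.
check_dac() {
    confdir=$1
    fsm=$confdir/radius.fsm
    [ -r "$fsm" ] || { echo "cannot read $fsm" >&2; return 2; }
    name=$(dac_decision_file "$fsm")
    [ -n "$name" ] || { echo "no CheckDAC decisionfile:// entry in $fsm" >&2; return 3; }
    [ -r "$confdir/$name" ] || { echo "$name is not in $confdir" >&2; return 4; }
    echo "$name"
}

# make_sample DIR: write a constructed one-state radius.fsm and an empty DAC.grp.
make_sample() {
    mkdir -p "$1" || return 1
    cat > "$1/radius.fsm" <<'EOF'
# constructed sample, not a complete state table
#CheckDAC: *.*.ACK POLICY AuthWait Xstring=decisionfile://old.grp
CheckDAC: *.*.ACK POLICY AuthWait Xstring=decisionfile://DAC.grp
EOF
    : > "$1/DAC.grp"
}

# Run against a real configuration directory when one is given, e.g. /etc/opt/aaa.
if [ $# -gt 0 ]; then check_dac "$1"; fi
```

Run it after replacing radius.fsm or renaming the decision file; a non-zero exit status means the CheckDAC entry and the files in the configuration directory disagree.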
312 Customizing the HP-UX AAA Server Using Policies