HP-UX AAA Server A.07.01 Administrator's Guide
• tag-int: single octet followed by three octets of integer
value (used for tunneling attribute)
• tag-string: single octet followed by 0-252 octets (used
for tunneling attribute)
pruning
May be replaced with an optional expression that controls
three server features:
• whether the attribute is ever sent to the NAS
• whether or not the attribute may be logged
• encapsulation, if used, for vendor-specific attributes
Pruning Expressions
Pruning is a feature that allows the server to remove A-V pairs from an Access-Accept,
Access-Reject, or Access-Challenge message before sending the message to a client that
has been configured for pruning in the clients file; see “The clients File” (page 380).
The pruning to apply is defined by pruning expressions in the dictionary's attribute
entries.
These optional expressions are defined in an attribute entry as follows:
(ack, nak, chall, {NOLOG | ENCAPS | NOENCAPS | CONFIG | INTERNAL})
NOTE: If any value is omitted, but the comma is present for that value, that value
will use its default. If the expression is omitted, all values use their defaults.
ack, nak, chall
These values determine how many instances of the attribute may be added
to an Access-Accept (ack), an Access-Reject (nak), or an
Access-Challenge (chall) reply. They can be specified as one
of the following values:
• 0: no attributes of this kind are part of the final reply. This is the default value.
• 1: at most, one attribute of this kind can be part of the final reply.
• *: any number of attributes of this kind can be part of the final reply.
NOTE: Since the default values for ack, nak, and chall are 0, added vendor-specific
attributes will not be returned to the NAS in any replies if you do not include a pruning
expression.
{NOLOG | ENCAPS | NOENCAPS}
define how the server reacts to the attribute:
• NOLOG: the attribute will not be added to the logfile or session logs.
• ENCAPS (or ENCAPSULATE): the attribute will be encapsulated in the vendor-specific
attribute, regardless of the vendor. This is a default value.
• NOENCAPS: the attribute will not be encapsulated within the vendor-specific
attribute.
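The following is an added example, not code from the guide or from HP-UX AAA Server. It models the rules above: parsing a pruning expression with its defaults, then applying it to a reply for a client configured for pruning. The function names and the attribute names Acme-Session-Key and Acme-Debug are hypothetical; treating absent trailing fields as defaults and keeping the first instance when the limit is 1 are assumptions.

```python
# Added example, not HP-UX AAA Server code; names and sample data are hypothetical.
import re

COUNT_DEFAULT = "0"      # page: ack, nak and chall default to 0
FLAG_DEFAULT = "ENCAPS"  # page: ENCAPS is a default value
FLAGS = {"NOLOG", "ENCAPS", "ENCAPSULATE", "NOENCAPS", "CONFIG", "INTERNAL"}
REPLY = {"Access-Accept": "ack", "Access-Reject": "nak", "Access-Challenge": "chall"}

def parse_pruning(expr=None):
    """Parse '(ack, nak, chall, FLAG)'; empty or omitted fields take defaults."""
    fields = ["", "", "", ""]
    if expr and expr.strip():
        m = re.fullmatch(r"\s*\((.*)\)\s*", expr)
        if not m or m.group(1).count(",") > 3:
            raise ValueError(f"not a pruning expression: {expr!r}")
        given = [f.strip() for f in m.group(1).split(",")]
        fields[:len(given)] = given  # assumption: absent trailing fields default
    rule = {}
    for name, value in zip(("ack", "nak", "chall"), fields):
        value = value or COUNT_DEFAULT
        if value not in ("0", "1", "*"):
            raise ValueError(f"{name} must be 0, 1 or *: {value!r}")
        rule[name] = value
    flag = fields[3] or FLAG_DEFAULT
    if flag not in FLAGS:
        raise ValueError(f"unknown flag: {flag!r}")
    rule["flag"] = "ENCAPS" if flag == "ENCAPSULATE" else flag
    return rule

def prune_reply(reply_type, avpairs, rules):
    """Return the A-V pairs that survive pruning for one reply message."""
    field, seen, kept = REPLY[reply_type], set(), []
    for name, value in avpairs:
        limit = rules.get(name, parse_pruning())[field]
        if limit == "0" or (limit == "1" and name in seen):
            continue  # assumption: with limit 1 the first instance is kept
        seen.add(name)
        kept.append((name, value))
    return kept

def loggable(avpairs, rules):  # NOLOG attributes are kept out of log records
    return [(n, v) for n, v in avpairs
            if rules.get(n, parse_pruning())["flag"] != "NOLOG"]

if __name__ == "__main__":  # constructed sample data
    rules = {"Reply-Message": parse_pruning("(*, *, *)"),
             "Acme-Session-Key": parse_pruning("(1, , , NOLOG)")}
    reply = [("Reply-Message", "ok"), ("Acme-Session-Key", "k1"), ("Acme-Debug", "x")]
    print(prune_reply("Access-Accept", reply, rules), loggable(reply, rules))
```

Acme-Debug has no pruning expression, so it takes the default of 0 and is dropped from every reply, which is the behaviour the NOTE above warns about for added vendor-specific attributes.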
The dictionary File 387