HP-UX AAA Server A.07.01 Administrator's Guide

ManualsBrandsHP ManualsSoftwareHP-UX AAA Server (RADIUS) Software

401

402

403

404

405

406

407

408

409

410

Simultaneous-Use Attribute

This attribute’s value determines the maximum number of active sessions the user can

have. The default is 1 (if the LAS is enabled for the user’s realm, but no

Simultaneous-Use attribute value is specified for the user or the user’s realm). A

value of -1 disables the feature—providing no limit to number of simultaneous sessions

for a user in a realm enabled to use the LAS.

NOTE: Simultaneous session control is based on the inner identity (realm) for

tunneled-EAP authentications.

Attributes Concerning OTP Authentication

These attributes are used for configuring OTP authentication and customizing the

feature to suit various deployments. For information on these attributes, see “Attributes

for Configuring OTP Authentication” (page 172).

Check (and Deny) Items

A user entry can include check, configuration-only, and reply items to implement

simple policy decisions. Check items are A-V pairs that are compared to pairs in a

RADIUS Access-Request data packet. Reply items are A-V pairs that are included in

an Access-Accept, Access-Challenge, or Access-Reject messages to provide instruction

to the NAS for authorizing the user.

There are two types of check items:

• Regular check items

• Deny items

A check item is used to authenticate a user by matching the attribute value in a request

to the attribute value specified as a check item. A deny item is a regular attribute,

identical to a check item, except the value is not matched to the attribute as being equal

to a value but by being not equal (indicated by !=). In other words, a deny item causes

an Access-Request to be rejected if the deny item's value matches the corresponding

attribute value in the request.

IMPORTANT: The HP-UX AAA Server only compares a check item with the first value

that appears for an attribute in an Access-Request. The server will disregard any

additional instances of the same attribute in the request. This limitation also applies to

tagged attributes, like those used to establish VPN tunnels.

Attributes Concerning the NAS

NAS-IP-Address

This attribute indicates the identifying IPv4 address of the

NAS which is requesting authentication of the user. Either

the NAS IP address, NAS-IPv6-Address, or the

NAS-Identifier must be present in an Access-Request.

404 Attribute-Value Pairs