HP-UX AAA Server A.07.01 Administrator's Guide

Table 1-2 How Requests are Altered Using the proxy-egress and proxy-ingress Policies

| Use of the proxy-ingress Policy | Use of the proxy-egress Policy |
|---|---|
| A-V pairs can be added, modified, or removed. | A-V pairs can be added, modified, or removed. |
| The reply type may be altered. | The request may be rejected immediately. |
| The request may be dropped entirely and no reply is sent. | The request may be dropped entirely and no reply is sent. |
| The request may be rejected immediately. | The proxy target host may be changed. |

4. Check Items. After authentication each check item in the user profile is processed
or matched against the request's corresponding Attribute-Value (A-V) pairs.
   - If all the check and deny items associated with User-Name are satisfied, the
     CHK_DNY action returns an ACK value to the FSM.
   - If any check or deny item, including the user's password, is not matched
     correctly, the authentication module returns a NAK value to the FSM. The
     request fails, and an Access-Reject message is returned to the client.
5. User Policy. All requests are subjected to user policy after authentication. The user
policy is applied only after successful authentication. A user policy can be specified
in a Policy-Pointer attribute on the request as either a check item or a reply item.
If the Policy-Pointer attribute is found in the check items, then the HP-UX AAA
Server does not look for one in the reply items. The value of the Policy-Pointer
attribute should specify the URL for the decision file to be evaluated. If a request
contains a Policy-Pointer attribute, as either a check item or a reply item, the
specified policy is applied. If the request does not contain a Policy-Pointer, then
no user policy is applied. In this case the POLICY action returns an ACK event to
the FSM.
Some policies that can be implemented include:
   - Dialed Number Identification Service (DNIS): routing requests according to
     the number called from or called;
   - Grouping users by NAS addresses or ports;
   - Control session duration, concurrent usage, or delivered services by logical
     groupings defined by the contents of specified A-V pairs;
   - Control access according to any time-based criteria.
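
The following added example (not from the HP guide or from HP-UX AAA Server code) models the Check Items and User Policy steps in Python and audits profiles for two cases the text implies: a profile with no Policy-Pointer, and a reply-item pointer that is ignored because a check-item pointer exists. The profile layout, function names, sample attribute values and placeholder URLs are assumptions, as is skipping Policy-Pointer during check-item matching.

```python
# Added example: models the Check Items and User Policy steps described above.
# The profile layout, function names and sample values are hypothetical.
ACK, NAK = "ACK", "NAK"
POINTER = "Policy-Pointer"

def chk_dny(request, check_items):
    """ACK only if every check item matches the request's A-V pair."""
    for attr, expected in check_items.items():
        if attr == POINTER:
            continue  # assumption: names a decision file, not matched against the request
        if request.get(attr) != expected:
            return NAK  # request fails; client receives Access-Reject
    return ACK

def resolve_policy_pointer(profile):
    """Check items take precedence; reply items are consulted only otherwise."""
    if POINTER in profile["check"]:
        return profile["check"][POINTER]
    return profile["reply"].get(POINTER)  # None -> no user policy is applied

def process(request, profile):
    """Return (event, decision_file) for steps 4 and 5."""
    if chk_dny(request, profile["check"]) == NAK:
        return NAK, None
    # With no pointer the POLICY action returns ACK without evaluating anything.
    return ACK, resolve_policy_pointer(profile)

def audit(profiles):
    """Flag profiles whose user-policy coverage may not be what the admin expects."""
    findings = []
    for user, p in sorted(profiles.items()):
        in_check, in_reply = POINTER in p["check"], POINTER in p["reply"]
        if not (in_check or in_reply):
            findings.append((user, "no Policy-Pointer: no user policy applied"))
        elif in_check and in_reply:
            findings.append((user, "reply-item Policy-Pointer is ignored"))
    return findings

# Constructed sample profiles; the URLs are placeholders, not real decision files.
PROFILES = {
    "alice": {"check": {"NAS-Port-Type": "Async", POINTER: "file:///PLACEHOLDER/a"},
              "reply": {POINTER: "file:///PLACEHOLDER/b"}},
    "bob":   {"check": {"NAS-Port-Type": "Async"}, "reply": {}},
}

if __name__ == "__main__":
    print(process({"NAS-Port-Type": "Async"}, PROFILES["alice"]))
    print(process({"NAS-Port-Type": "ISDN"}, PROFILES["bob"]))
    for finding in audit(PROFILES):
        print(finding)
```
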
6. Local Authorization Server (LAS). The LAS refers to the routines and code in the
server that handle authorization. LAS and POSTLAS actions are part of the LAS.
Session control with LAS is based on realms. Local Session tracking must be
explicitly enabled for a realm via the Server Manager or the
/etc/opt/aaa/las.conf file. If the realm is not listed, LAS does not enforce any
session control for users from that realm. When the LAS handles an Access-Request for a user in