HP-UX AAA Server A.08.00.01 Administrator's Guide

The oath-request-ingress.grp Sample File
The oath-request-ingress.grp file is the primary sample reference implementation
file for configuring OTP authentication. You can configure OTP authentication-related
actions by setting the bitmask in the Otp-ActionId attribute, and configuring the
OTP-specific attributes listed in “Attributes for Configuring OTP Authentication”
(page 188).
To configure OTP authentication on a realm level, insert the Otp-ActionId value
and the realm name as follows:

if (( count (User-Name) > 0 ) && (substr (User-Name after "@") = "<realm>"))
{
    #
    # Add Otp-ActionId attribute if it is not present in the authreq
    #
    if (count (Otp-ActionId) = 0)
    {
        insert Otp-ActionId = <decimal representation of bit mask value>
    }
    exit "ACK"
}

For more information on the OTP authentication actions and the bit masks to be set,
see “Advanced OTP Authentication Configuration Concepts” (page 183).

The oath-reply-egress.grp Sample File
The oath-reply-egress.grp sample file is the reference implementation policy
file that enables you to increment the sequence counter that is required to complete
OATH standards-based One Time Password (OTP) authentication. It also helps
update the user authentication count and the token status.
The following condition checks the value of the Interlink-Proxy-Action attribute,
and does not update the counters and token status if the value is anything other than
ACK or NAK. For example, in the case of ACCT_START, ACCT_STOP, and ACC_CHAL
events, the sequence counter is not updated:

if ( (count(Interlink-Proxy-Action) > 0) && ( (Interlink-Proxy-Action = "ACCT")
    || (Interlink-Proxy-Action = "LAS_ACCT") ) )
{
    exit "ACK"
}

If authentication is successful for the OTP-configured realm, the following sample sets
the SQL action to update the sequence counter and the successful authentication count. If
authentication fails, it sets the SQL action to update the failed authentication count and
the failed lock counter, which in turn updates the token status.
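
The update logic described in this paragraph, modeled as an added Python example (it is not the oath-reply-egress.grp policy text and not HP code). It goes beyond the text by including the RFC 4226 HOTP check itself; the look-ahead window, the lock threshold, and clearing the lock counter on success are assumptions, and any action other than ACCT or LAS_ACCT is treated here as an authentication reply.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

LOOK_AHEAD = 3      # assumed resynchronization window, not from the guide
LOCK_THRESHOLD = 3  # assumed failed-attempt limit, not from the guide
ACCOUNTING_ACTIONS = {"ACCT", "LAS_ACCT"}  # values the egress sample checks


@dataclass
class Token:
    secret: bytes
    counter: int = 0        # OATH sequence counter
    success_count: int = 0
    failed_count: int = 0
    lock_counter: int = 0   # consecutive failures
    status: str = "active"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP value for one counter position."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def process_reply(token: Token, proxy_action: str, otp: str) -> str:
    """Return ACK/NAK and update token state as the text describes."""
    if proxy_action in ACCOUNTING_ACTIONS:
        return "ACK"  # accounting traffic: leave counters and status alone
    if token.status == "locked":
        return "NAK"
    for c in range(token.counter, token.counter + LOOK_AHEAD):
        if hmac.compare_digest(hotp(token.secret, c).encode(), otp.encode()):
            token.counter = c + 1   # advance past the used value: no replay
            token.success_count += 1
            token.lock_counter = 0  # assumed: success clears the lock counter
            return "ACK"
    token.failed_count += 1
    token.lock_counter += 1
    if token.lock_counter >= LOCK_THRESHOLD:
        token.status = "locked"
    return "NAK"

# Constructed sample token using the RFC 4226 Appendix D test secret.
SAMPLE = Token(secret=b"12345678901234567890")
```

Because the counter advances only on a successful authentication reply, a captured OTP replayed after that success no longer matches any counter position in the window.
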
Replace <realm> with the realm name that is configured in the
request-ingress.grp.oath file as follows: