HP-UX AAA Server A.08.00.01 Administrator's Guide

information on AATV writing, compiling, installing, and debugging, see Chapter 28
(page 437).
You can configure EAP-SIM and EAP-AKA to support pseudonyms. To perform a full
authentication using a pseudonym, the server must map the assigned pseudonym back
to the real identity. EAP-SIM and EAP-AKA can manage the pseudonym mapping
internally. Alternatively, customer-supplied plug-ins can store the mapping in an
external database using SQL Access and retrieve it when required. In accordance
with the RFCs, the HP-UX AAA Server must save at least two pseudonyms: the last one
used by the peer and the last one assigned by the HP-UX AAA Server. If you save the
mapping in an external database, the database record must include the following
attributes:
Real-Username
Real-Realm
Last-Used-Pseudonym-Username
Last-Used-Pseudonym-Expiration-Time
Last-Assigned-Pseudonym-Username
Last-Assigned-Pseudonym-Expiration-Time
These attributes are described as follows:
The database can also include the authentication information and the reply items. The
AATV that retrieves the mapping information must look for a match on either the
Last-Used-Pseudonym-Username attribute or the
Last-Assigned-Pseudonym-Username attribute, because the peer may present either of
the two saved pseudonyms (for example, when it never received the most recently
assigned one).
The AATV that retrieves the mapping information can also check whether the matched
pseudonym has expired. If the lookup AATV checks for expiration, the corresponding
expiration time attribute need not be placed on the AUTHREQ_REPLY_QUEUE list of the
authreq. If the lookup AATV is not configured to check for expiration, it must place
the expiration time attribute in the authreq, and the EAP-SIM or EAP-AKA AATV that
handles the result of the lookup performs the expiration check instead.
If you use an external database, you must write your own AATVs. Two sets of
attributes define their interface with the HP-UX AAA Server: the input attributes
that the server places on the AUTHREQ_REPLY_QUEUE list of the authreq for the
AATVs to read, and the returned attributes that the lookup AATV adds to the
AUTHREQ_REPLY_QUEUE list of the authreq for the server to consume.
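The lookup and update rules above, as a worked example that is added here and is not
code from the HP-UX AAA Server or this guide. Real AATVs are C plug-ins written
against the server API (see Chapter 28) and would reach the record through SQL
Access; this Python model replaces both with an in-memory list of constructed
records. The PSEUDONYM_LIFETIME value, the check_expiration switch and the
lookup/update function names are assumptions, and the returned dict stands in for
the attributes that a lookup AATV would add to the AUTHREQ_REPLY_QUEUE list of the
authreq.

```python
"""Model of the pseudonym lookup and update logic described above.

Added illustration, not HP-UX AAA Server code: the in-memory list stands in
for the external SQL database, the returned dict stands in for attributes
placed on the AUTHREQ_REPLY_QUEUE list of the authreq, and the pseudonym
lifetime is an assumed value (the guide does not prescribe one).
"""
from dataclasses import dataclass
from typing import Optional

PSEUDONYM_LIFETIME = 24 * 60 * 60  # assumed lifetime in seconds


@dataclass
class PseudonymRecord:
    """One mapping record with the six attributes the guide requires.
    Expiration times are UNIX epoch seconds."""
    real_username: str
    real_realm: str
    last_used_pseudonym_username: Optional[str] = None
    last_used_pseudonym_expiration_time: Optional[int] = None
    last_assigned_pseudonym_username: Optional[str] = None
    last_assigned_pseudonym_expiration_time: Optional[int] = None


def lookup(db, pseudonym, now, check_expiration=True):
    """Lookup AATV logic: match the presented pseudonym against either the
    Last-Used or the Last-Assigned field and return the reply items.

    With check_expiration=True an expired mapping is rejected here and no
    expiration attribute is returned.  With check_expiration=False the matched
    expiration time is returned so the EAP-SIM/EAP-AKA AATV can check it.
    Returns None when no usable mapping exists.
    """
    for rec in db:
        candidates = (
            ("Last-Used-Pseudonym-Expiration-Time",
             rec.last_used_pseudonym_username,
             rec.last_used_pseudonym_expiration_time),
            ("Last-Assigned-Pseudonym-Expiration-Time",
             rec.last_assigned_pseudonym_username,
             rec.last_assigned_pseudonym_expiration_time),
        )
        for exp_attr, name, exp in candidates:
            if name is None or name != pseudonym:
                continue
            if check_expiration and (exp is None or exp <= now):
                return None  # expired: treated as having no mapping
            reply = {"Real-Username": rec.real_username,
                     "Real-Realm": rec.real_realm}
            if not check_expiration:
                reply[exp_attr] = exp  # let the EAP AATV decide
            return reply
    return None


def update(db, real_username, real_realm, used_pseudonym, assigned_pseudonym,
           now, lifetime=PSEUDONYM_LIFETIME):
    """Update AATV logic, run after a successful authentication.

    Keeps the two pseudonyms the RFCs require: the one the peer just used
    (None when the peer sent its permanent identity, which leaves the
    Last-Used fields unchanged) and the one the server just assigned.  The
    used pseudonym keeps the expiration time it was originally issued with.
    """
    rec = next((r for r in db if r.real_username == real_username
                and r.real_realm == real_realm), None)
    if rec is None:
        rec = PseudonymRecord(real_username, real_realm)
        db.append(rec)
    if used_pseudonym is not None:
        if used_pseudonym == rec.last_assigned_pseudonym_username:
            used_exp = rec.last_assigned_pseudonym_expiration_time
        elif used_pseudonym == rec.last_used_pseudonym_username:
            used_exp = rec.last_used_pseudonym_expiration_time
        else:
            raise ValueError("pseudonym was never issued to this identity")
        rec.last_used_pseudonym_username = used_pseudonym
        rec.last_used_pseudonym_expiration_time = used_exp
    rec.last_assigned_pseudonym_username = assigned_pseudonym
    rec.last_assigned_pseudonym_expiration_time = now + lifetime
    return rec


if __name__ == "__main__":
    db = []  # constructed, initially empty external database
    update(db, "alice", "example.com", None, "p1", now=0)    # permanent id used, p1 issued
    print(lookup(db, "p1", now=100))                         # real identity found
    update(db, "alice", "example.com", "p1", "p2", now=100)  # p1 used, p2 issued
    print(lookup(db, "p1", now=200))                         # p1 still valid as Last-Used
    print(lookup(db, "p1", now=PSEUDONYM_LIFETIME))          # None: p1 has expired
    print(lookup(db, "p2", now=200, check_expiration=False)) # expiry handed to EAP AATV
```

The model keeps the older pseudonym usable after a newer one is issued, which is the
behaviour that makes the two-field match necessary; a lookup that only checked the
Last-Assigned field would reject a peer that never received the newest assignment.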
There are two AATVs involved in pseudonym handling. One AATV performs the
lookup and the other performs the update. This section describes the following AATVs:
“Pseudonym Database Update AATV” (page 259)
“Pseudonym Database Lookup AATV” (page 260)
258 Configuring EAP-SIM and EAP-AKA Authentication Methods