HP-UX AAA Server A.08.00.01 Administrator's Guide

ManualsBrandsHP ManualsSoftwareHP-UX AAA Server (RADIUS) Software

261

262

263

264

265

266

267

268

269

270

Table 17-18 Lookup AATV Attributes for EAP-AKA (continued)

DescriptionAttribute

An optional string attribute that contains the name of the AKA algorithm

used to authenticate the user. This attribute is optional if a default value is

configured for the realm. The value is case-sensitive.

AKA-Algorithm

A fixed-length binary string (octets) attribute that contains the 48-bit sequence

number, which is used to authenticate the user.

AKA-Sequence-Number

An optional fixed-length binary string (octets) attribute that contains a 16-bit

value. The value indicates whether the AKA-Sequence-Number is used for

AKA-Mode

a Circuit Switched or Packet Switched authentication. This attribute is optional

if a default value is configured for the realm.

AND

Optional Reply item, such as, Session-Timeout and Idle-Timeout.

Other reply attributes

Lookup AATV Functionality and Return Events

The Pseudonym Lookup AATV attempts to retrieve the Real-Username from its

database.

• If the information is found, the Lookup AATV updates the cur_request list of

the authreq with the specified output, and a RETRIEVE_SUCCESS message is

returned.

• If the information is not available, a RETRIEVE_ERROR message is returned.

• The Lookup AATV can check if the Pseudonym-Username has expired based on

the Pseudonym-Expiration-Time. If the Pseudonym-Username has expired,

a RETRIEVE_ERROR message is returned, and the cur_request list of the

authreq is not updated. If the AATV does not check for an expired entry, the

Pseudonym-Expiration-Time is returned. Subsequently, the HP-UX AAA

Server checks for the expiration.

The Pseudonym-Expiration-Time values represent the following:

— Last-Used-Pseudonym-Expiration-Time -- If the Pseudonym-Username

matches the Last-Used-Pseudonym-Username

— Last-Assigned-Pseudonym-Expiration-Time -- If the

Pseudonym-Username matches the Last-Assigned-Pseudonym-Username

• A successful mapping can also return user credentials and general reply-items. If

the user credentials are returned, these credentials are appended to the

cur_request list of the authreq, as specified.

Generating Authentication Vectors Using A3, A8, and AKA Algorithms

If authentication vectors are not retrieved from a datastore or supplied by an external

AuC, they must be generated using A3 and A8 algorithms for EAP-SIM or the AKA

algorithm for EAP-AKA.

Generating Authentication Vectors Using A3, A8, and AKA Algorithms 263