HP-UX AAA Server A.08.00.01 Administrator's Guide

Security Consideration in Dynamic Authorization
This section describes the security features in Dynamic Authorization. The following
features are supported:
“Replay Protection” (page 317)
“Message-Authenticator” (page 319)
“Reverse Path Forwarding Check for Proxies” (page 319)
Replay Protection
The Replay Protection feature protects the network from fraudulent retransmissions
of otherwise valid data. The Event-Timestamp attribute is used for enforcing replay
protection. The HP-UX AAA Server discards any incoming message whose
Event-Timestamp value is outside the acceptable time window. You can configure the
time window using the event_timestamp_window attribute in the aaa.config
file. For more information on the attribute, see “Dynamic Authorization-Related
Configuration Items” (page 516).
By default, the Event-Timestamp attribute checking is not enforced. The verification
of the Event-Timestamp attribute occurs only if the attribute is present in the incoming
message. If an Event-Timestamp attribute is not present, the attribute is ignored. To
enforce Event-Timestamp attribute checking, add the following lines in the
/etc/opt/aaa/client-reply-ingress.grp file:
if( count(Event-Timestamp) = 0 )
{
exit "NAK"
}
To configure the HP-UX AAA Server to send the Event-Timestamp attribute in the
outgoing messages, add the following SQL mapping to the SQLAction that creates the
client request:
FUNC(get_cur_timestamp) RAD(Event-Timestamp, REPLY)
To add the Event-Timestamp attribute in the outgoing Disconnect requests, add
the mentioned mapping in the CreateDisconnectReq or
CreateDisconnectReqServerGroup SQLAction within the
/etc/opt/aaa/sqlaccess.config file.
To add the Event-Timestamp value in the outgoing CoA requests, add the mentioned
mapping in the CreateCoAReq or CreateCoAReqServerGroup SQLAction within
the /etc/opt/aaa/sqlaccess.config file.
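The following added example (not code from the HP-UX AAA Server; its check is implemented in the .grp policy and aaa.config described above) shows the receiving side of the replay check on a constructed RADIUS CoA-Request: the Event-Timestamp attribute (type 55, four-byte seconds since the epoch) is compared against the current time and a window equivalent to event_timestamp_window, and a missing attribute is ignored unless enforcement is switched on, mirroring the client-reply-ingress.grp rule. The symmetric window and the zeroed Request Authenticator are assumptions of the example.

```python
import struct

EVENT_TIMESTAMP = 55   # RADIUS attribute type for Event-Timestamp (RFC 2869)
COA_REQUEST = 43       # RADIUS code for CoA-Request (RFC 5176)
HEADER_LEN = 20        # code, identifier, length, 16-byte authenticator


def parse_attributes(packet: bytes) -> dict:
    """Parse the type/length/value attribute list after the RADIUS header."""
    attrs, pos = {}, HEADER_LEN
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return attrs


def replay_check(packet: bytes, now: int, window: int, enforce: bool) -> str:
    """Return 'ACK' if the message passes the Event-Timestamp check, else 'NAK'.

    window plays the role of event_timestamp_window (assumed symmetric here);
    enforce mirrors the count(Event-Timestamp) = 0 -> NAK rule in the .grp file.
    """
    values = parse_attributes(packet).get(EVENT_TIMESTAMP, [])
    if not values:
        return "NAK" if enforce else "ACK"   # absent attribute: ignored by default
    if len(values[0]) != 4:
        return "NAK"                         # attribute present but malformed
    stamp = struct.unpack("!I", values[0])[0]
    return "ACK" if abs(now - stamp) <= window else "NAK"


def build_request(code: int, attrs: list) -> bytes:
    """Construct a RADIUS packet from (type, value) pairs; sample input only.

    The Request Authenticator is zeroed because this example checks only the
    timestamp, not the Message-Authenticator or packet authenticator.
    """
    body = b"".join(bytes([atype, len(value) + 2]) + value for atype, value in attrs)
    header = struct.pack("!BBH", code, 1, HEADER_LEN + len(body))
    return header + bytes(16) + body


def timestamp_attr(seconds: int) -> tuple:
    """Build an Event-Timestamp (type 55) attribute for build_request."""
    return (EVENT_TIMESTAMP, struct.pack("!I", seconds))
```

A message carrying a stale timestamp is rejected even though every other field is valid, which is exactly what the window is for; without the enforcement rule, an attacker-friendly omission of the attribute would pass.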
Configuring the Event Timestamp Window for Replay Protection Using HP-UX AAA Server Manager
To configure the Event Timestamp window for replay protection, complete the
following steps:
1. Log in to HP-UX AAA Server Manager.
2. Click Server Properties. The Server Properties window is displayed as follows:
Configuring for Dynamic Authorization 317