HP-UX AAA Server A.08.00.01 Administrator's Guide

RADIUS Topology
The RADIUS protocol follows the client-server architecture. The client sends user
information to the AAA server using Access-Request or Accounting-Request messages.
The AAA server processes the request locally, or, if acting as a proxy server, forwards
(proxies) the request to a secondary RADIUS Server.
When processing a RADIUS request locally, the AAA server can utilize additional
external services (LDAP, external database access, DHCP, and so on) to service the
request.
The processing of RADIUS requests is usually configured on a per-realm basis. A realm
is a group of users sharing a common component in the Network Access Identifier
(NAI) attribute in the RADIUS request (for example, "example.org" is the realm
component for "username@example.org").
In Figure 1-1 (page 35), a sample Internet Service Provider (ISP) uses four AAA servers
to handle user requests. User organizations are grouped into realms. Each user connects
to one of the ISP's servers through a local Network Access Server (NAS). The NAS
sends a RADIUS Access-Request containing the user's credentials to one of the AAA
servers. In turn, the AAA server accesses user and policy information from the repository
specified for the user's realm. The repository can be in flat text files associated with the
AAA Server, an external database or LDAP Server, or an HP-UX Unix user repository.
When authenticating users stored in replicated LDAP directory servers or databases,
the server can be configured to perform load balancing and failover to achieve greater
scalability and availability.
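
The per-realm handling described above, sketched as an added example (not HP-UX AAA Server code or configuration). The realm names, host names, routing table, the split on the last "@", the case-insensitive realm match, and the rejection of unknown realms are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class RealmPolicy:
    action: str      # "local" (consult a repository) or "proxy" (forward the request)
    targets: tuple   # replicated repositories or remote RADIUS servers, in order

# Constructed routing table; every name below is a placeholder.
REALMS = {
    "example.org": RealmPolicy("local", ("ldap1.example.org", "ldap2.example.org")),
    "partner.example": RealmPolicy("proxy", ("radius.partner.example",)),
}
NO_REALM = RealmPolicy("local", ("flat-file",))  # user names with no realm component

def split_nai(user_name):
    """Split an NAI into (user, realm); realm is '' when there is no '@'."""
    user, sep, realm = user_name.rpartition("@")
    if not sep:
        return user_name, ""
    if not user or not realm:
        # "@example.org" or "bob@" must not silently fall into another realm.
        raise ValueError("malformed NAI: %r" % user_name)
    return user, realm.lower()  # assumption: realms match case-insensitively

def pick_target(policy, healthy, counter):
    """Load balance round-robin from `counter`; fail over past unhealthy targets."""
    n = len(policy.targets)
    for i in range(n):
        target = policy.targets[(counter + i) % n]
        if target in healthy:
            return target
    return None

def route(user_name, healthy, counter=0):
    """Return (decision, target) for the User-Name of an Access-Request."""
    _, realm = split_nai(user_name)
    policy = REALMS.get(realm) if realm else NO_REALM
    if policy is None:
        return ("reject", None)        # unknown realm: no repository is consulted
    target = pick_target(policy, healthy, counter)
    if target is None:
        return ("unavailable", None)   # every replica for this realm is down
    return (policy.action, target)

if __name__ == "__main__":
    up = {"ldap2.example.org", "radius.partner.example", "flat-file"}
    for name in ("username@example.org", "bob@partner.example", "alice", "x@other.test"):
        print(name, "->", route(name, up))
```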