HP-UX AAA Server A.08.00.01 Administrator's Guide
Figure 27-2 Flow of the User Policy
Invoking Policy from User Profiles
In the user profile (which can be in the local users file, LDAP, or SQLAccess), add a Policy-Pointer
as a check or reply item with the full pathname of the decision file containing the group
authorization policies. Enclose the pointer in single or double quotes. The Policy-Pointer
string cannot be more than 63 characters in length. For example:
carl Password = carl, Policy-Pointer = "decisionfile://path-to-file"
or
fred Password = fred
	Policy-Pointer = "decisionfile://path-to-file"
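The quoting and length rules above can be checked before a users file is deployed. The following linter is an added example, not part of the HP-UX AAA Server or this guide. It assumes that an unindented line starts a user entry, that the 63-character limit counts the whole quoted string including the decisionfile:// prefix, and that a full pathname begins with "/"; the function names and sample paths are constructed for illustration.

```python
import re

MAX_LEN = 63                      # limit the guide states for the Policy-Pointer string
SCHEME = "decisionfile://"
ITEM = re.compile(r"Policy-Pointer\s*=\s*(\S.*?)\s*(?:,|$)")

def check_pointer(raw):
    """Return the problems found in one raw Policy-Pointer value."""
    if raw[0] in "\u201c\u201d\u2018\u2019":
        return ["typographic quotes, use straight quotes instead"]
    if len(raw) < 2 or raw[0] not in "'\"" or raw[-1] != raw[0]:
        return ["not enclosed in matching single or double quotes"]
    value, problems = raw[1:-1], []
    if len(value) > MAX_LEN:
        problems.append(f"{len(value)} characters, limit is {MAX_LEN}")
    if not value.startswith(SCHEME):
        problems.append("missing decisionfile:// prefix")
    elif not value[len(SCHEME):].startswith("/"):
        # Assumption: "full pathname" means an absolute path after the prefix.
        problems.append("not a full pathname")
    return problems

def lint_users(text):
    """Return (line_no, user, problem) for each bad Policy-Pointer in users-file text."""
    findings, user = [], None
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        if not line[0].isspace():   # assumption: an unindented line starts a user entry
            user = line.split()[0]
        for m in ITEM.finditer(line):
            findings += [(no, user, p) for p in check_pointer(m.group(1))]
    return findings

# Constructed sample input (paths are placeholders, not real server paths).
SAMPLE = (
    'carl Password = carl, Policy-Pointer = "decisionfile:///constructed/policy/group.grp"\n'
    'fred Password = fred\n'
    '\tPolicy-Pointer = \u201cdecisionfile:///constructed/policy/group.grp\u201d\n'
    'gina Password = gina, Policy-Pointer = decisionfile:///constructed/policy/group.grp\n'
    'hugo Password = hugo\n'
    "\tPolicy-Pointer = 'decisionfile:///constructed/" + "d" * 50 + "/group.grp'\n"
)

if __name__ == "__main__":
    for no, user, problem in lint_users(SAMPLE):
        print(f"line {no} ({user}): {problem}")
```

The typographic-quote check catches pointers pasted from a formatted document, where straight quotes are often replaced by curly ones.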
Reply Egress Policy
Reply egress policy can be defined in the reply-egress.grp decision file in the
server's configuration directory. The reply egress policy is applied as the final step in
the FSM, just before the RADIUS reply message is created and sent. The reply egress
policy can be used to alter the request in one of the following ways:
• A-V pairs may be added, modified, or removed
• The reply type may be changed
• The request may be dropped entirely, in which case no reply is sent
NOTE: If the client is defined as type=NAS or type=PROXY+PRUNE (possibly
including vendors), the pruning rules specified in the dictionary file are applied
according to the reply type that was in effect before the reply-egress policy is evaluated.
Figure 27-3 (page 429) illustrates the flow of information in the reply egress policy.
428 Customizing the HP-UX AAA Server Using Policies