HP-UX AAA Server A.08.00.01 Administrator's Guide

2. The iaaaUsers action checks the local users file. In this step, the User-Name
attribute value from the Access-Request is used to find an entry for the user in the
/etc/opt/aaa/users file.
If User-Name matches an entry, the server retrieves that profile and then
authentication moves to step 5.
If User-Name does not match an entry, authentication moves to step 3.
3. If the iaaaUsers action does not find a matching user profile in the users file,
the FSM calls the iaaaRealm action. The iaaaRealm action parses the User-Name
attribute value for a realm name, and searches authfile to determine the data
store where the user profiles for the parsed realm are located. A default entry can
be used to handle any realms that are not explicitly configured in authfile.
NOTE: If no realm is specified in the NAI (Network Access Identifier, the
user@realm form of User-Name), the server assigns the value NULL for the realm.
You can configure NULL realm behavior in the same manner as named realms.
4. The iaaaRealm action calls another action that attempts to retrieve a matching
user profile from the data store for the realm, as indicated by authfile:
A realm-specific AAA users file;
An external data store, such as LDAP or a database;
A Unix user profile service via the getpwent() library call.
If the realm is defined as a proxy, the RADIUS request is not authenticated locally;
it is forwarded to the target RADIUS server defined for this realm.
5. The user is authenticated according to the protocol established by the
Access-Request. If a password-based protocol (PAP, CHAP, MSCHAP) is specified,
the user's password is verified against the retrieved profile. If an EAP method is
used, mutual authentication is carried out according to the EAP type (PEAP, TLS,
or TTLS).
If User-Name matches no entry in either a local text file or an external data source,
authentication fails.
Authorization to Control Sessions and Access to Services
The HP-UX AAA server can authorize users using one of the following methods:
Provisioning on a user-by-user basis with check items and by adding reply items
to an Access-Accept message (simple policy)
Through Local Authorization Server (LAS) functions based on realms
Through stored policy decisions based on other logical groups that can add check
and reply items to the request
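The following is an added example, not HP-UX AAA Server code, that models the
path described in steps 2 through 5 above (local users file, realm parsing with
the NULL realm and the default entry, dispatch by authfile, proxy realms, PAP and
CHAP verification) and then applies the simple policy just described: check items
that must match the Access-Request, and reply items that are copied into the
Access-Accept. The users file and authfile are represented as Python dicts; that
representation, the "type" keywords, the "DEFAULT" key and every sample entry are
assumptions made for this example, not the product's file syntax.

```python
"""Model of HP-UX AAA access-request handling, steps 2-5 plus simple-policy
authorization. Added example; dict layouts and sample entries are assumed."""
import hashlib
import hmac

NULL_REALM = None   # realm value assigned when the NAI has no '@realm' part

# Constructed stand-in for /etc/opt/aaa/users: User-Name -> profile
USERS_FILE = {
    "alice": {"password": "s3cret",
              "check": {"NAS-IP-Address": "192.0.2.10"},
              "reply": {"Framed-IP-Address": "10.0.0.5", "Session-Timeout": 3600}},
    # An entry containing '@' is matched whole in step 2, before realm parsing.
    "bob@corp.example": {"password": "b0b", "check": {}, "reply": {}},
}

# Constructed stand-in for authfile: realm -> data store for that realm
AUTHFILE = {
    "corp.example": {"type": "users_file",
                     "users": {"carol": {"password": "c4rol", "check": {}, "reply": {}}}},
    "partner.example": {"type": "proxy", "target": "radius.partner.example"},
    NULL_REALM: {"type": "users_file",            # NULL-realm entry
                 "users": {"dave": {"password": "d4ve", "check": {}, "reply": {}}}},
    "DEFAULT": {"type": "ldap"},                  # catch-all for unconfigured realms
}


def parse_nai(user_name):
    """Split 'user@realm'; the realm is NULL when there is no '@'."""
    user, sep, realm = user_name.rpartition("@")
    return (user, realm) if sep else (user_name, NULL_REALM)


def resolve_profile(user_name):
    """Steps 2-4. Returns ('profile', p), ('proxy', target) or ('none', None)."""
    profile = USERS_FILE.get(user_name)               # step 2: local users file
    if profile is not None:
        return "profile", profile
    user, realm = parse_nai(user_name)                # step 3: realm from the NAI
    entry = AUTHFILE.get(realm, AUTHFILE.get("DEFAULT"))
    if entry is None:
        return "none", None
    if entry["type"] == "proxy":                      # step 4: forward, no local auth
        return "proxy", entry["target"]
    if entry["type"] == "users_file":                 # step 4: realm-specific users file
        profile = entry["users"].get(user)
        return ("profile", profile) if profile else ("none", None)
    # External stores (LDAP, database, getpwent) are not reachable in this
    # offline model, so they behave as 'no matching profile'.
    return "none", None


def chap_response(ident, password, challenge):
    """CHAP response per RFC 1994: MD5(ident || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + password.encode() + challenge).digest()


def verify_password(profile, request):
    """Step 5 for PAP and CHAP. CHAP can only be verified when the server holds
    the cleartext password, so the profile store must be protected accordingly."""
    stored = profile["password"]
    if request["protocol"] == "PAP":
        return hmac.compare_digest(request["User-Password"].encode(), stored.encode())
    if request["protocol"] == "CHAP":
        ident, response = request["CHAP-Password"][0], request["CHAP-Password"][1:]
        expected = chap_response(ident, stored, request["CHAP-Challenge"])
        return hmac.compare_digest(response, expected)
    raise ValueError("unsupported protocol: " + request["protocol"])


def authorize(profile, request):
    """Simple policy: every check item must equal the request attribute
    (a missing attribute is a mismatch); reply items go into the Access-Accept."""
    for attr, wanted in profile["check"].items():
        if request.get(attr) != wanted:
            return False, {}
    return True, dict(profile["reply"])


def handle_access_request(request):
    """Run the whole path; returns (code, detail)."""
    kind, obj = resolve_profile(request["User-Name"])
    if kind == "proxy":
        return "Proxy", obj
    if kind == "none" or not verify_password(obj, request):
        return "Access-Reject", {}
    ok, reply_items = authorize(obj, request)
    return ("Access-Accept", reply_items) if ok else ("Access-Reject", {})
```

Two behaviours worth noticing when running it: a User-Name such as
"bob@corp.example" that literally appears in the local users file is accepted
from that file in step 2 and never reaches realm parsing, and a check item whose
attribute is absent from the Access-Request (here NAS-IP-Address for alice)
rejects the request even though the password was correct.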
Like authentication, the authorization of an access request has a number of distinctive
steps, as shown in Figure 1-6 (page 44). The rounded rectangles represent configuration
files and the ovals represent one or more actions called by the FSM.
Handling an Access Request 43