HP-UX AAA Server A.08.00.01 Administrator's Guide

still be required if the user does not belong to a realm. The Simultaneous-Use

attribute can be used in a user entry for LAS functions.

Simultaneous-Use Attribute

This attribute’s value determines the maximum number of active sessions the user can

have. The default is 1 (if the LAS is enabled for the user’s realm, but no

Simultaneous-Use attribute value is specified for the user or the user’s realm). A

value of -1 disables the feature—providing no limit to number of simultaneous sessions

for a user in a realm enabled to use the LAS.

NOTE: Simultaneous session control is based on the inner identity (realm) for

tunneled-EAP authentications.

Attributes Concerning OTP Authentication

These attributes are used for configuring OTP authentication and customizing the

feature to suit various deployments. For information on these attributes, see “Attributes

for Configuring OTP Authentication” (page 188).

Check (and Deny) Items

A user entry can include check, configuration-only, and reply items to implement

simple policy decisions. Check items are A-V pairs that are compared to pairs in a

RADIUS Access-Request data packet. Reply items are A-V pairs that are included in

an Access-Accept, Access-Challenge, or Access-Reject messages to provide instruction

to the NAS for authorizing the user.

There are two types of check items:

• Regular check items

• Deny items

A check item is used to authenticate a user by matching the attribute value in a request

to the attribute value specified as a check item. A deny item is a regular attribute,

identical to a check item, except the value is not matched to the attribute as being equal

to a value but by being not equal (indicated by !=). In other words, a deny item causes

an Access-Request to be rejected if the deny item's value matches the corresponding

attribute value in the request.

Check (and Deny) Items 541