HP-UX AAA Server A.08.
Copyright © 2002–2010 Hewlett-Packard Development Company, L.P. Confidential computer software. Valid license required from HP for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor’s standard commercial license. The information contained herein is subject to change without notice.
About This Document

This document provides an overview of the HP-UX AAA Server and describes how to configure, administer, and troubleshoot the product. This document does not cover installing the product. The document printing date and part number on the cover indicate the document’s current edition. The printing date and part number change when a new edition is printed. Minor changes can be made at reprint without changing the printing date.

• Part III — Advanced Configuration Information provides information on advanced topics, such as securing LAN access using EAP, session management, assigning IP addresses, configuring OTP and two-factor authentication, configuring the EAP-SIM and EAP-AKA authentication methods, configuring for scalability and high availability, configuring the client functionality, and configuring the dynamic authorization capability of the HP-UX AAA Server.
Table 1 HP-UX AAA Server Administrator’s Guide Printing History (continued)

Document Part Number   Document Release Date (month/year)   Supports Software Version   Supported OS
T1428-90064            09/07                                A.07.00                     HP-UX 11i v1, 11i v2, 11i v3
5991-6434              09/06                                A.07.00                     HP-UX 11i v1, 11i v2
T1428-90061            11/05                                A.06.02                     HP-UX 11i v1, 11i v2
T1428-90050            01/04                                A.06.01.x                   HP-UX 11.00, 11i v1, 11i v2
T1428-90042            10/03                                A.06.01.x                   HP-UX 11.00, 11i v1
T1428-90025            04/03                                A.06.00.08                  HP-UX 11.

{}    The contents are required in formats and command descriptions. If the contents are a list separated by |, you can choose one of the items.
...   The preceding element can be repeated an arbitrary number of times.
|     Separates items in a list of choices.

HP-UX Release Name and Release Identifier

Each HP-UX 11i release has an associated release name and release identifier. The uname(1) command with the -r option returns the release identifier.

Part I Introduction

This part of the HP-UX AAA Server Administrator’s Guide contains the following chapters:
• Chapter 1: “Overview: The HP-UX AAA Server” (page 34)
• Chapter 2: “Upgrading to Version A.08.
1 Overview: The HP-UX AAA Server

The Remote Authentication Dial In User Service (RADIUS) protocol defines a standard for information exchange between a network device or software application and an authentication, authorization, and accounting (AAA) server to manage and track user access to network services.

RADIUS Topology

The RADIUS protocol follows the client-server architecture. The client sends user information to the AAA server using Access-Request or Accounting-Request messages. The AAA server processes the request locally, or, if acting as a proxy server, forwards (proxies) the request to a secondary RADIUS server. When processing a RADIUS request locally, the AAA server can use additional external services (LDAP, external database access, DHCP, and so on) to service the request.

Figure 1-1 Typical AAA Network Topology

Establishing a RADIUS Session

A RADIUS session tracks the life of a user session through a series of message exchanges. RADIUS sessions are used to limit simultaneous access to a resource for users who share the same credential, and to manage the allocation and release of IP addresses acquired on behalf of the user by the AAA server.

Figure 1-2 Client-Server RADIUS Transaction

When the user's device connects to the client, the client sends a RADIUS Access-Request to the AAA server. When the server receives the request, it validates the sending client. If the client is permitted to send requests to the server, the server then takes information from the Access-Request and attempts to match the request to a user profile.
Product Structure

The HP-UX AAA Server is based on the client-server architecture.

IMPORTANT: For the most recent product documentation, see http://www.docs.hp.com.

HP-UX AAA Server Architecture

The HP-UX AAA Server architecture consists of the following components:
• Configuration files. Files that provide the information necessary for the server to perform authentication, authorization, and accounting requests for your system. In most cases, these files can be modified by using the Server Manager.
• AATV plug-ins.

Figure 1-3 Authentication Process

Configuration Files

For detailed information on the server configuration files, see Chapter 33: “Configuration Files” (page 519).

AATV Plug-Ins

An AATV plug-in defines the actions that perform a variety of functions, including authenticating requests, authorization, and logging. Built-in actions support authentication of users using information from several different repositories, and accounting requests using several different policies and storage formats.

more information on the Finite State Machine, see Chapter 26: “Customizing the HP-UX AAA Server Using the Finite State Machine” (page 396).

HP-UX AAA Server Commands, Utilities and Daemons

Table 1-1 provides an overview of the HP-UX AAA Server commands, utilities, and daemons.

Table 1-1 Commands, Utilities, and Daemons

Command    Description
radcheck   Sends RADIUS status and protocol requests to a AAA server and displays the replies. Receiving the reply confirms that the HP-UX AAA Server is operational.
Figure 1-4 Default Action Sequence

Authentication to Verify the Client and User

The authentication of an access request has a number of distinctive steps, as shown in Figure 1-5 (page 43). The rounded rectangles represent configuration files that the HP-UX AAA Server uses and the ovals represent one or more authentication types.

Figure 1-5 Authentication Steps

Authentication Steps

The following lists the authentication steps followed by the HP-UX AAA Server:
1. After the HP-UX AAA Server receives an Access-Request, it attempts to match the client making the request to an entry in the clients file. The server attempts to authenticate a request only if a match can be made.
2. The iaaaUsers action checks the local users file. In this step, the User-Name attribute value from the Access-Request is used to find an entry for the user in the /etc/opt/aaa/users file.
   • If User-Name matches an entry, the server retrieves that profile and authentication moves to step 5.
   • If User-Name does not match an entry, authentication moves to step 3.
3. If the iaaaUsers action does not find a matching user profile in the users file, the FSM calls the iaaaRealm action.
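The step ordering above, modelled in Python as an added example (this is not the HP-UX AAA Server's own code). The file formats are simplified assumptions: a constructed clients text of "address shared-secret" lines, a constructed users text of `name Password = "..."` profiles, and a constructed authfile of "realm authentication-type" lines; the real files carry more fields, and only the sequence of steps is taken from the manual.

```python
"""Model of the authentication steps: client match, users file lookup, realm
dispatch. Added example with constructed, simplified file formats."""
import hmac
import re
from dataclasses import dataclass

# Constructed sample files (not copied from any real installation).
CLIENTS_FILE = """\
# client-address   shared-secret
192.0.2.10         nas-secret-1
192.0.2.11         nas-secret-2
"""

USERS_FILE = """\
alice   Password = "alice-pw"
bob     Password = "bob-pw"
"""

AUTHFILE = """\
# realm            authentication-type
example.org        LDAP
partner.example    PROXY
"""

_PASSWORD_RE = re.compile(r'Password\s*=\s*"([^"]*)"')


def _strip_comment(line):
    return line.split("#", 1)[0].strip()


def parse_clients(text):
    """Step 1 input: client address -> shared secret (two-column format)."""
    table = {}
    for raw in text.splitlines():
        line = _strip_comment(raw)
        if line:
            key, value = line.split(None, 1)
            table[key] = value.strip()
    return table


def parse_users(text):
    """Step 2 input: User-Name -> cleartext password held in the profile."""
    profiles = {}
    for raw in text.splitlines():
        line = _strip_comment(raw)
        if not line:
            continue
        name, _, attrs = line.partition(" ")
        match = _PASSWORD_RE.search(attrs)
        if match:
            profiles[name] = match.group(1)
    return profiles


def parse_authfile(text):
    """Step 3 input: realm -> authentication type (same two-column shape)."""
    return parse_clients(text)


@dataclass
class Decision:
    outcome: str   # "Discard", "Access-Accept", "Access-Reject" or "Realm:<type>"
    step: int      # the authentication step that produced the outcome
    detail: str


def authenticate(request, clients, users, authfile):
    """Walk one Access-Request through steps 1, 2, 3 and 5 of the sequence."""
    # Step 1: only a client listed in the clients file is authenticated at all.
    # RFC 2865 has requests from unknown clients silently discarded; the shared
    # secret is what the server would use to verify the packet itself.
    if request["client"] not in clients:
        return Decision("Discard", 1, "client not in clients file")
    name = request["User-Name"]
    # Step 2: the iaaaUsers action looks User-Name up in the users file.
    if name in users:
        # Step 5: profile found, so the credential is checked locally
        # (constant-time comparison, so a mismatch does not leak the prefix).
        ok = hmac.compare_digest(users[name].encode(), request["User-Password"].encode())
        return Decision("Access-Accept" if ok else "Access-Reject", 5, "local users file")
    # Step 3: no profile, so the iaaaRealm action classifies the request by realm.
    _, at, realm = name.rpartition("@")
    if at and realm in authfile:
        return Decision("Realm:" + authfile[realm], 3, "dispatched to realm " + realm)
    return Decision("Access-Reject", 3, "no profile and no matching realm")


CLIENTS = parse_clients(CLIENTS_FILE)
USERS = parse_users(USERS_FILE)
REALMS = parse_authfile(AUTHFILE)


def decide(client, user, password):
    """Convenience wrapper that runs a request against the constructed files."""
    request = {"client": client, "User-Name": user, "User-Password": password}
    return authenticate(request, CLIENTS, USERS, REALMS)
```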
Figure 1-6 Authorization Steps

Authorization Steps

1. The server receives the Access-Request.
2. The server evaluates the request-ingress policy. This is the first step in the FSM, before the request is dispatched for processing. The request-ingress policy can be used to alter the request in one of the following ways:
   • A-V pairs may be added, changed, or removed.
   • The request classification may be altered.
   • The request may be rejected immediately.
3.

Table 1-2 How Requests are Altered Using the proxy-egress and proxy-ingress Policies

Use of the proxy-egress Policy                              Use of the proxy-ingress Policy
A-V pairs can be added, modified, or removed.               A-V pairs can be added, modified, or removed.
The request may be rejected immediately.                    The reply type may be altered.
The request may be dropped entirely and no reply is sent.   The request may be dropped entirely and no reply is sent.
The proxy target host may be changed.
a local realm configured in the las.conf file, the LAS module performs the following actions:
• Checks the user profile for a Simultaneous-Session attribute-value pair, which determines the maximum number of active sessions the user can have. The default value is 1.
• Authorizes or denies service based on Service-Class.

The POSTLAS action performs Simultaneous Access Token (SAT) control, which is used to implement realm-based simultaneous session control.

Session Logs For Accounting

During operation, the HP-UX AAA Server processes information received in an Accounting-Request from the client. By default, session logging information is written to a file following a predefined format, such as Merit or Livingston. You can modify how and where the server generates the logs by editing the log.config file. You can also schedule logging by editing the FSM.
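The simultaneous-session check and the accounting start/stop lifecycle described in the two passages above, as an added example (not the product's own code). It assumes constructed user profiles held in a dict, uses an in-memory dict as a stand-in for the active sessions file, and writes a constructed one-line log format rather than the Merit or Livingston formats the server actually produces.

```python
"""Model of LAS simultaneous-session control plus accounting Start/Stop.
Added example; profiles, session table and log format are constructed."""
from dataclasses import dataclass, field

# Constructed user profiles standing in for the users file. A profile without
# Simultaneous-Session gets the default of 1, as the manual states.
PROFILES = {
    "alice": {},
    "bob": {"Simultaneous-Session": 2},
}


@dataclass
class SessionTable:
    """In-memory stand-in for the active sessions log (session.las)."""
    active: dict = field(default_factory=dict)   # Acct-Session-Id -> User-Name
    log: list = field(default_factory=list)      # constructed session log lines

    def active_count(self, user):
        return sum(1 for owner in self.active.values() if owner == user)

    def limit(self, user):
        # Unknown users also fall back to the default of one session.
        return PROFILES.get(user, {}).get("Simultaneous-Session", 1)

    def access_request(self, user):
        """LAS check on an Access-Request: deny once the limit is reached."""
        if self.active_count(user) >= self.limit(user):
            return "Access-Reject"
        return "Access-Accept"

    def accounting_request(self, user, session_id, status):
        """Acct-Status-Type Start opens a session; Stop closes and logs it.

        Returns the reply that would be sent, or an anomaly marker so the
        caller can log a Start/Stop that does not match the table."""
        if status == "Start":
            if session_id in self.active:
                return "duplicate-start"
            self.active[session_id] = user
            return "Accounting-Response"
        if status == "Stop":
            if self.active.pop(session_id, None) is None:
                return "unknown-session"
            self.log.append(f"{user} {session_id} stop")
            return "Accounting-Response"
        return "unsupported-status"
```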
2 Upgrading to Version A.08.01

This chapter explains how to upgrade to the HP-UX AAA Server A.08.01 from previous versions.

The HP-UX AAA Server Upgrade Process

The following process describes the HP-UX AAA Server A.08.01 product installation on a system where a previous version of the HP-UX AAA Server is currently installed:
1. The contents of the existing configuration in /etc/opt/aaa/ are copied to /etc/opt/aaa.old/. If any files with the same names exist in /etc/opt/aaa.old/, they will be overwritten.
recommends that you set up your HP-UX AAA Server to interact with the Oracle database using the SQL Access feature. If you have configured a realm for ORACLE authentication, remove the realm entry from the /etc/opt/aaa/authfile and /etc/opt/aaa/EAP.authfile and re-configure the realm. For Database via SQL using the HP-UX AAA Server Manager, see Chapter 8 “Configuring Realms”. For information on how to implement SQL Access, see Chapter 22 “SQL Access”. Starting with HP-UX AAA Server A.08.
-DEFAULT ProLDAP "" {
    Filter-Type CIS
    Directory "directory_name" {
        Host
        Port
        Administrator
        Password
        Searchbase
        Authenticate
    }
}

Additions have been made to the vendors file in this version of the HP-UX AAA Server. If you have modified the vendors file, you must merge the vendors file. For information on merging the vendors file, see “Merging the vendors File” (page 53).

5. Copy your legacy users files from /etc/opt/aaa.old/ to /etc/opt/aaa/ (including the default users file and all files with the .users extension). Update the users files as follows:
   • Remove all DEFAULT, dumbuser, pppuser, and slipuser entries. The following shows example entries for each:
     • DEFAULT
           DEFAULT
               Authentication-Type = Realm
               Filter-Id = "unlim"
     • dumbuser
           dumbuser
               Authentication-Type = None
               Service-Type = Login,
               Login-Service = Telnet,
               Login-IP-Host = 255.255.255.

7. If you are using a Netscape Directory server, update the RADIUS schema file for the directory server. Copy /opt/aaa/examples/proldap/55iaaa-radius.ldif to the Netscape Directory server. Stop and restart slapd after copying the schema file to the Netscape server.
8. If you are using an OpenLDAP server, update the RADIUS schema file for the directory server. Copy /opt/aaa/examples/proldap/iaaa-radius.ldif to the OpenLDAP server.
3 Installing and Securing the HP-UX AAA Server

This chapter explains how to acquire, install, and secure the HP-UX AAA Server product. Always refer to the HP-UX AAA Server Release Notes for important information specific to each version of the product, including requirements and dependencies.

Acquiring the HP-UX AAA Server Software

You can get the most recent version of the HP-UX AAA Server product at the HP Software Depot: http://www.hp.com/go/softwaredepot.

NOTE: Check the Release Notes for the HP-UX AAA Server version you are installing to verify patch requirements.

4. Download the AAA Server depot file from http://www.software.hp.com and move it to /tmp.
5. Verify that you have downloaded the file correctly:
   # swlist -d -s /tmp/.depot
6. Stop any active Tomcat processes:
   /opt/hpws22/tomcat/bin/shutdown.sh
7. Install the AAA Server:
   # swinstall -s /tmp/.

7. As root user, enter swremove HPUX-AAAServer, or enter swremove at the command prompt to invoke the standard HP-UX GUI and select the HPUX-AAAServer bundle for removal. Refer to the swremove manpage for more information on this command.

HP-UX AAA Server File Locations

Although the HP-UX AAA Server can be run as the root user, HP recommends running it as a non-root user. A user and a group, both named aaa, are created during installation.
Table 3-1 File Locations Upon Installation (continued)

Directory: /opt/aaa/examples/config
Files: Finite state machine and sample policy files:
• *.fsm: Sample FSM tables
• sqlaccess-acct.fsm: Sample FSM required to implement accounting without session management using SQL Access
• sqlaccess-acct-sess.fsm: Sample FSM required to implement accounting with session management using SQL Access
• *.grp: Sample decision files
• OTP sample reference implementation files:
  — oath-request-ingress.

Directory: /opt/aaa/examples/sqlaccess/userdb
Files: userdb: Contains the files required for management of user profiles and tokens in an SQL-compliant database

Directory: /opt/aaa/examples/sdk
Files: Sample AATVs and plug-ins:
• /opt/aaa/examples/sdk/ace/samplesc.c: Sample Challenge-Response Authentication AATV
• /opt/aaa/examples/sdk/cis/checkCSI.c: Sample Pre-Authentication AATV
• /opt/aaa/examples/sdk/sim_a3a8/sample_sim_a3a8.c: Sample EAP-SIM A3 or EAP-SIM A8 algorithm plug-in module
• /opt/aaa/examples/sdk/aka_algo/sample_aka_algo.

• sqlaccess.config.dynauth_server_group: Sample configuration files that define SQL actions required for implementing the dynamic authorization functionality when multiple HP-UX AAA Servers are configured as a group.
• dbsetup.sql: Script that creates the database tables for the sample configuration and inserts a test user in a database table
• dbsetup.sql.

Directory: /opt/aaa/lib/dbcon/alternate
Files: Connector libraries that enable the HP-UX AAA Server to communicate with supported database clients:
• libdbcon_oci.so: OCI client connector library
• libdbcon_odbc.so: MySQL Unix ODBC client connector library
NOTE: Refer to Chapter 22: “SQL Access” (page 338) for details on using the client connector libraries.

Directory: /etc/opt/aaa
Files: Configuration files:
• aaa.config: runtime and tunneling configuration file
• authfile: realm to authentication-type mapping file
• clients: client to shared secret mapping file
• dictionary: definition file required by the radiusd daemon
• las.conf: authorization and accounting configuration file
• log.config: session logging configuration file
• radius.

Table 3-2 Files Generated During Operation

Directory/File                  Description
/acct/session.yyyy-mm-dd.log    Default session accounting logs, Merit style
/data/session.las               Currently active sessions log file
/ipc/*.sm                       Shared memory files related to the interface used for some authentication types.
                                IMPORTANT: You must not alter or delete the shared memory (*.sm) files. The server does not operate correctly if the files are changed or removed from the ipc directory.
/logs/logfile                   The server log file
/logs/logfile.
Changing the Default RMI Objects Secret

HP recommends changing the default RMI Objects secret. Complete the following steps to change the default RMI objects secret:
1. Open /opt/hpws22/tomcat/webapps/aaa/WEB-INF/gui.properties.
2. Look for the following entry:
   rmi.config.secret = "secret"
3. Change the “secret” portion to a new value.
4. Open the /opt/aaa/remotecontrol/rmiserver.properties file.
5. Look for the following entry:
   rmi.config.secret = "secret"

1. Generate a certificate for Tomcat to establish the SSL connection. Use the following steps to create a self-signed certificate with the Java command line keytool utility:
   1. Remove $HOME/.keystore if it already exists.
   2. Enter the following command:
      $ export JAVA_HOME=/opt/java1.5
   3. Enter the following command:
      $JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA
   4. Enter a password for the key store when prompted.
   5. Enter the certificate information (company, contact name, etc.
Creating a Tomcat Identity Specifically for the HP-UX AAA Server

If several applications use Tomcat, you can configure Tomcat to have a user name and password specifically for the AAA Server. All other applications using Tomcat will have a different user name and password. Complete the following steps to create a Tomcat identity specifically for your HP-UX AAA Server:
1. Search for the following line in /opt/hpws22/tomcat/conf/server.

   /opt/aaa/remotecontrol/rmistart.sh
10. Point your web browser to: http://:8081/aaa
11. Log in with the new AAA Server-specific user name and password.

Running the HP-UX AAA Server on Hosts with System Hardening Software

If you are setting up the HP-UX AAA Server on a system that is being hardened using lock-down software such as Bastille, you must ensure that the ports used by the HP-UX AAA Server are kept open.

Running the HP-UX AAA Server as a Non-Root User

Some organizations require network server processes to run as a non-root user. Complete the following steps to run the AAA server as a non-root user:
1. Log in to the system as the root user.
2. Add the user name www to the aaa group.

NOTE: Before starting and stopping the Remote Method Invocation (RMI) server, the JAVA_HOME environment variable must be set to the appropriate path. For example, to use Java6, export JAVA_HOME to the /opt/java6 path.

   echo "$DAEMONNM started with <$retval>"
   if [[ -x /opt/aaa/remotecontrol/rmistart.sh ]]; then
       /usr/bin/nohup /opt/aaa/remotecontrol/rmistart.sh >/dev/null 2>&1
   fi
5. Change the then statement to start the RMI objects as the aaa user after reboot:
   Change:
   if [[ -x /opt/aaa/remotecontrol/rmistart.sh ]]; then
       /usr/bin/nohup /opt/aaa/remotecontrol/rmistart.sh >/dev/null 2>&1
   fi
   To:
   if [[ -x /opt/aaa/remotecontrol/rmistart.sh ]]; then
       /usr/bin/nohup /usr/bin/su - aaa -c /opt/aaa/remotecontrol/rmistart.

10. Look for the following entry:
    /opt/aaa/bin/rad_admin.sh stop all > /dev/null 2>&1
11. To stop all the HP-UX AAA Servers as the aaa user during shutdown, modify the statement as follows:
    /usr/bin/su - aaa -c /opt/aaa/bin/rad_admin.sh stop all >/dev/null 2>&1
12. If you are implementing the SQL Access feature, add the following environment variable settings in the user’s .profile file in the home directory:
    (For ODBC only) export ODBCINI=path/odbc.
4 Enabling the HP-UX AAA Server for GUI-based Administration This chapter explains how to enable your HP-UX AAA server software to begin administration.
5. Point your web browser to the following URL to manage the HP-UX AAA Server with the Server Manager interface: http://:8081/aaa 6. To access the Server Manager, enter your user name and password. NOTE: The default Server Manager username is tomcat. The default Server Manager password is tomcat. Starting and Stopping the RMI Objects Before starting and stopping the Remote Method Invocation (RMI) server, the JAVA_HOME environment variable must be set to appropriate path.
3. In the Add Connection screen that opens, enter the values for you server as shown in the following format: Name The identifying string of a remote server. Domain Name or IP Address The IP address (traditional IPv4 address in dotted-quad notation, or IPv6 address in IPv6 literal format notation), or valid Domain Name System (DNS) host name of the AAA server that the connection maps to. Example: IPv4 address- 192.0.2.0 IPv6 address- fedc:ba98:7654:3210 Domain Name- example.org 4. 5. 6. 7. 8.
11. Verify that your HP-UX AAA Server is installed and operating correctly by using the test user (named test_user) created during installation. After test_user is authenticated and the AAA server sends an Access-Accept, the client sends an Accounting-Request to start the session. After the session is terminated, the client sends an Accounting-Request stop message to stop the session logging, and the AAA server writes the session information to a file.
NOTE: Server commands will only be executed on servers selected in the Server Status frame.
3. Click Start. Figure 4-1 shows the return value in Server Manager’s message frame when a server is successfully started.
Figure 4-1 Return Value After Successfully Starting a AAA Server
AAA Server Start Options
Select the Start button’s corresponding icon to display the Start Options screen shown in Figure 4-2. Table 4-1 describes the start options you can use.
Table 4-1 Server Start Options (continued)
Option: Description
Dynamic Authorization: Specifies the UDP port number on which to listen for dynamic authorization requests. The default value is 3799.
Authentication Relay: Specifies the UDP port number to which authentication requests are relayed. This option is useful when proxying requests to a AAA server that is not listening on the default port.
Accounting Relay: Specifies the UDP port number to which accounting requests are relayed.
• engine.config (all values except the certificate properties, which require you to stop and restart the server to be refreshed)
• las.conf
• EAP.authfile
• aaa.config.license
• sqlaccess.config
• request-ingress.grp
• reply-egress.grp
• proxy-egress.grp
• proxy-ingress.grp
• client-request-init.grp
• client-request-egress.grp
• client-reply-ingress.grp
In order for other configuration changes to take effect, you must stop and restart the server.
Table 4-2 radiusd Options (continued)
Option: Description
-d Config-directory: Specifies the directory where the configuration files are located. If omitted, the default directory is /etc/opt/aaa.
-da AATV-directory: Specifies the directory where the AATV libraries are located. If omitted, the default directory is /opt/aaa/aatv.
-dl Logfile-directory: Specifies the directory where the log and debug files are located. If omitted, the default directory is /var/opt/aaa/logs.
Table 4-2 radiusd Options (continued)
Option: Description
The log_level parameter specifies the log level to be set for the msg_type and msg_sub_type parameters. The log_level parameter should be one of the following:
• suppress: Suppresses all the log messages for the msg_type and msg_sub_type parameters.
• low: Provides minimal information in the log messages for the msg_type and msg_sub_type parameters.
Table 4-2 radiusd Options (continued)
Option: Description
-x: Adds to the debug flag value.
-cp: Specifies the port on which the CLIENT AATV must listen.
-dp: Specifies the port on which the HP-UX AAA Server must listen for proxied Dynamic Authorization messages.
-sn: Specifies the SNMP context name that the HP-UX AAA Server SNMP subagent uses to register with the master agent. If the context name is not specified, it is omitted.
• Set the RADIUSD variable in /etc/rc.config.d/radiusd.conf to 1. The default setting is 0.
CAUTION: Modifying content in the /sbin/init.d/radiusd.rc file other than the radiusd options can prevent the system from booting.
NOTE: You can also start the Server Manager interface after reboot. In the /etc/rc.config.d/hpws22_tomcatconf file, set HPWS22_TOMCAT_START to 1, and set JAVA_HOME to /opt/java1.5.
Adding an HP-UX AAA Server to Your Network
Multiple servers can be configured and run using the AAA Server Manager graphic interface. You must establish at least one connection before you begin configuration. Only one connection can be local to the Server Manager program. You can install a server on any machine that meets the system requirements and that can establish a UDP connection to the machine hosting the Server Manager. To add an HP-UX AAA Server to your network, complete the following steps:
Table 4-3 New Server Connection Screen Fields (continued)
Field: Value to Enter
Domain or IP Address: Full DNS name or IP address (traditional IPv4 or IPv6 address) of an HP-UX AAA server. Examples:
   IPv4 address: 192.0.2.0
   IPv6 address: fedc:ba98:7654:3210
   Domain name: example.org
3. Click Create. If the client program successfully connects to the server, the name you specified appears in the Status Frame displayed in the lower left corner of the program’s interface.
Part II Configuring the HP-UX AAA Server Manager Using the Server Manager GUI
This part of the HP-UX AAA Server Administrator’s Guide contains the following chapters:
• Chapter 5: “The HP-UX AAA Server Manager Interface” (page 88)
• Chapter 6: “Managing HP-UX AAA Servers” (page 90)
• Chapter 7: “Configuring RADIUS Clients Using the Access Devices Screen” (page 100)
• Chapter 8: “Configuring Realms” (page 105)
• Chapter 9: “Configuring Proxies” (page 117)
• Chapter 10: “Configuring Users” (page 127)
• Chapte
Table of Contents
5 The HP-UX AAA Server Manager Interface  88
    Commonly Used Icons in the GUI  89
6 Managing HP-UX AAA Servers  90
    Using the Server Connections Screen
    Forwarding Requests to Alternate RADIUS Ports  123
    Forwarding Accounting Requests  124
    Proxying Authentication and Accounting Messages to the Same Server  124
    Proxying Accounting Requests to a Central Server  125
    Deleting a Proxy
    Time-Based Values  147
    Client A-V Pairs  148
    User Entry A-V Pairs  148
    Session Tracking
5 The HP-UX AAA Server Manager Interface HP-UX AAA Server Manager (Server Manager) is a browser-based application. It uses the HP-UX Tomcat-based Servlet Engine to provide a configuration interface between a web browser and one or more AAA servers. The Server Manager is used to start, stop, configure, and modify the servers. In addition, Server Manager can retrieve information about logged server sessions and accounting information for an administrator.
NOTE: The Default (Server Connections) group, including a server called localhost, is present by default. This group is compatible with the Server Connections present in releases earlier than HP-UX AAA Server A.08.01. All Server Connections managed by the HP-UX AAA Server Manager in earlier versions of HP-UX AAA Server are moved to the Default (Server Connections) group during migration.
6 Managing HP-UX AAA Servers
Your server configuration can be synchronized and controlled across one or more server installations. These server installations can be on the same machine as the Server Manager program, or on different machines. Server Manager identifies each AAA installation as a server connection and maps a hostname to the IP address (both traditional IPv4 and IPv6 address formats are supported) or DNS name of a remote machine where a AAA server is installed.
Figure 6-1 Server Manager’s Connected Server Screen
Adding a New Server Connection
To add a new server connection, complete the following steps:
1. Click to display the Add Connection screen. The Add Connection screen appears as shown in Figure 6-2.
Figure 6-2 The Add Connection Screen
3. Click Create to create the server connection. Click Cancel to return to the Managed Servers screen without creating a new server connection.
IMPORTANT: When adding a connection to a new remote server, you must start the RMI objects on that host to allow Server Manager to administer the server. Before starting and stopping the RMI server, the JAVA_HOME environment variable must be set to the appropriate path. For example, to use Java6, export JAVA_HOME to the /opt/java6 path.
The HP-UX AAA Server Properties section of the form includes a list of pathnames that cannot be modified. These pathnames must match the installation directories of the remote server.
IMPORTANT: When setting an option to a given directory, the directory must exist and be writable on the machine. You must specify the logfile directory to access session logs through the maintenance functions listed in the navigation tree menu.
Figure 6-5 Server Manager’s Server Status Frame When your network includes multiple HP-UX AAA Servers, click the check box that precedes each listed connection to specify whether a command applies to the corresponding server. When a server command, such as Start, is submitted, it will only be sent to checked servers. When you retrieve server logging, statistics, active sessions, or account information, only information from the checked servers will be displayed.
• “Setting up Key-Based Authentication” (page 97)
• “Verifying Key-Based Authentication” (page 99)
Loading and Saving Your Configuration Using RMI Server
AAA configuration files consist of one or more entries. While accessing these files through the Server Manager interface, the initial screen lists each existing entry and provides controls to open HTML forms. You can add or modify the AAA server’s configuration files by entering values in these forms. You must then submit these values to the program.
displays a prompt (shown in Figure 6-7). Using this prompt, you can select the servers on which the settings must be saved.
CAUTION: Clicking Save saves the entire server configuration (access devices, proxies, local realms, users, and server properties) on the specified servers.
Figure 6-7 Server Manager’s Save Configuration Screen
NOTE: If you do not wish to save changes that have been made, you can revert to the previous settings by loading the original configuration.
to start the RMI Server on the remote host (the default is aaa). The rmiserver.aaa.user property in the rmiserver.properties file can be modified to change the default aaa value.
NOTE: If you do not choose to use SCP, RMI Server is used by default.
5. To create the SSH key pair, complete the following steps:
   1. Enter the following command at the HP-UX prompt:
      # ssh-keygen -t rsa
      The SSH key pair is created.
   2. Enter the file in which you want to save the key. Press Enter to select the default path (/.ssh/id_rsa).
   3. Enter the passphrase. If you do not want a passphrase, press Enter. The identification is saved in (/.ssh/id_rsa) if the default path is selected. The public key is saved in (/.
6. Change the permissions of the authorized_keys file as follows:
   # chmod 644 .ssh/authorized_keys
7. Log out of the system.
NOTE: You must repeat this procedure for all the user accounts on all the remote RMI servers with which you want to share the public key.
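An added check, not from the guide, for the files this procedure leaves on the Server Manager host (the key pair) and on each remote RMI host (authorized_keys), followed by a non-interactive login test. The 644 mode for authorized_keys is the guide's; the 700 mode for the .ssh directory and 600 for the private key are the sshd StrictModes and ssh defaults assumed here.

```shell
#!/bin/sh
# Added example (not from the HP-UX AAA Server guide): verify the files that
# key-based authentication between the Server Manager host and the remote
# RMI hosts depends on, then try a non-interactive login.
# Assumptions: sshd runs with StrictModes (its default), so the .ssh directory
# must be 700 and the private key 600; authorized_keys is 644 as in the guide.

# has_mode PATH OCTAL: true when PATH has exactly that mode (POSIX find only,
# so it works where GNU stat is not available).
has_mode() {
    [ -n "$(find "$1" -prune -perm "$2" -print 2>/dev/null)" ]
}

# check_key_files SSHDIR ROLE
#   ROLE=local   the Server Manager host, which holds the key pair
#   ROLE=remote  an RMI host that received the public key
# Prints one line per problem; returns 1 if any problem was found.
check_key_files() {
    dir=$1; role=$2; rc=0
    if [ ! -d "$dir" ]; then
        echo "$dir: directory missing"
        return 1
    fi
    has_mode "$dir" 700 || { echo "$dir: mode must be 700"; rc=1; }
    if [ "$role" = local ]; then
        if [ -f "$dir/id_rsa" ]; then
            has_mode "$dir/id_rsa" 600 || { echo "$dir/id_rsa: mode must be 600 (ssh ignores a key readable by others)"; rc=1; }
        else
            echo "$dir/id_rsa: missing (run ssh-keygen -t rsa)"; rc=1
        fi
        [ -f "$dir/id_rsa.pub" ] || { echo "$dir/id_rsa.pub: missing"; rc=1; }
    else
        ak=$dir/authorized_keys
        if [ -f "$ak" ]; then
            has_mode "$ak" 644 || has_mode "$ak" 600 || { echo "$ak: mode must be 644 (or 600)"; rc=1; }
            # Only public keys belong here; a pasted private key is a serious mistake.
            grep -q 'PRIVATE KEY' "$ak" && { echo "$ak: contains a private key, remove it and regenerate the pair"; rc=1; }
        else
            echo "$ak: missing (copy id_rsa.pub into it)"; rc=1
        fi
    fi
    return $rc
}

# key_auth_works USER@HOST: succeeds only if the login completes without a
# password prompt; BatchMode makes ssh fail instead of asking.
key_auth_works() {
    ssh -o BatchMode=yes -o PasswordAuthentication=no -o ConnectTimeout=5 "$1" true 2>/dev/null
}

# verify_key_auth USER@HOST...: local file check, then a login test against
# every remote RMI host given.
verify_key_auth() {
    check_key_files "$HOME/.ssh" local || return 1
    for h in "$@"; do
        key_auth_works "$h" || { echo "$h: key-based login failed"; return 1; }
    done
}
```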
7 Configuring RADIUS Clients Using the Access Devices Screen The server configuration must include all the clients (NASs, access points and other network devices) that can communicate with the HP-UX AAA Server. If an access device is not included in the configuration, the server will not handle requests from, or send requests to the client. The Access Devices screen allows you to add a new client, and modify, or delete an existing client in the server configuration.
1. In the Access Devices screen, click the icon corresponding to the New Access Device list. The Add Access Device screen appears as shown in Figure 7-2.
Figure 7-2 Server Manager’s Access Device Attributes Screen
2. In the Access Device Attributes form, enter information according to Table 7-1.
Table 7-1 Add Access Device Configuration Form Options
Option: Function
Name: Enter the network location of the network device. This may be an IPv4 address (in dotted-quad notation), an IPv6 address (in colon-separated notation), or a valid DNS host name. When specifying Name as a DNS host name, you must use the name returned by the hostname command.
Notes:
• Ensure that your DNS is configured correctly (with both forward and reverse entries) for your AAA server.
Table 7-1 Add Access Device Configuration Form Options (continued)
Option: Function
Vendor: Enter the vendor-specific attributes that must be returned to the access device in a reply. In most applications, you can select the hardware vendor of the device, or Generic if the device is not listed. You can make multiple selections by holding down the control key as you select vendor names.
1. In the Access Devices screen, click the icon corresponding to the client whose properties you want to edit. The Modify Access Device screen appears similar to the one shown in Figure 7-2.
2. Edit the fields in the Access Device Attributes form. See Table 7-1 for more information on how to fill in the form.
3. Click Modify to save changes. Click Cancel to return to the Access Devices screen without saving any changes.
Deleting a RADIUS Client
To delete a RADIUS client, complete the following steps:
8 Configuring Realms A realm is a group of users who share a common characteristic, such as being customers of the same Internet Service Provider (ISP). All users of a given realm are handled in the same way, either proxied to a remote server or locally authenticated using a specified method according to the authentication type assigned to the realm.
Figure 8-2 Server Manager’s Local Realm Attributes Screen
3. Complete the form on the Local Realm Attributes screen according to the information given in Table 8-1.
Table 8-1 Fields in the Local Realm Attributes Form
Option: Function
Name: Name of the realm that must be mapped. This name does not have to be a DNS host name. However, HP recommends that the realm name match a domain name. The user will then be able to recognize the user@realm syntax, which resembles their email address.
Table 8-1 Fields in the Local Realm Attributes Form (continued)
Option: Function
User Authentication: Identifies the authentication method used for the realm:
• Enable EAP: Select this option if user authentication by an EAP challenge is required. Select one or more EAP types. At least one authentication method must be selected. For PEAP (EAP-GTC), you must configure the NULL realm. The PEAP version ‘0’ only checkbox is displayed if you select PEAP(EAP-GTC), PEAP(EAP-MSCHAP), or PEAP(EAP-MD5).
Table 8-1 Fields in the Local Realm Attributes Form (continued)
Option: Function
Filter ID: Optional. Allows the specification of a packet filter name to be associated with authentication through this realm name. It overrides any explicit filter name specified in a user profile.
Session Tracking: Optional. Determines if session tracking is enabled for a realm.
2. Click the modify icon corresponding to the realm whose properties you want to modify. The Modify Local Realm screen appears similar to the screen shown in Figure 8-2.
3. Modify the properties on the Local Realm Attributes screen according to the information given in Table 8-1.
4. To submit changes to the realm entry to the Server Manager, click Modify. To return to the Realms screen without making any changes to your server configuration, click Cancel.
Table 8-2 Special Entries
Special Entries: When to Use
Wildcard Entries: When specifying the primary realm for an entry, you can use a wildcard syntax such as *.realm. This syntax provides a shorthand for associating several related realms with a single authentication type. For example, a company may have several branches, eastern.company.com, western.company.com, and central.company.com. The wildcard entry for that company would define *.company.com as the realm.
1. In the Local Realms screen, click the icon corresponding to the realm you want to delete. The Delete Local Realm screen appears as shown in Figure 8-3. This screen allows you to preview the realm attributes before you confirm deletion.
Figure 8-3 The Delete Local Realm Screen
2. Click Delete to delete the realm. Click Cancel to return to the Local Realms screen without deleting the realm.
3. In the Name field, enter the name of the realm for which the user profiles are stored in a database and accessed using the SQL Access feature. The name does not have to be a DNS host name. However, HP recommends that you set the realm name to correspond with the domain name. This enables the user@realm syntax to resemble the e-mail address for all the users in the domain.
4. In the User Profile Storage field, select Database Access via SQL.
Chapter 21: “LDAP Authentication” (page 335) for information on setting up an LDAP server. To configure each realm using LDAP, you must specify the directory server, search base, and other parameters necessary to find profiles for the users in the realm. Complete the following steps to configure realms for LDAP:
1. From the navigation tree, click Local Realms.
2. On the Local Realms screen, click New Local Realm to open the Local Realm Attributes screen.
Table 8-3 Values for Configuring Realms for LDAP (continued)
Value: Description
Host: Name of the host on which the LDAP directory server runs. The value must be a fully qualified DNS name, although an IP address also works. Both traditional IP (IPv4) and IPv6 address formats are supported. The HP-UX AAA Server can resolve DNS name format entries to IPv4 and IPv6 addresses. Enter an IPv4 address in dotted-quad notation. Enter an IPv6 address in IPv6 Literal format notation. For example: IPv4 address: 192.
Table 8-3 Values for Configuring Realms for LDAP (continued)
Value: Description
Filter: The Filter flag allows authentication to be based either on the LDAP uid attribute, which is normally CIS, or on the AAA Server User-Id attribute, which is normally BIN. User-Id is a AAA Server-specific RADIUS attribute. This optional flag defaults to uid.
IMPORTANT: With multiple LDAP directory servers, the Filter used for lookups must be consistent across all directories specified for a particular realm.
1. On the Local Realms screen, select the name of the directory definition you wish to delete.
2. Click Delete.
Tuning the AAA Server to LDAP Server Connection
The AAA server to LDAP server connection can be modified by adding the following entry to /etc/opt/aaa/aaa.config and then stopping and starting the server:
aatv.
9 Configuring Proxies
An AAA proxy is an entity that acts as both a client and a server. When a request is received from a client, the proxy acts as a AAA server. When the same request needs to be forwarded to another AAA entity, the proxy acts as a AAA client. Figure 9-1 illustrates both ends of a proxy configuration relative to the local host. When the local host receives a request that it will authenticate, the server that forwarded the request is called the proxy server.
Figure 9-2 Server Manager’s Proxy Screen
Changing the Default localhost Proxy Settings
The HP-UX AAA Server includes a preconfigured proxy entry named localhost for use in loop-back testing. You must change the default shared secret value for the localhost proxy, or delete it if you do not plan to use loop-back testing. To change the shared secret for the default localhost proxy, complete the following steps:
1. From the navigation tree, click Proxies.
2. On the Proxies screen, click the localhost link.
1. From the navigation tree, click Proxies, and then click New Proxy if you are creating a new proxy. If you are modifying an existing proxy, select the proxy you want to modify. The Proxy Attributes screen appears as shown in Figure 9-3.
Figure 9-3 Server Manager’s Proxy Attributes Screen
2. Fill in the form on the Proxy Attributes screen according to the information given in Table 9-1.
Table 9-1 Proxy Configuration Options
Option: Function
Name: Enter the network location of the proxy server. The name can be an IPv4 address (in dotted-quad notation), an IPv6 address (in colon-separated notation), a valid fully qualified DNS name, or an IP (IPv4 or IPv6) address that contains a wildcard pattern. When specifying Name as a DNS host name, you must use the name returned by the hostname command.
Table 9-1 Proxy Configuration Options (continued)
Option: Function
Response Options: Select any of the check boxes to specify additional message-handling options. The following options are valid:
• RAD_RFC: Verifies that the Access-Request conforms with the RADIUS RFC. Nonconforming messages are dropped.
• ACCT_RFC: Verifies that the Accounting-Request conforms with the Accounting RFC. Nonconforming messages are dropped.
Table 9-2 Options for Forwarding Requests
Option: Description
Realms to forward: All requests originating from the realm listed in this drop-down list will be forwarded to the remote server. To add a realm to the list, select Add Realm from the list. To modify or delete a listed realm, select the realm name from the drop-down list. When you add or modify a realm, you specify the realm name and whether its accounting messages should be forwarded to the remote server.
1. Follow the steps listed in “Creating or Modifying a Proxy” (page 118).
2. In the Realms to Forward field, select the Add Realms option.
3. Complete the Proxy Realm screen that appears by entering the name of the realm.
4. Select Yes if accounting requests are not to be forwarded to the proxy server.
5. On the Proxy Realm screen, click Save.
6. Repeat steps 2 to 4 for each realm that must be forwarded to the remote server.
4. From the navigation tree, click Save Configuration.
CAUTION: Clicking Save Configuration saves the entire server configuration (access devices, proxies, local realms, users, and server properties) to the servers you specify.
Forwarding Accounting Requests
The HP-UX AAA Server forwards accounting start and stop messages to the remote proxy server. The server can be configured to suppress forwarding of accounting start and stop messages by local session logging.
4. In the Proxy Realm window, click Save.
5. Click Create.
6. From the navigation tree, click Save Configuration.
CAUTION: Clicking Save Configuration saves the entire server configuration (access devices, proxies, local realms, users, and server properties) to the servers you specify.
NOTE: By default, accounting messages are forwarded to the remote proxy server. Select Yes for Use Local Session Tracking to Suppress Forwarding of Accounting Requests to record accounting start and stop messages locally.
1. In the Proxies screen, click the icon corresponding to the proxy you want to delete. The Delete Proxy screen appears as shown in Figure 9-4. This screen allows you to preview the proxy attributes before you confirm deletion.
Figure 9-4 The Delete Proxy Screen
2. Click Delete to delete the displayed proxy entry. Click Cancel to return to the Proxy screen without deleting the entry.
10 Configuring Users
User profiles associate information with a user name for authentication and authorization. This information is defined by attribute-value pairs. The server configuration must include profiles for all the users that can access services through the AAA server. If a user profile is not included in the configuration, the server will reject the user’s access request. Profiles are stored in flat text files or in an external source. This section covers user profiles stored in a text file.
1. From the navigation tree, click Users to access the Users screen shown in Figure 10-1.
2. Select test_user by clicking the Edit icon corresponding to it. The Modify Users pane appears similar in appearance to the Add Users pane shown in Figure 10-2.
3. Change the default password and confirm it by entering it again.
4. Click Modify.
Table 10-1 General Attributes in the Add User Screen
Attribute Name: Description
User Name: Value to compare to the User-Name attribute value in the request. It must be less than 64 characters. The characters &, “, ~, \, /, %, $, ‘, and space cannot be used.
Authentication Type: Use this field to supersede the Authentication type specified in the user’s realm. Selecting Local will use the authentication method specified by the user’s realm.
Table 10-1 General Attributes in the Add User Screen (continued)
Attribute Name: Description
Service Type (Check/Reply): Indicates a type of provided service. When used as a reply item, the server returns the value to the access device as an instruction to determine the service to provide. When used as a check item, the server will reject an Access-Request that does not include a hint for the specified service type.
3. Click Create if you are adding a new user profile. Click Modify if you are modifying an existing user profile. Click Cancel to return to the Users screen without making any changes. If each field contains a valid value, the profile will be created or modified; otherwise, an error message is displayed.
Modifying User Profiles
Complete the following steps to modify a user’s properties:
1. From the navigation tree, click Users. The Users screen appears as shown in Figure 10-1.
To Delete a User Profile From the Default users File
To delete a user profile in the default users file, complete the following steps:
1. In the Users screen, click the icon corresponding to the user profile you want to delete. The Delete User screen appears as shown in Figure 10-4. This screen allows you to preview the user attributes before you confirm deletion.
Figure 10-4 The Delete Users Screen
2. Click Delete to delete the displayed user profile.
11 Modifying Server Properties
You can modify server variables to override built-in defaults. Server startup options override the corresponding server property setting. You can modify server variables using the Server Properties screen. Enter values for the given parameters to modify a server variable.
Navigating the Server Properties Screen
The Server Properties screen can be accessed by selecting the Server Properties link in the Server Manager navigation tree.
Table 11-1 DHCP Relay Properties (continued)
Option: Function
Send User Class: Determines which attribute in the DHCP message will carry the IP address pool name. If set to Yes, the pool name is sent in the User-Class option. If set to No, the pool name is sent in the Vendor-Class-Identifier option.
Initial Retransmission Interval (optional): The time in seconds before the initial retransmission of a request to the DHCP server. If no value is specified, 4 is used.
Message Handling Properties
Clicking the Message Handling Properties link takes you to the Message Handling Properties screen where you can modify the properties described in Table 11-3.
Table 11-3 Message Handling Properties
Option: Function
Hold Replies (optional): The time in seconds to store requests (and the associated replies) in the retransmission queues. The Hold Replies time is calculated from the time when the replies were initially sent. If no value is specified, 6 will be used.
Table 11-3 Message Handling Properties (continued)
Option: Function
Max. Authentication Requests: The maximum number of simultaneous authentication requests to be stored in a retransmission queue. When this limit is exceeded, all new authentication requests are discarded. HP recommends that this value match the value used for Max. Accounting Requests. If no value is specified, 1000 will be used.
NOTE: When this authentication queue limit is exceeded, the server stops responding to the Status command.
Tunneling Reply Items (optional): Use the drop-down menu to specify the behavior when the HP-UX AAA Server receives an Access-Request that does not contain any Tunnel Hint attributes (such as Tunnel-Type). The options are as follows:
• Return-Configured-Tunnel-Attributes: Allows the return of tunnel attributes in the authentication reply.
• Return-No-Tunnel-Attributes: Does not return any tunnel attributes in the authentication reply.
Table 11-4 Certificate Path Properties (continued)
Option: Function
Client User Name Attribute: For TLS only. Identifies the attribute in the user digital certificate from which to retrieve the user's name. This attribute must match the user name configured on the supplicant (client) software. The AAA server will check the user name in the certificate against the user name supplied in the EAP-TLS authentication request.
Local Users File Properties
Enable (Yes) to enable case-insensitive searching in the default users file. The default setting is No (searches are case sensitive by default).
ProLDAP Properties
Clicking ProLDAP Properties takes you to the ProLDAP Properties screen where you can modify the properties described in Table 11-5.
Table 11-5 ProLDAP Properties
Option: Description
Debug: Determines whether OpenLDAP debug messages must be logged in the HP-UX AAA Server radius.debug file.
AAA Server As A Client Properties
Clicking AAA Server As A Client Properties takes you to the AAA Server As A Client Properties screen where you can modify the properties described in Table 11-6.
Table 11-6 AAA Server As A Client Properties
Option: Description
Max Client Requests: Specifies the maximum number of client requests that can be stored in the client queue. Client requests exceeding the specified limit are discarded. The default value is 25000.
Table 11-7 Client Action Properties
Option: Description
Action Name: Specifies a string used to identify a client action.
Timer Value: Specifies the frequency (in seconds) at which requests are created for a client action. The default value is 1 second.
Maximum Requests: Specifies the maximum number of requests that will be created each time the client action is invoked. By default, an unlimited number of requests is generated.
12 Logging and Monitoring This chapter covers the server's diagnostic functions that allow you to search and display information related to the server's operation and usage. Overview You can view the log files that record the details of each AAA transaction or the session logs that record information about each user's session. You can also access information for active sessions and manually terminate a session if necessary.
Figure 12-1 Server Manager’s Logfile Screen
Search Parameters
You can filter which dates and times to retrieve from the logfile.
Table 12-1 Filter Parameters for Searching Logfiles
Option: Description
Begin (server time): The date and time of the first record in the range of data to retrieve.
End (server time): The date and time of the last record in the range of data to retrieve.
User: Limits the result of the search command to messages related to a specific user.
Message Types
You can filter what data to retrieve according to the type of messages. For each message type, you indicate whether the message type should or should not be retrieved by selecting the Yes or No radio buttons. The different message types are:
• Server Failure: This type of message indicates a server internal error or a problem with the configuration files.
• Warning: This type of message indicates a problem with the server, but the server is still able to process RADIUS requests.
Figure 12-2 Server Manager’s Statistics Screen
Table 12-2 Statistic Search Parameters
Option: Description
Begin (server time): The date and time of the first record in the range of data to retrieve.
End (server time): The date and time of the last record in the range of data to retrieve.
The AAA server statistics are displayed in a bar graph similar to the example in Figure 12-3.
NOTE: If the logfile exceeds its size limit (as configured in the File Size Property under the Server Properties link), a new logfile for that day is created and identified by a part<01-09> portion of the logfile name. For example: /var/opt/aaa/acct/session.yyyy-mm-dd_part<01-09>.log
By default, the radius.fsm (logall.fsm) state table calls the LAS_ACCT module when the server receives an Accounting-Request to start or stop the session.
Figure 12-5 Detailed Accounting Record for a Selected User

Format of Accounting Records in the Default Merit Style

RADIUS accounting records store both the user's account information and the user's historical session information. Each record begins with a tab-delimited line of values that represent the default AAA server session information. This information includes time-based values, as well as HP-UX-specific and standard RADIUS A-V pairs.
Log-time: The difference between the time on the machine where this log was written, at the moment it was written, and the start-time. This field is used to compress the data.
Connect time: How long (in seconds) the session was known to the local AAA Server host.

Client A-V Pairs: Represent attribute values that describe the client used for authentication and authorization.
Table 12-4 Reasons Why The Record Was Generated (continued)
Reason | Integer | Billed/Info | Description
AC_AUTHORIZED | 10 | Info | Session authorized: This record is intended for statistics only.
AC_NASREBOOT | 11 | Info | The session is released due to NAS reboot.
AC_REMOTE | 12 | Info | The session is for a remote server, failed to forward.
AC_DUPLICATE | 13 | Info | Duplicate accounting record received: This record is intended for statistics only.
Livingston CDR Session Record Format Each record of a user’s session begins with Date and Time and a list of Attribute-Value pairs, one below the other. This information includes time-based values as well as specific and standard RADIUS A-V pairs.
Changing the Accounting Log Rollover Interval

The log rollover interval (how often a new log file is created to store accounting records) is determined by the timestamp portion of the filename. To change the interval, follow the steps in “Changing the Accounting Log Filename” (page 150). The logging interval changes to the smallest unit of time in the timestamp portion of the filename. For example, %Y-%m-%d-%H changes the rollover interval to hourly.
message type for which the log level should be set. msg_type should be one of the following:
• auth: Authentication messages.
• acct: Accounting messages.
• disconn: Disconnect messages.
• coa: Change-Of-Authorization messages.
• all: All the above messages.

msg_sub_type specifies the sub type of msg_type for which the log level should be set. msg_sub_type should be one of the following:
• req: Request messages.
• resp: Response messages.
• ack: Ack response messages.
• nak: Nak response messages.
Part III Advanced Configuration Information

This part of the HP-UX AAA Server Administrator’s Guide contains the following chapters:
• Chapter 13: “Securing LAN Access With EAP” (page 159)
• Chapter 14: “Managing Sessions” (page 169)
• Chapter 15: “Assigning IP Addresses” (page 174)
• Chapter 16: “OATH Standards-Based OTP Authentication” (page 179)
• Chapter 17: “Configuring EAP-SIM and EAP-AKA Authentication Methods” (page 224)
• Chapter 18: “Configuring HP-UX AAA Server for Scalability and High-Availabili
13 Securing LAN Access With EAP

IMPORTANT: The EAP-LEAP authentication method is obsolete in this release of the HP-UX AAA Server. The EAP-LEAP authentication method is replaced by the EAP-PEAP authentication method. HP recommends that you use EAP-PEAP in place of EAP-LEAP for improved security. Unlike EAP-LEAP, EAP-PEAP supports mutual authentication and uses an encrypted tunnel to transmit the user's credentials.

This chapter provides information about securing LANs with EAP using the HP-UX AAA Server.
Figure 13-1 The Secure LAN Advisor For Securing WLANs

Preparing Your LAN

A LAN requires you to synchronize items on the supplicant, access point, and AAA server. The following table lists the items you need to synchronize on each node and provides notes on configuring each item.
Table 13-1 LAN Configuration Items
Item | Nodes | Notes
Shared Secret | Access Device; AAA Server | The shared secret configured on the access device and AAA server must match for the two to communicate. Use the Access Devices link to configure this item on AAA servers.
EAP Support | Access Device | Most access devices require you to enable EAP. You do not need to specify an EAP method, but you must enable support for EAP.
software for each EAP method (LAN access devices must only support EAP). For wireless clients, you must use supplicants that support the hardware platforms, operating systems, and WLAN cards in your environment. Ideally, you should try to use client hardware and software that allows you to use one EAP method for all your clients. This may mean avoiding solutions that are proprietary or support only a small variety of clients. Next, determine which of the following features are important to you: 1.
NOTE: The HP-UX AAA Server supports only the following EAP authentication methods for OTP authentication:
• PEAP (EAP-GTC)
• TTLS (PAP and MS-CHAP v2)
The HP-UX AAA Server also supports EAP-SIM and EAP-AKA for mobile communication networks. For information on EAP-SIM and EAP-AKA, see Chapter 17 (page 224).

The following table lists the EAP methods the HP-UX AAA Server supports and which of the above features each method offers.
NOTE: If you are using TLS, TTLS, or PEAP, be sure you configure the required digital certificates after you configure all your realms.

Securing WLANs with the HP-UX AAA Server

The following is the list of the steps for securing WLANs with the HP-UX AAA Server. Use the Secure LAN Advisor and refer to each specific section in this guide for more information on each step.
1. Access Server Manager. See “Accessing the Server Manager” (page 71) for more information.
2.
• Client certificate—if clients will be authenticated by digital certificates (EAP-TLS), install a certificate on each client and add the client CA to the AAA server’s CA list.
• Client CA certificate—a copy of the certificate for the authority that issued the client certificate.

NOTE: If you are supporting multiple realms, configure digital certificates after you add all of your realms.
2. Copy /etc/opt/aaa/security/demouser.p12 to the user certificate storage on the supplicant:
   • the pass phrase for demouser.p12 is: 1234
   • the user name for demouser.p12 is: demouser@eap.realm
3. Configure a TLS realm for eap.realm on the AAA server.

Installing Your Own Digital Certificates and Keys

You can use your own certificates if your organization has a PKI and you don’t want to use the self-signed certificates included with the HP-UX AAA Server.
Installing Client Certificates and Keys

1. Copy the server CA certificate to the client.
2. Copy the client certificate to the client (for TLS only).
3. Use your supplicant’s utility to install and configure the certificates.

Defining Certificate Locations on the HP-UX AAA Server

The HP-UX AAA Server uses its self-signed certificates by default. If you want to use your own certificates, you must define where the required certificates reside on the AAA server.
3. Define the locations of the certificates by entering the path and clicking Create. The following list explains how to enter the path names in these fields:
   • Server Certificate Path: For TLS, TTLS, and PEAP. Enter the fully qualified file name of the AAA server certificate in .pem or .cer format.
   • Server Private Key Path: Enter the fully qualified file name of a file in .pem or .cer format that contains the private key used to generate the AAA server certificate. This file cannot be encrypted.
14 Managing Sessions

NOTE: This chapter does not apply to session management using the SQL Access feature. See Chapter 22: “SQL Access” (page 338) for more information on session management using the SQL Access feature.

This chapter covers two procedures: reading records of active sessions, and manually stopping sessions.

Session Logs

After a user is successfully authenticated and the AAA server sends an Access-Accept, the access device sends an Accounting-Request message to start the session.
Figure 14-2 Example Return for a Sessions Search

4. Select a session. The AAA server manager displays the attributes for the selected session, similar to the example shown in Figure 14-3.

Figure 14-3 Example of a Session’s Attributes

5. Click OK when you are done reading the session.

Stopping a Session

This procedure is intended for sessions that were terminated on the access device but are maintained as active by the AAA server.
1.
on the network. Session limits are defined through A-V pairs. These limits can be enforced on a user-by-user or global basis.

Setting Limits on a User-by-User Basis

If the user profile does not currently exist, follow the appropriate procedure to create a new profile. If the user profile does exist, access the user profile from the text file or database that stores the profile.

Setting Timeout Values

If the user profile is stored in a AAA server flat file:
1.
If the user profile is stored in a AAA server users file (grouped by realm or the default file), assign values to the User Attributes fields that can limit access:
• Assign a NAS Port value (under the NAS/Login tab) to limit access to a specific dial-in connection identified by port.
• Assign a NAS ID value (under the NAS/Login tab) to limit access to a specific dial-in connection identified by NAS.
5. Access the user profile and set the simultaneous session limit. • If the user profile is stored in a AAA server users file, select the Free tab from the User Attributes screen and then enter the following in the Check text box according to the limits you want to set.
15 Assigning IP Addresses

The following information explains how the HP-UX AAA Server can be used to assign static or dynamic IP addresses to users.

IMPORTANT: Currently, only static IPv6 addresses and prefixes can be assigned using the HP-UX AAA Server. Dynamic assignment of IPv6 addresses is not supported.

Assigning Static IP Addresses

The procedure for assigning static IP (IPv4 and IPv6) addresses depends on where the user profile is stored.
Figure 15-2 The Framed User Attributes Form

5. Enter the static IP for the user in the Framed IP Address field.
6. Click Modify.

To Assign a Static IPv6 Address to a Profile in Flat Files

To assign a static IPv6 address to a user profile stored in AAA server flat files, complete the following steps:
1. From the navigation tree, click Local Realms.
2. Choose the users icon for the realm the user is in. The Users screen appears as shown in Figure 15-3.
Figure 15-3 The Users Screen

3. Click the Edit icon next to the user whose static IP address you want to modify. The Modify Users screen appears.
4. Click the Framed tab. The Framed User Attributes form is displayed on the screen as shown in Figure 15-4.
Figure 15-4 The Framed User Attributes Form

5. Enter the static IPv6 Interface Id for the user in the Framed Interface ID field.
6. Enter the static value for the prefix that needs to be assigned to the user in the Framed IPv6 Prefix field.
   NOTE: See “Syntax of IPv6 Attributes” (page 528) for more information on IPv6 attributes.
7. Click Modify.
To Assign Static IPv6 Addresses to a User Profile in an LDAP LDIF File

To assign static IPv6 addresses to a user profile stored in an LDAP LDIF file, complete the following steps:
1. From the command line, open the LDIF file the user profile is stored in.
2. Add the following lines to the user profile:
   aaaReply: Framed-IPv6-Prefix =
   aaaReply: Framed-Interface-Id =
3. Save the file.

Assigning Dynamic IP Addresses Using DHCP

You can assign dynamic IP (traditional IPv4) addresses using DHCP.
16 OATH Standards-Based OTP Authentication

IMPORTANT: The SecurID authentication is obsolete in this release of the HP-UX AAA Server. The SecurID authentication can be replaced by Open AuTHentication (OATH) standards-based One-Time Password (OTP) authentication. OATH is an industry-wide collaboration to develop open-reference architecture for strong authentication. The OATH standards-based OTP authentication solution supports hardware and software tokens from multiple vendors.
OATH is an industry-wide collaboration to develop open-reference architecture for strong authentication. OATH consortium has developed a set of open royalty-free algorithms for one-time passwords. The OATH standards-based OTP authentication solution uses the HMAC-based One-Time Password (HOTP) algorithm to generate an OTP using a shared secret and sequence counter. The HOTP algorithm is a sequence-based algorithm.
Figure 16-1 OATH Standards-Based OTP Authentication Flow and the HP-UX AAA Server

Following is the OTP authentication process flow:
1. The user requests access to a protected resource by sending the user credentials (password or OTP, or password and OTP), encrypted with the shared secret, to the authenticator. The OTP can contain six, seven, or eight digits.
2. The authenticator forwards the request to the HP-UX AAA Server.
3. The HP-UX AAA Server validates the OTP and password locally.
Based on the success or failure of authentication, the HP-UX AAA Server sends an Access-Accept or Access-Reject message to the user.

Supported OTP Functions for RADIUS Standard Password (PAP) and MS-CHAP v2

OTP support for MS-CHAP v2 is compatible with RFC 4226. Table 16-1 describes the supported functions for PAP and MS-CHAP v2.
The following components required to configure OTP authentication are not provided with the HP-UX AAA Server:
• SQL database
• OTP generators (typically, token devices or software that generates OTPs) with their inventory files (files that contain the shared secret and other token information)

Configuring OTP Authentication on the HP-UX AAA Server

The HP-UX AAA Server uses SQL Access, the FSM, and policy actions to support OTP authentication.
Notes:
1. The HP-UX AAA Server supports only the token information that is stored in the SQL database.
2. The HP-UX AAA Server supports only the following EAP authentication methods for OTP authentication:
   • PEAP (EAP-GTC)
   • TTLS (PAP and MS-CHAP v2)

IMPORTANT NOTES:
• After using the sample reference implementation and before deploying your implementation in a production environment, you must change the default passwords for the database user and the test user, and the shared secret of the test user.
Figure 16-2 OTP Authentication Configuration Flowchart for RADIUS Standard Password
Figure 16-3 OTP Authentication Configuration Flowchart for MS-CHAP v2

Basic or Typical Configuration

A basic or typical scenario involves configuring the HP-UX AAA Server to provide two-factor authentication when user and token information is stored in different tables in the same SQL database.
IMPORTANT NOTES:
• After using the sample reference implementation and before deploying your implementation in a production environment, you must change the default passwords for the database user and the test user, and the shared secret of the test user.
• If the shared secret provided by the token vendor is in ASCII format, edit the /etc/opt/aaa/sqlaccess.config file to change the following entry in the RetrieveUserAndToken SQL action: DBC(RAD_TOKENS_TABLE.
“Attributes for Configuring OTP Authentication” (page 192). Table 16-2 lists the bit masks that can be used to configure the HP-UX AAA Server to perform various tasks.

Table 16-2 Bit Masks to Configure OTP Authentication Tasks
Task | Bit Mask | Support for RADIUS Standard Password
Splits the incoming password into password and OTP.
Table 16-2 Bit Masks to Configure OTP Authentication Tasks (continued)
Task | Bit Mask | Support for RADIUS Standard Password | Support for MS-CHAP v2 | Description
Removes the OTP | 2 | Yes | No | The HP-UX AAA Server removes the OTP from the incoming password and replaces the User-Password attribute with the password. This bit mask must be used if the User-Password attribute contains the password and OTP.
Sets the proxy event code | 1 | Yes | No | The HP-UX AAA Server returns a proxy event to the FSM.
Figure 16-4 Usage of Bit Masks to Set OTP Authentication Actions

The OTP-ActionId attribute is set to 112 by converting the binary value 01110000 into decimal. Table 16-3 lists some common actions along with the bit masks that must be used for configuration.
Table 16-3 Common OTP Authentication Actions (continued)
Action | RADIUS Standard Password OTP-ActionId Value | MS-CHAP v2 OTP-ActionId Value | Bit Mask Set
Validates only the OTP, replaces User-Password with the incoming password and sets the proxy event to proxy the request to the configured proxy target server in the proxy-egress.grp policy file, for password validation, if the incoming request contains password and OTP. | 83 | Not applicable | 01010011
Validates only the OTP if the OTP is sent with the password. | 80 |
Table 16-3 Common OTP Authentication Actions (continued)
Action | RADIUS Standard Password OTP-ActionId Value | MS-CHAP v2 OTP-ActionId Value | Bit Mask Set
| 40 | 40 | 00101000
Validates only the password when the incoming request contains only the password. This action is equivalent to the configuration for password authentication. HP recommends using the default configuration for better performance. | 32 | 32 | 00100000
Validates the OTP if the incoming request contains only the OTP. | 16 |
Table 16-4 Attributes for Configuring OTP Authentication (continued)
Attribute Name | Configuration Type | Description | Default Value | Value Type
(description continued) recalculate the next OTP values and check against the received OTP to synchronize the sequence counter. If this attribute is not specified, the value of the system-wide configuration entry otp_lookup_window is used as the default value. | 10 | integer
HOtp-Seq-Counter | User level configuration only | Specifies an eight-byte counter value.
Table 16-4 Attributes for Configuring OTP Authentication (continued)
Attribute Name | Configuration Type | Description | Default Value | Value Type
(description continued) system-wide configuration item otp_token_length is used as the default value. | 6 | integer
Otp-ActionId | Realm level configuration only | Specifies the OTP actions to be processed.
Table 16-4 Attributes for Configuring OTP Authentication (continued)
Attribute Name | Configuration Type | Description
Otp-Add-Checksum | User, realm, or system-wide level configuration | Specifies the action to add the checksum while validating the OTP. If this attribute value is yes, the HP-UX AAA Server calculates the checksum for the generated OTP. While validating the OTP, if the calculated checksum is identical, the HP-UX AAA Server continues with the OTP validation.
Table 16-5 System-Wide OTP Configuration Items
Configuration Item | Description | Default Value
otp_lookup_window | Specifies the size of the look-ahead window. This enables the HP-UX AAA Server to recalculate the next OTP values and check them against the received OTP to synchronize the sequence counter. | 10
otp_token_length | Specifies the OTP length. Tokens can generate OTPs having six, seven, or eight digits. | 6
otp_token_lock_counter | Specifies the lock counter.
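The HOTP validation described in this chapter (RFC 4226 OTP generation from the shared secret and sequence counter, the otp_lookup_window look-ahead, the six-to-eight-digit otp_token_length, and the otp_token_lock_counter lock-out), as an added Python illustration that is not HP-UX AAA Server code. TokenRecord is a constructed stand-in for one RAD_TOKENS_TABLE row, LOCK_COUNTER stands in for otp_token_lock_counter, and treating the OTP as the trailing digits of a combined User-Password is this example's assumption, since the manual does not state the concatenation order.

```python
"""HOTP (RFC 4226) validation with a look-ahead window and a failed-attempt lock.

Illustration only: TokenRecord mimics one RAD_TOKENS_TABLE row, LOCK_COUNTER
stands in for otp_token_lock_counter, and split_password assumes the OTP is
appended to the password (assumption, not documented behaviour)."""
import hashlib
import hmac
import struct
from dataclasses import dataclass


def hotp(shared_secret: bytes, seq_counter: int, otp_length: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA-1 over the eight-byte big-endian counter,
    dynamic truncation, then the low otp_length decimal digits, zero-padded."""
    if otp_length not in (6, 7, 8):
        raise ValueError("OATH tokens generate six, seven or eight digits")
    if not 0 <= seq_counter < 2**64:
        raise ValueError("HOtp-Seq-Counter is an eight-byte counter")
    counter_bytes = struct.pack(">Q", seq_counter)
    digest = hmac.new(shared_secret, counter_bytes, hashlib.sha1).digest()
    offset = digest[19] & 0x0F                      # low nibble of last byte
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10**otp_length).zfill(otp_length)


@dataclass
class TokenRecord:
    """Constructed stand-in for a RAD_TOKENS_TABLE row (subset of its columns)."""
    serial_number: str
    shared_secret: bytes
    seq_counter: int            # next counter value the server expects
    otp_length: int = 6         # otp_token_length
    lookup_window: int = 10     # otp_lookup_window
    token_status: str = "active"
    success_auth_count: int = 0
    failed_auth_count: int = 0
    failed_lock_count: int = 0


LOCK_COUNTER = 5  # constructed value standing in for otp_token_lock_counter


def validate_otp(token: TokenRecord, received_otp: str) -> bool:
    """Check received_otp against the next lookup_window HOTP values.

    On a match the counter jumps past the matching value, so the same OTP
    cannot be replayed, and the lock counter resets.  On failure both failure
    counters grow and the token is locked once LOCK_COUNTER is reached."""
    if token.token_status != "active":
        return False
    matched = None
    if len(received_otp) == token.otp_length and received_otp.isdigit():
        for candidate in range(token.seq_counter,
                               token.seq_counter + token.lookup_window):
            expected = hotp(token.shared_secret, candidate, token.otp_length)
            if hmac.compare_digest(expected, received_otp):
                matched = candidate
                break                               # first hit inside the window
    if matched is None:
        token.failed_auth_count += 1
        token.failed_lock_count += 1
        if token.failed_lock_count >= LOCK_COUNTER:
            token.token_status = "locked"
        return False
    token.seq_counter = matched + 1                 # resynchronise past the match
    token.success_auth_count += 1
    token.failed_lock_count = 0
    return True


def split_password(user_password: str, otp_length: int) -> tuple[str, str]:
    """Split a combined User-Password into (password, otp).
    Assumes the OTP follows the password; the manual does not state the order."""
    if len(user_password) <= otp_length:
        raise ValueError("User-Password shorter than password + OTP")
    return user_password[:-otp_length], user_password[-otp_length:]


def run_scenario() -> dict:
    """Walk one constructed token through accept, replay, resync and lock-out.
    The secret is the RFC 4226 Appendix D test secret; a window of 4 keeps the
    walk-through short."""
    token = TokenRecord("SN-0001", b"12345678901234567890",
                        seq_counter=0, lookup_window=4)
    results = {}
    _, otp = split_password("s3cret" + hotp(token.shared_secret, 3), 6)
    results["accept_within_window"] = validate_otp(token, otp)   # counter 3 < window
    results["counter_after_accept"] = token.seq_counter          # now 4
    results["replay_rejected"] = not validate_otp(token, otp)    # same OTP again
    results["next_accepted"] = validate_otp(token, hotp(token.shared_secret, 4))
    for _ in range(LOCK_COUNTER):                                # repeated bad OTPs
        validate_otp(token, "000000")
    results["status_after_failures"] = token.token_status        # locked
    results["locked_rejects_valid"] = not validate_otp(
        token, hotp(token.shared_secret, token.seq_counter))
    return results


if __name__ == "__main__":
    print(hotp(b"12345678901234567890", 0))   # 755224, RFC 4226 test vector
    print(run_scenario())
```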
Configuring OTP Authentication for Tunneled EAP Mechanisms

If you have created EAP tunneled realms using the Server Manager for PEAP (EAP-GTC) or TTLS (PAP or MS-CHAP v2), refer to the following rules for specifying the realms when configuring OTP authentication:

If you have configured the same inner and outer realms
• If you are using PEAP (EAP-GTC) as the authentication mechanism, replace the variable with the configured inner realm name, using the following syntax in the request-ingress.
authentication mechanism, specify the realm name in the request-ingress.grp as follows:
    if ( (count (User-Name) > 0) && (substr (User-Name after "@" ) = "otprealm" ) )
Specify the realm name in the reply-egress.grp file as follows:
    if ( (count (User-Realm) > 0) && (User-Realm = "otprealm"))

NOTE: Creating different inner and outer realms for OTP authentication is supported only for TTLS (PAP and MS-CHAP v2). For information on creating tunneled EAP realms, see “Adding a Realm” (page 105).
SQLAction RetrieveToken {
    {
    input
        RAD(User-Id, REPLY)                  DBP(userid, 253, CHAR)
    output
        DBR(100:*)                           RET(RETRIEVE_ERROR)
        DBR(-1:*)                            RET(ERROR)
        DBC(serial_number, 128, CHAR)        RAD(Otp-Token-Serial-Number, REPLY)
        DBC(token_status, 128, CHAR)         FUNC(AAATokenStatusCheck)
        DBC(seq_counter, 38, CHAR)           RAD(HOtp-Seq-Counter, REPLY)
        DBC(shared_secret, 128, CHAR)        FUNC(AAASetConvertedHexToBinaryString)
        DBR(0:0)                             RET(RETRIEVE_SUCCESS)
        DBR(*:*)                             RET(RETRIEVE_ERROR)
    SQLStatement db_oci {
        SELECT serial_number, token_stat
        FROM
        WHERE
Notes:
• The scenarios described in this section are applicable whether you are using RADIUS standard password authentication or EAP authentication.
• The HP-UX AAA Server supports only the following EAP authentication methods for OTP authentication:
  — PEAP (EAP-GTC)
  — TTLS (PAP and MS-CHAP v2)
• Creating different inner and outer realms for OTP authentication is supported only for TTLS (PAP and MS-CHAP v2). For information on creating tunneled EAP realms, see “Adding a Realm” (page 105).
If you have configured... | Then …
Tunneled realms with different inner and outer realms for EAP authentication | Replace the variable in the following syntax with the inner realm name configured in Step 1:
    if ((count (User-Name) > 0) && (substr (User-Name after "@") = "")) {
        insert Otp-ActionId = 16
        exit "ACK"
    }
Tunneled realms with the same inner and outer realms for EAP authentication | 1. Delete the following (default) condition in the request-ingress.
If you have configured … | Then…
Tunneled realms with the same inner and outer realms for EAP authentication | Replace with the inner realm name configured in step 1 using the following syntax:
    • PEAP (EAP-GTC): /peap
    Or
    • TTLS (PAP) or TTLS (MS-CHAP v2): /ttls

5. Reload the configuration changes by selecting Reload from the Administration screen of the Server Manager. If the server is not running, start the HP-UX AAA Server to read the configuration information.
4. In the /etc/opt/aaa/reply-egress.
3. Modify the following stored procedures in the SQL database for the combined table:
   • update_seq_and_success_count
   • update_failedcount_tokenstatus
4. If not appended, append the contents of the sample OTP reference implementation policy files (located in /opt/aaa/examples/config) to the default policy files (located in /etc/opt/aaa) using the following commands:
   # cat /opt/aaa/examples/config/oath-request-ingress.grp >> /etc/opt/aaa/request-ingress.grp
   # cat /opt/aaa/examples/config/oath-reply-egress.
If you have configured... | Then …
Tunneled realms with same inner and outer realms for EAP authentication |
  1. Delete the following (default) condition in the request-ingress.grp file:
       if ((count (User-Name) > 0) && (substr (User-Name after "@") = "")) {
           insert Otp-ActionId = 112
           exit "ACK"
       }
  2. Based on the EAP authentication method you have configured, add one of the following conditions in the /etc/opt/aaa/request-ingress.
If you have configured … | Then…
Tunneled realms with the same inner and outer realms for EAP authentication | Replace with the inner realm name configured in step 1 using the following syntax:
    • PEAP (EAP-GTC): /peap
    Or
    • TTLS (PAP) or TTLS (MS-CHAP v2): /ttls

7. Reload the configuration changes by selecting Reload from the Administration screen of the Server Manager. If the server is not running, start the HP-UX AAA Server to read the configuration information.
If you have configured... | Then …
Tunneled realms with different inner and outer realms for EAP authentication | Replace the variable in the following syntax with the inner realm name configured in Step 1:
    if ((count (User-Name) > 0) && (substr (User-Name after "@") = "")) {
        insert Otp-ActionId = 112
        insert Otp-Retrieve-TokenInfo-ActionId = "RetrieveToken"
        exit "ACK"
    }
Tunneled realms with the same inner and outer realms for EAP authentication | 1. Delete the following (default) condition in the /etc/opt/aaa/request-ingress.
Use the following rules while replacing the variable with the realm name:

If you have configured … | Then…
The realm for RADIUS standard password authentication | Replace with the realm name configured in step 1
Tunneled realms with different inner and outer realms for EAP authentication | Replace with the inner realm name configured in step 1
Tunneled realms with the same inner and outer realms for EAP authentication | Replace with the inner realm name configured in step 1 usin
1. Configure the realm using the Realms Screen of the Server Manager. Based on the user profile, configure the realm for the local users file, LDAP, or an Oracle or MySQL database (using SQL Access). For more information on configuring the realm, see “Adding a Realm” (page 105).
2. Configure the proxy target server using the Server Manager and save the configuration.
3.
If you have configured... | Then …
Tunneled realms with same inner and outer realms for EAP authentication |
  1. Delete the following (default) condition in the /etc/opt/aaa/request-ingress.grp file:
       if ((count (User-Name) > 0) && (substr (User-Name after "@") = "")) {
           insert Otp-ActionId = 112
           exit "ACK"
       }
  2. Based on the EAP authentication method you have configured, add one of the following conditions in the /etc/opt/aaa/request-ingress.
If you have configured … | Then…
Tunneled realms with the same inner and outer realms for EAP authentication | Replace with the inner realm name configured in step 1 using the following syntax:
    • PEAP (EAP-GTC): /peap
    Or
    • TTLS (PAP): /ttls

6.
7. Reload the configuration changes by selecting Reload from the Administration screen of the Server Manager. If the server is not running, start the HP-UX AAA Server to read the configuration.
Validating OTP on the Local Server and Forwarding Password to Another RADIUS Server

To configure the HP-UX AAA Server to validate the OTP and forward the password to another RADIUS server for validation, complete the following steps:
1. Configure the realm using the Realms Screen of the Server Manager. While configuring the realm, use the procedure listed in “Configuring Realms for Database Access via SQL” (page 111).
If you have configured... | Then …
Tunneled realms with different inner and outer realms for EAP authentication | Replace the variable in the following syntax with the inner realm name configured in Step 1:
    if ((count (User-Name) > 0) && (substr (User-Name after "@") = "")) {
        insert Otp-ActionId = 83
        exit "ACK"
    }
Tunneled realms with the same inner and outer realms for EAP authentication | 1. Delete the following (default) condition in the /etc/opt/aaa/request-ingress.
If you have configured … | Then…
Tunneled realms with the same inner and outer realms for EAP authentication | Replace with the inner realm name configured in step 1 using the following syntax:
    • PEAP (EAP-GTC): /peap
    Or
    • TTLS (PAP): /ttls

6. In the proxy-egress.
Forwarding OTP and Password to Another RADIUS Server for Validation To forward the OTP and password (complete request) to another RADIUS server, HP recommends that you use the Server Manager to forward the complete request to the RADIUS server. For more information on forwarding requests, see “Configuring Proxies” (page 117).
RAD_TOKENS_TABLE columns: serial_number, user_name, manufacturer, token_status, seq_counter, shared_secret, otp_length, lookup_window, checksum, activation_code, success_auth_count, failed_auth_count, failed_lock_count, locktime

The SQL actions and stored procedures listed in Table 16-6 are added in the sqlaccess.config file to support OTP authentication.
Table 16-6 SQL Actions and Stored Procedures that Support OTP Authentication (continued)
SQL Action | Table Operated On | Operation
UpdateFailedAuthCountAndTokenStatus | RAD_TOKENS_TABLE | A stored procedure that is created using dbsetup.sql. This procedure increments the failed authentication count after a failed authentication. This stored procedure also increments the lock counter for each failed authentication.
The oath-request-ingress.grp Sample File The oath-request-ingress.grp file is the primary sample reference implementation file for configuring OTP authentication. You can configure OTP authentication-related actions by setting the bitmask in the Otp-ActionId attribute, and configuring the OTP-specific attributes listed in “Attributes for Configuring OTP Authentication” (page 192).
    if ( (count (User-Realm) > 0) && (User-Realm = "") ) {

In the case of successful authentication, the following sample inserts the Reply-Egress-ActionId attribute with the SQL action UpdateSeqenceCounterAndSuccessAuthCount and returns the POST_REPLY_EGRESS event to update the sequence counter and success authentication count using SQL Access.
        modify Interlink-Proxy-Target = ""
        exit "ACK"
    }
17 Configuring EAP-SIM and EAP-AKA Authentication Methods

This chapter introduces you to the Extensible Authentication Protocol (EAP) for Global System for Mobile Communications (GSM) Subscriber Identity Module (SIM) and EAP for Universal Mobile Telecommunications System (UMTS) Authentication and Key Agreement (AKA) authentication methods.
EAP-SIM Authentication Using HP-UX AAA Server Each mobile device that is authorized to use the network has a unique identifier, called International Mobile Subscriber Identity (IMSI), which identifies the subscriber contained in the SIM. The SIM is also embedded or burnt with a unique secret (subscriber) key, Ki, which is pre-shared with the HP-UX AAA Server user storage (also referred to as Authentication Center, AuC). This forms the basis for securing the access to the network.
Kc). Typically, n=2 or n=3. The HP-UX AAA Server also allows adding a customized plug-in using the Software Development Kit (SDK) to contact any AuC in the network, to directly retrieve the ‘n’ triplets. After calculating the triplets, the HP-UX AAA Server responds with an EAP request challenge containing each of the random numbers (RAND), and their respective message authentication codes (AT_MAC). 7.
either using an optional internal cache or using an external storage like an SQL-compliant database with the mapping information. Features The EAP-SIM authentication method is fully compliant with RFC 4186. It offers the following features: • International Mobile Subscriber Identity (IMSI) permanent identities on a per realm basis. • Non-IMSI permanent identities on a per realm basis. • Protected success indications on a per realm basis. • Fast re-authentication on a per realm basis.
Benefits EAP-SIM offers the following benefits: • Offers more reliable security than the GSM mechanisms. • Supports protection of the subscriber identity based on pseudonyms or temporary identifiers. • Supports a fast re-authentication procedure. Configuring EAP SIM The configuration files must be edited manually, because EAP-SIM cannot be configured using the HP-UX AAA Server Manager.
Algorithms” (page 268). The server uses the following AVPs as input to generate authentication vectors: — Subscriber's key is a string attribute that contains the binary encoded 128-bit user secret key, Ki. The encoding must be in the network byte order (big-endian). — A3 algorithm is a string attribute that indicates the name of the A3 algorithm to be applied in GSM triplet generation. The value is case-sensitive.
If a user-specific plug-in is added for user lookup, the AATV name is replaced with the plug-in name. The following section describes configuration of the HP-UX AAA Server user, flat file, LDAP directory server and SQL-compliant database for credential lookup (subscriber key). The HP-UX AAA Server receives GSM triplets directly when the external storage (typically an AuC) generates the triplets. An AATV must be written for this.
Subscriber-Key = "\x01\x47\x17\x49\x11\xe3\x96\xc9\x63\x1a\xc1\xb9\x22\x86\xf0\x1f"
123456789000000 Subscriber-Key = "\x11\x1a\xf1\xc7\x11\x20\x26\x08\x4a\x58\xc7\xd8\x22\xe7\xca\x55"
123456789000000 Subscriber-Key = "\x11\x48\xf2\xd4\x68\x71\x59\x11\x3c\x81\x27\xe6\x14\xfb\x64\x66"
PROLDAP Authentication Type
The PROLDAP AATV is enhanced to support the Request-Attribute-For-Search attribute. The Request-Attribute-For-Search attribute indicates the search attribute to use for a user lookup.
SQLAction RetrieveSIMUser {
  {
    input  RAD(Real-Username, REPLY)            DBP(runame, 253, CHAR)
    output DBR(100:0)                           RET(RETRIEVE_ERROR)
           DBR(-1:*)                            RET(ERROR)
           DBC(subscriber_key, 64, CHAR)        FUNC(StoreInSubscriberKey) AAAHexToBinaryString
           DBR(0:0)                             RET(RETRIEVE_SUCCESS)
           DBR(*:*)                             RET(RETRIEVE_ERROR)
    SQLStatement db_oci {
      SELECT subscriber_key
      FROM   RAD_USERS_TABLE
      WHERE  user_name=:runame
    }
  }
}
NOTE: The subscriber_key column must be added in RAD_USERS_TABLE.
Table 17-2 EAP.authfile Configuration Parameters
Parameter / Description
A3 Algorithm - Specifies the default A3 algorithm for the realm. If an A3 algorithm is needed to produce the GSM triplets for this user's authentication, then the A3 algorithm specified in this field is used. There is no default value. For information on available algorithms, see “Generating Authentication Vectors Using A3, A8, and AKA Algorithms” (page 268).
A8 Algorithm - Specifies the default A8 algorithm for the realm.
Table 17-2 EAP.authfile Configuration Parameters (continued)
Parameter / Description
(continued) minimum length of an IMSI. Therefore, the check made is as follows: 6 <= Minimum-Length-IMSI <= Maximum-Length-IMSI <= 15. The default values are 6 and 15.
Number-Of-Triplets-For-Authentication - Indicates how many GSM triplets are needed for authentication. EAP-SIM RFC 4186 indicates this value must be 2 or 3. The default value is 2.
Protected-Success-Indications - Protected success indications are an optional EAP-SIM feature.
NOTE: The comment field in realm configuration must not have spaces. Global EAP-SIM Configuration in aaa.config The aatv.EAP-SIM{} configuration block, located within the aaa.config file contains global EAP-SIM configuration information. These parameters represent global default values, which do not correspond to any realm-based parameter. The following rules apply to the aatv.EAP-SIM{} configuration block parameters: • The parameter names are case-insensitive.
EAP-AKA This section discusses the EAP-AKA authentication method and its configurations. This section addresses the following topics: • “Overview” (page 236) • “EAP-AKA Authentication Using HP-UX AAA Server” (page 236) • “Features” (page 237) • “Benefits” (page 238) • “Configuring EAP-AKA” (page 239) Overview EAP AKA is an authentication and session key distribution mechanism used in the third generation mobile networks: UMTS and CDMA2000.
the result parameter (RES) generated using the RAND and the pre-shared secret key. It also includes a message authentication code for integrity protection. The AAA Server, on receiving the EAP Response message, compares the result parameter with the XRES parameter in the corresponding authentication vector.
• Protected Identity Exchanges using AT_CHECKCODE is supported on a per realm basis.
• Authentication Management Field (AMF) is supported on a per realm basis.
• Algorithmically or randomly generated pseudonyms are supported on a per realm basis.
Configuring EAP-AKA The configuration files must be edited manually, because EAP-AKA cannot be configured using the HP-UX AAA Server Manager. This section addresses the following topics: • “EAP-AKA Client Configuration” (page 239) • “EAP-AKA User Credential Lookup Configuration” (page 239) • “EAP-AKA Realm-Based Configurations” (page 240) • “Global EAP-AKA Configuration in aaa.config” (page 247) NOTE: Subsequently, you must restart the RADIUS Server for the configurations to take effect.
are limited to 1023 characters, which places a limit on the length of this string. The value is case-sensitive. • The second form is the configuration of an AKA vector. An AKA vector is a fixed length binary string (octets) attribute, which holds an EAP-AKA authentication vector. The attribute value is a 576-bit binary string (72 bytes) partitioned as described in Table 17-4. Table 17-4 lists the AKA Vector parameters.
The HP-UX AAA Server receives the AKA vector directly when the external storage (typically an AuC) generates the vector. An AATV must be written for this. For information on how to write an AATV, see Chapter 28 (page 446). NOTE: The xstring field in the realm configuration must not have spaces. SQL Access Authentication Type To use the SQL Access authentication type, you must include the following entry in the authfile: eapakarealm.
Realm-Based EAP-AKA Configuration Information in EAP.authfile The EAP.authfile entry for a realm that supports EAP-AKA can contain an optional {} configuration block following the EAP-Type AKA specification. This block contains realm-specific EAP-AKA configuration information, such as the algorithm to use for the realm users, and the Fast-Reauth and Pseudonym parameters discussed later in the chapter. For more information on Fast-Reauth and Pseudonym, see “Pseudonym Identities” (page 256).
Table 17-5 EAP.authfile Configuration Parameters (continued) Parameter Description EAP-AKA RFC 4187 indicates that the permanent identity must be derived from the IMSI. However, an implementation may choose a permanent identity that is not based on the IMSI. The server supports both options. The valid values are Enabled and Disabled. The default value is Disabled. Minimum-Length-IMSI and Maximum-Length-IMSI Specify the minimum and maximum length of IMSIs that the server accepts.
Table 17-5 EAP.authfile Configuration Parameters (continued) Parameter Description improve readability. The encoding must be in the network byte order (big-endian). For more information, see the example following Table 17–9. The EAP-AKA protocol requires support for two features related to the management of sequence numbers (SQN). The Resync-Update parameter specifies an AATV, which provides one of the features and an Xstring parameter for this AATV.
    Auth-Result-Update SQLAccess ActionId=UpdateSQN
    ############################################################
    # Following are optional parameters
    ############################################################
    Prefixed-IMSI-Permanent-IDs "Enabled"
    Generic-Permanent-IDs "Enabled"
    Minimum-Length-IMSI 6
    Maximum-Length-IMSI 15
    AKA-Mode 0x12ab
    Protected-Identity-Exchanges No
    Protected-Success-Indications "Enabled"
  }
}
NOTE: The comment field in realm configuration must not have spaces.
    output DBR(100:*)                           RET(NAK)
           DBR(-1:*)                            RET(ERROR)
           DBC(aka_sequence_number, 64, CHAR)   FUNC(IncAkaSeqNum) AAAHexToBinaryString
           DBR(0:0)                             RET(ACK)
           DBR(*:*)                             RET(ERROR)
    SQLStatement db_oci {
      SELECT aka_sequence_number
      FROM   RAD_USERS_TABLE
      WHERE  user_name=:runame
    }
  }
  {
    input  RAD(AKA-Sequence-Number, REPLY)      DBP(seqnum, 253, CHAR)
           RAD(Real-Username, REPLY)            DBP(runame, 253, CHAR)
    output DBR(-1:*)                            RET(ERROR)
           DBR(0:0)                             RET(ACK)
           DBR(*:*)                             RET(NAK)
    SQLStatement db_oci {
      UPDATE RAD_USERS_TABLE set aka_sequence_number=:seqnum where user_name=:runame
    }
  }
}
NOTE: The above SQL actions require the subscriber_key and the aka_sequence_number columns to be added in the RAD_USERS_TABLE as string type. The mapping functions mentioned in the above example are for demonstration purposes only. You must customize the mapping functions based on your requirements. For more information on SQL Access mapping functions, see Chapter 22 “SQL Access”.
# Enabled or Disabled
}
Fast Re-Authentication Fast re-authentication is an optional EAP-SIM and EAP-AKA feature. This feature is used to refresh the previous authentication periodically. A fast re-authentication, if applicable, occurs shortly after a full authentication or an earlier fast re-authentication. The Fast-Reauth-Id-Lifetime parameter specifies a lifetime for a fast re-authentication identity, in seconds.
Table 17-7 EAP.authfile Configuration Parameters Parameter Description Fast-Reauth-Lookup The Fast-Reauth-Lookup parameter specifies an AATV and an Xstring parameter for this AATV. This AATV is invoked to map a fast re-authentication identity to the user's real identity and full authentication context. If this parameter is not configured, fast re-authentication support is disabled for the realm. HP-UX AAA Server provides an AATV, SIMAKA-ReauthCacheLookup, for this function. There is no default value.
Table 17-7 EAP.authfile Configuration Parameters (continued) Parameter Description re-authentication identity must be generated with no realm name, it is configured as NULL. The empty string entry, using just two quotes, indicates that the server must generate a fast re-authentication identity with the same realm name as the permanent identity. Fast-Reauth-Id-Lifetime The Fast-Reauth-Id-Lifetime parameter specifies a lifetime for a fast re-authentication identity, in seconds.
  EAP-Type AKA {
    #Configure other realm-specific parameters, if required
    .
    .
    # Following are the mandatory parameters:
    Fast-Reauth-Lookup SIMAKA-ReauthCacheLookup ""
    Fast-Reauth-Update SIMAKA-ReauthCacheUpdate ""
    # Following are the optional parameters:
    Fast-Reauth-Realm ""
    Max-Number-Of-Reauths-Before-Full-Auth-Is-Required 5
    Fast-Reauth-Id-Lifetime 1800
  }
}
Configuring for Fast Re-Authentication in aaa.
  #Configure other global parameters, if required
  .
  .
  Maximum-Fast-Reauth-Cache-Size 4096
}
Guidelines to Write EAP-SIM and EAP-AKA Fast Re-Authentication Database AATVs This section describes the EAP-SIM and EAP-AKA requirements that the Fast Re-authentication Database AATVs must meet in addition to the basic AATV requirements. For information on AATV writing, compiling, installing, and debugging, see Chapter 28 (page 446).
Fast Re-Authentication Database Update AATV As a result of a full authentication, the database may require a new record for the fast re-authentication information. If the database includes an existing set of fast re-authentication information, the information needs to be updated or made invalid with each full authentication or a fast re-authentication.
Table 17-9 Vendor-Specific Attributes for Fast Re-Authentication Database Update AATV (continued) Attribute Description If the value of the Fast-Reauth-Username value is an empty string, this attribute is not present. Fast-Reauth-Expiration-Time A Unix epoch date attribute that contains the UTC time at which this fast re-authentication information expires. If the fast re-authentication information in the database is made invalid instead of being updated, this attribute has no significance.
Table 17-10 Vendor-Specific Attributes for Fast Re-Authentication Database Lookup AATV (continued) Attribute Description Fast-Reauth-Realm. The realm can also be a realm that the NAS created to facilitate routing of the Fast Reauth Request to the HP-UX AAA Server, which performed the last full authentication. The realm is used for the database lookup, and is used by the HP-UX AAA Server to invoke EAP-SIM or EAP-AKA only.
Lookup AATV Functionality and Return Events The fast re-authentication lookup AATV attempts to retrieve the full authentication details of the Fast-Reauth-Username attribute from its database. • If the information is available, the lookup AATV updates the AUTHREQ_REPLY_QUEUE list of the authreq with the specified output and a RETRIEVE_SUCCESS message is returned. • If the information is not available, a RETRIEVE_ERROR message is returned.
because it is impossible to reverse engineer the permanent identity. However, a database to store and retrieve the mapping of pseudonym to permanent identity is required. Algorithm-Based Pseudonyms The HP-UX AAA Server generates a pseudonym by encrypting the real user name with an algorithm; the SIMAKA-PseudonymDecrypt AATV decrypts a pseudonym to reproduce the real user name.
algorithm. In this case, the length of the pseudonym varies, depending on the length of the permanent identity, as follows: • 24 characters, if the permanent user name is 1-8 characters. • 45 characters, if the permanent user name is 9-24 characters. • 66 characters, if the permanent user name is 25-40 characters. • 88 characters, if the permanent user name is 41-56 characters. • 109 characters, if the permanent user name is 57-72 characters. • 130 characters, if the permanent user name is 73-88 characters.
Table 17-12 EAP.authfile Configuration Parameters (continued) Parameter Description The HP-UX AAA Server provides the SIMAKA-PseudonymDecrypt AATV for algorithm-based pseudonym identity support. The following conditions apply if this AATV is configured: • The server forces non-random pseudonym generation for this realm. • If no Pseudonym-Algorithm-Key-* parameters are defined in the aatv.SIMAKA{} block of the aaa.config file, pseudonym support is disabled.
To use algorithm-based pseudonym identity support, the aatv.SIMAKA {} block in the aaa.config file must specify the parameters described in Table 17-13. Table 17-13 The aaa.config Parameters for Algorithm-based Pseudonym Identity Parameter Description Pseudonym-Algorithm-Key-n The HP-UX AAA Server can generate pseudonyms as an encrypted form of the permanent identity, which can be subsequently decrypted to reproduce the permanent identity.
    Pseudonym-Update ""
    Generate-Random-Character-Pseudonyms Yes
    Pseudonym-Lifetime 604800
    # Following are the optional parameters:
    Pseudonym-Lifetime 604800
  }
}
#################################################################
### Add the following in /etc/opt/aaa/EAP.authfile for EAP-AKA
#################################################################
eapaka.com -EAP EAP "comment" {
  EAP-Type AKA {
    #Configure other realm-specific parameters, if required
    .
    .
information on AATV writing, compiling, installing, and debugging, see Chapter 28 (page 446). You can configure EAP-SIM and EAP-AKA to support pseudonyms. To perform a full authentication using a pseudonym, you must map an assigned pseudonym to the real identity. EAP-SIM and EAP-AKA can manage the pseudonym mapping internally. Alternatively, using customer-supplied plug-ins, they can store the mapping in an external database using SQL Access and retrieve it when required.
Pseudonym Database Update AATV As a result of a full authentication, the database may require a new record for the pseudonym information. If the database includes an existing set of pseudonym information, the information needs to be updated or made invalid each time the HP-UX AAA Server assigns a new pseudonym. Update AATV Inputs The input to the Update AATV is the set of VSAs on the AUTHREQ_REPLY_QUEUE list of the authreq. Table 17-14 describes the Pseudonym Database Update AATV attributes.
Table 17-14 Vendor-Specific Attributes for Pseudonym Database Update AATV (continued) Attribute Description the database which maps the pseudonym to the Real-Username attribute returns a Pseudonym-Expiration-Time VSA. Update AATV Outputs None of the attributes are returned by Update AATV. AATV Functionality and Return Events The pseudonym update AATV updates its database with the pseudonym information available in the AUTHREQ_REPLY_QUEUE list of the authreq.
Table 17-15 Vendor-Specific Attributes for Pseudonym Database Lookup AATV (continued) Attribute Description Number-of-Triplets-Requested An integer attribute that contains the number of requested triplets (RAND, Kc, and SRES). In accordance with RFC 4186, the number of triplets required for authentication is two or three. The number of triplets required for authentication is present to enable the lookup AATV to generate GSM triplets, if required.
Table 17-17 Lookup AATV Attributes for EAP-SIM Attribute Description GSM-Triplet(s) A fixed-length binary string (octets) attribute that can occur twice or thrice, and contains an EAP-SIM authentication vector. The parameter value is a 224-bit binary string (28 bytes). The value constitutes the following: • RAND = the first 128 bits (16 bytes) of the value. • Kc = the next 64 bits (8 bytes) of the value. • SRES = the last 32 bits (4 bytes) of the value.
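The two binary formats above (the quoted "\x.." Subscriber-Key string from the users-file entries, and the 28-byte GSM-Triplet attribute) are easy to get wrong by one byte. The following added example, which is not part of the HP-UX AAA Server documentation or product, decodes both and enforces the 128-bit key length and the RFC 4186 two-or-three triplet rule; the users-file lines and triplet values it uses are constructed, and the function names are the author's own.

```python
# Added example, not code from the HP-UX AAA Server product or documentation.
# Decodes Subscriber-Key entries as written in the users file and unpacks
# GSM-Triplet attribute values into RAND / Kc / SRES.
import re

KI_BYTES = 16        # Ki is a 128-bit subscriber key, big-endian
RAND_BYTES = 16      # GSM triplet layout: RAND (16) | Kc (8) | SRES (4)
KC_BYTES = 8
SRES_BYTES = 4
TRIPLET_BYTES = RAND_BYTES + KC_BYTES + SRES_BYTES   # 28 bytes = 224 bits

# One users-file line: <identity> Subscriber-Key = "<escaped string>"
_USER_LINE = re.compile(r'^\s*(\S+)\s+Subscriber-Key\s*=\s*"((?:[^"\\]|\\.)*)"')
# Tokens inside the quoted string: \xHH, \<char>, or a literal character
_ESCAPE = re.compile(r"\\x([0-9A-Fa-f]{2})|\\(.)|(.)", re.S)


def decode_subscriber_key(value: str) -> bytes:
    """Turn the quoted "\\x01\\x47..." form into the 16 raw key bytes."""
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    out = bytearray()
    for hexpair, escaped, literal in _ESCAPE.findall(value):
        if hexpair:
            out.append(int(hexpair, 16))           # \xHH -> one byte
        elif escaped:
            out += escaped.encode("latin-1")       # \\ or \" stand for themselves
        else:
            out += literal.encode("latin-1")       # unescaped printable byte
    if len(out) != KI_BYTES:
        raise ValueError(f"Subscriber-Key must decode to {KI_BYTES} bytes, got {len(out)}")
    return bytes(out)


def parse_subscriber_keys(users_text: str) -> dict:
    """Map each identity in a users-file fragment to its decoded Ki."""
    keys = {}
    for line in users_text.splitlines():
        m = _USER_LINE.match(line)
        if m:
            keys[m.group(1)] = decode_subscriber_key(m.group(2))
    return keys


def unpack_triplets(values) -> list:
    """Split each 28-byte GSM-Triplet value; RFC 4186 allows exactly 2 or 3 of them."""
    if len(values) not in (2, 3):
        raise ValueError(f"EAP-SIM needs 2 or 3 GSM triplets, got {len(values)}")
    triplets = []
    for v in values:
        if len(v) != TRIPLET_BYTES:
            raise ValueError(f"GSM triplet must be {TRIPLET_BYTES} bytes, got {len(v)}")
        rand = v[:RAND_BYTES]
        kc = v[RAND_BYTES:RAND_BYTES + KC_BYTES]
        sres = v[RAND_BYTES + KC_BYTES:]
        triplets.append({"RAND": rand, "Kc": kc, "SRES": sres})
    return triplets


# Constructed users-file fragment (identities and the second key are made up;
# the first key value copies the documentation's sample form).
SAMPLE_USERS = r'''
123456789000000 Subscriber-Key = "\x01\x47\x17\x49\x11\xe3\x96\xc9\x63\x1a\xc1\xb9\x22\x86\xf0\x1f"
123456789000001 Subscriber-Key = "\x11\x1a\xf1\xc7\x11\x20\x26\x08\x4a\x58\xc7\xd8\x22\xe7\xca\x55"
'''

# Constructed triplet values: recognisable RAND, Kc and SRES patterns.
SAMPLE_TRIPLETS = [
    bytes(range(16)) + b"\xaa" * 8 + b"\x01\x02\x03\x04",
    bytes(range(16, 32)) + b"\xbb" * 8 + b"\x05\x06\x07\x08",
]

if __name__ == "__main__":
    for imsi, ki in parse_subscriber_keys(SAMPLE_USERS).items():
        print(imsi, ki.hex())
    for t in unpack_triplets(SAMPLE_TRIPLETS):
        print(t["RAND"].hex(), t["Kc"].hex(), t["SRES"].hex())
```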
Table 17-18 Lookup AATV Attributes for EAP-AKA (continued) Attribute Description AKA-Algorithm An optional string attribute that contains the name of the AKA algorithm used to authenticate the user. This attribute is optional if a default value is configured for the realm. The value is case-sensitive. AKA-Sequence-Number A fixed-length binary string (octets) attribute that contains the 48-bit sequence number, which is used to authenticate the user.
GSM A3 and A8 algorithms are used in EAP-SIM. GSM-03.20 specifies the general GSM authentication procedure and the external interface of the A3 and A8 algorithms. The operation of these functions is specific to each network operator. Therefore, the functions are not generalized, but are specified by each operator. The GSM-MILENAGE algorithm, specified publicly in 3GPP-TS-55.205, is an example algorithm set for the A3 and A8 algorithms.
Table 17-19 3GPP Milenage Parameters (continued)
Parameter / Description
C1-C5 - 128-bit values used to compute f1, f1*, f2, f3, f4, f5, f5*
R1-R5 - Integer rotation constants used to compute f1, f1*, f2, f3, f4, f5, f5*
The Ek kernel function specified by 3GPP Milenage is 128-bit AES (Rijndael). The 3GPP Milenage A3 algorithm has two variants corresponding to recommended SRES derivation function #1 and recommended SRES derivation function #2.
Table 17-20 Configuration Parameters of aatv.3GPP-Milenage{} Block (continued) Parameter Description warning message in the logfile. Milenage specifies the default value. If not explicitly configured, the default value is 0x00000000.00000000.00000000.00000002. C4 128-bit computation constant. C4 must have odd parity. Use of a value with even parity generates a warning message in the logfile. Milenage specifies the default value. If not explicitly configured, the default value is 0x00000000.00000000.
NOTE: The Ci,Ri pairs must be unique. The condition Ci=Cj and Ri=Rj for i≠j is not allowed. For instance, C2=C4 and R2=R4 is not allowed. The following is an example of the aatv.3GPP-Milenage block in the aaa.config file:
aatv.3GPP-Milenage {
    # OP 128-bit operator-specific constant ==> CONFIGURATION RECOMMENDED.
    OP 0x00000000.00000000.00000000.00000000
    # C1 128-bit computation constant ==> CONFIGURATION OPTIONAL.
    C1 0x00000000.00000000.00000000.
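The constraints in Table 17-20 and the note above (dotted 128-bit hex form, odd parity for C4, no duplicate Ci,Ri pairs, OP recommended) can be checked before a block is deployed. The following added example is not part of the HP-UX AAA Server documentation or product: it parses a constructed aatv.3GPP-Milenage block and reports each violation; the 0..127 rotation range and the defaults for unconfigured constants are taken from 3GPP TS 35.206, not from this page, and the function names are the author's own.

```python
# Added example, not code from the HP-UX AAA Server product or documentation.
# Sanity-checks the constants of an aatv.3GPP-Milenage{} block.
import re

# 128-bit constants are written as four dotted groups of eight hex digits,
# e.g. 0x00000000.00000000.00000000.00000002 (form shown in Table 17-20).
_HEX128 = re.compile(
    r"^0x([0-9a-fA-F]{8})\.([0-9a-fA-F]{8})\.([0-9a-fA-F]{8})\.([0-9a-fA-F]{8})$")

# Values used when a constant is not configured; from 3GPP TS 35.206
# (assumption: the server applies the same Milenage defaults).
DEFAULT_C = {1: 0x0, 2: 0x1, 3: 0x2, 4: 0x4, 5: 0x8}
DEFAULT_R = {1: 64, 2: 0, 3: 32, 4: 64, 5: 96}

# Constants the table text says must have odd parity (only the C4 entry
# is fully legible on the page; extend the tuple per your copy of the table).
ODD_PARITY_REQUIRED = (4,)


def parse_hex128(text: str) -> int:
    """Convert the dotted hex notation into an integer."""
    m = _HEX128.match(text.strip())
    if not m:
        raise ValueError(f"not a dotted 128-bit hex constant: {text!r}")
    return int("".join(m.groups()), 16)


def parse_milenage_block(text: str) -> dict:
    """Return {NAME: value-string} for one aatv.3GPP-Milenage{} block."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop '#' comments
        if not line or line.startswith("aatv.") or line == "}":
            continue
        name, _, value = line.partition(" ")
        params[name.upper()] = value.strip()     # parameter names are case-insensitive
    return params


def check_milenage(params: dict) -> list:
    """List configuration problems; an empty list means the block passed."""
    problems = []
    if "OP" not in params:
        problems.append("OP not configured (operator-specific; configuration recommended)")
    consts, rots = {}, {}
    for i in range(1, 6):
        consts[i] = parse_hex128(params[f"C{i}"]) if f"C{i}" in params else DEFAULT_C[i]
        rots[i] = int(params[f"R{i}"], 10) if f"R{i}" in params else DEFAULT_R[i]
        if not 0 <= rots[i] <= 127:
            problems.append(f"R{i}={rots[i]} is outside the 0..127 rotation range")
    for i in ODD_PARITY_REQUIRED:
        if bin(consts[i]).count("1") % 2 == 0:
            problems.append(f"C{i} has even parity; the server logs a warning for it")
    # Ci == Cj together with Ri == Rj for i != j is not allowed.
    seen = {}
    for i in range(1, 6):
        pair = (consts[i], rots[i])
        if pair in seen:
            problems.append(f"C{i}/R{i} duplicates the C{seen[pair]}/R{seen[pair]} pair")
        else:
            seen[pair] = i
    return problems


# Constructed block: OP is set, but C2/R2 repeat the C4/R4 values.
SAMPLE_BLOCK = """aatv.3GPP-Milenage {
    # OP 128-bit operator-specific constant ==> CONFIGURATION RECOMMENDED.
    OP 0x0f0e0d0c.0b0a0908.07060504.03020100
    C2 0x00000000.00000000.00000000.00000004
    R2 64
    C4 0x00000000.00000000.00000000.00000004
    R4 64
}
"""

if __name__ == "__main__":
    for problem in check_milenage(parse_milenage_block(SAMPLE_BLOCK)):
        print("PROBLEM:", problem)
```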
18 Configuring HP-UX AAA Server for Scalability and High-Availability This chapter describes how to configure the HP-UX AAA Server for scalability and high-availability. Starting with the HP-UX AAA Server A.08.01 release, HP-UX AAA Server supports configuring for scalability and high-availability.
Scalability and High-Availability Concepts This section describes the Scalability and High-Availability concepts. It discusses the following topics: • “Grouping HP-UX AAA Servers” (page 274) • “HP-UX AAA Server Attributes” (page 274) Grouping HP-UX AAA Servers To manage multiple HP-UX AAA Servers on a single or multiple hosts with ease, the HP-UX AAA Server Manager supports configuring and administering groups of HP-UX AAA servers.
Figure 18-1 HP-UX AAA Server Deployment for Scalability and High-Availability In Figure 18-1, the HP-UX AAA Server Manager manages multiple HP-UX AAA Servers on three remote hosts (Host 1, Host 2, and Host 3). Each remote host is running more than one HP-UX AAA Server. Running multiple HP-UX AAA Servers on the same host ensures better utilization of system resources, thus ensuring greater scalability.
Server S2 to ensure load is evenly balanced. Therefore, client requests are processed faster to provide desired optimum performance. Group B is a group with a set of four HP-UX AAA Servers, S1 and S2 running on Host 2, and S3 and S4 running on Host 3. HP-UX AAA Servers S1 and S3 are cloned servers providing authentication services and S2 and S4 are cloned servers providing accounting services.
The section also describes how to administer the HP-UX AAA Servers using the HP-UX AAA Server Manager.
1. Enter the following URL: http://<system name>:<port number>/aaa Replace system name and port number with appropriate values. NOTE: For secured remote Server Manager administration, see “Using Secure Socket Layer (SSL) for Secured Remote Server Manager Administration” (page 64). 2. Enter the username and password. The HP-UX AAA Server Manager Administration page is displayed. Click Server Connections in the left panel. The Groups and Server Connections tables are displayed, as shown in Figure 18-2.
3. Enter the name of the group in the Name field and click Create. A new group is created. Figure 18-4 displays a sample group name, called group1. Figure 18-4 Sample Group Created Modifying a Group To modify a group name, complete the following steps: 1. Click Server Connections on the top left window. 2. Select the group you want to modify in the drop-down menu, under Select a group for administration. 3. Click against the group. The Groups: Modify Group window is displayed, as shown in Figure 18-5.
3. Click against the group and confirm. The group is deleted. Adding a Server To add a server to a group, complete the following steps: 1. Click Server Connections on the top left window. 2. Select the group in the drop-down menu to which you want to add the server, under Select a group for administration. 3. Click New Server under Servers. The Servers: Add Server page is displayed, as shown in Figure 18-6. Figure 18-6 Adding a Server 4. Enter the values of the server attributes.
Table 18-1 Server Attributes
Option / Description
Authentication - Port number to listen to authentication requests. The default Authentication port number is 1812.
Accounting - Port number to listen to accounting requests. The default Accounting port number is 1813.
Dynamic Authorization - Specifies the UDP port number to listen for the Dynamic Authorization requests. The default port number is 3799.
Authentication Relay - Port number to relay authentication requests.
Table 18-1 Server Attributes (continued)
Option / Description
IPC Directory - Specifies the directory where the files generated for shared memory operation are located. The default directory is /var/opt/aaa/ipc.
Livingston Accounting Directory - Specifies the directory where the Livingston style accounting log files are located. The default directory is /var/opt/aaa/radacct.
Accounting Directory - Specifies the directory where Merit style accounting log files (session logs) are located.
NOTE: If the Listen IP address is not specified, all addresses configured on the host are considered. Default Authentication, Accounting, and Dynamic Authorization port values are displayed. However, you can modify those values, if required. Following are the conditions that must be considered while configuring the server attributes:
• The combination of the Listen IP address and the Administration port values must be unique.
• The combination of the server name and the group name must be unique.
NOTE: Selecting Save the above Server Attributes to the configured server (specified in the 'Domain Name' field) on clicking the 'Create' button saves the server attributes to the server. You must perform this step to enable the HP-UX AAA Server Admin Tool for administration tasks. For more information on HP-UX AAA Server Admin Tool, see “Administering HP-UX AAA Servers Using HP-UX AAA Server Admin Tool (Command Line)” (page 287).
NOTE: To perform a cloning operation, the target server must already exist with configured values. After the successful completion of the cloning operation, the source and the target servers will have the same configuration files. You can reduce the time required to load a configuration from a HP-UX AAA Server or to save a configuration to multiple HP-UX AAA Servers by using the Secure Copy Protocol (scp).
5. 6. Modify the configuration files using the options under Edit Configuration in the left window, if required. Click Save Configuration in the left window. The list of servers in the group is displayed, as shown in Figure 18-9. Figure 18-9 Cloning Server 7. Select the target server, and click Save. The configurations files and the server attributes are copied to the selected servers. NOTE: Selecting server2 and server1 ensures that the modified configuration files are saved on both servers.
NOTE: Although loading and saving configurations are required to clone HP-UX AAA Servers, you can perform those tasks independently, without associating them with cloning. To perform any administration tasks, such as loading, saving, and maintenance, you must select the servers within the group that is administered. Administering HP-UX AAA Servers Using HP-UX AAA Server Admin Tool (Command Line) You can administer the HP-UX AAA Servers running on a host using HP-UX AAA Server Admin Tool (rad_admin).
NOTE: server_list all | groupname:all... | groupname:list... — server_list denotes the list of HP-UX AAA Servers to be administered. To select all the HP-UX AAA Servers on the local host, use the keyword "all". To select all the HP-UX AAA Servers within a group, specify the group name followed by the keyword "all", as groupname:all.
2. To start the HP-UX AAA Server using the HP-UX AAA Server Admin Tool, enter the following command at the HP-UX prompt:
   # /opt/aaa/bin/rad_admin.sh
   The interactive mode starts.
3. Enter the group ID.
4. Enter the HP-UX AAA Server ID.
5. Specify the operation you want to perform. The operation starts.
NOTE: It is recommended that you use the HP-UX AAA Server Manager to manage multiple HP-UX AAA Servers.
where the variables are described as follows:
• <remote host> - host on which the configuration files are backed up
• <path> - location on the <remote host> to store the configuration files
• <user> - the user account with privileges to store files under <path> on the <remote host>
2. Enter the password for the <user> on the <remote host>, if prompted. The configuration files are now available in the desired path <path> on the <remote host>.
19 Configuring the HP-UX AAA Server for Client Functionality This chapter describes the client functionality of the HP-UX AAA Server. The chapter discusses the following topics: • “Overview” (page 291) • “CLIENT AATV” (page 292) • “Supported APIs” (page 294) Overview Currently, the HP-UX AAA Server works in the server mode. It receives requests from clients, processes them, and sends out appropriate responses, based on the request type.
CLIENT AATV This section describes how to configure the CLIENT AATV and how the CLIENT AATV works. Configuring CLIENT AATV The CLIENT AATV is a generic AATV, which you can use to generate empty RADIUS requests at specified intervals. You can use these RADIUS requests to perform the required client functions. You must configure the CLIENT AATV in the aatv.CLIENT block within the aaa.config file. You can configure multiple CLIENT actions in the aatv.CLIENT block.
invoke the SQL Access AATV to enter values based on the information stored in a database table. The CLIENT AATV is invoked through the FSM, and the action function of the CLIENT AATV is executed. The action function of the CLIENT AATV performs two major functions. One, it places the current client request in the message queue for client messages. Two, it generates another empty RADIUS request and places it in the initial state of the FSM.
Figure 19-1 CLIENT AATV Flowchart Supported APIs This section lists the Application Programming Interfaces (APIs) included in the Software Development Kit (SDK) to support the client functionality. New APIs are included or existing APIs are modified to support the client functionality. Table 19-1 describes the APIs supporting the client functionality. Table 19-1 APIs Supporting Client Functionality API Description sdk_authreq_allocate Generates a new request.
For more information on the Finite State Machine (FSM), see Chapter 26 (page 396). For more information on the Advanced Policy actions, see Chapter 27 (page 411). Internal Attributes and Mapping Functions This section describes the internal attributes and pre-defined mapping functions included for client functionality. Table 19-2 describes the pre-defined mapping functions for Client Functionality.
Table 19-2 Pre-defined Mapping Functions for Client Functionality
Mapping Type / Mapping Function / Description
Target / set_radius_msg_type / Sets the RADIUS message type for client requests.
Target / set_target_host / Sets the target host to which a client request must be sent.
Source / get_from_host / Returns the hostname from which a RADIUS request was received.
Source / get_cur_timestamp / Returns the current timestamp.
20 Configuring the HP-UX AAA Server for Dynamic Authorization This chapter discusses the Dynamic Authorization capability of the HP-UX AAA Server. The Dynamic Authorization capability is based on the client functionality of the HP-UX AAA Server.
Figure 20-1 illustrates how the HP-UX AAA Server performs Dynamic Authorization. Figure 20-1 HP-UX AAA Server Performing Dynamic Authorization Operation In the following process flow, step 1 to step 5 (highlighted in blue in the figure) are related to creating RADIUS sessions and step 6 to step 10 (highlighted in green in the figure) are related to the Dynamic Authorization operation: 1. A client requests access to a protected resource by sending user credentials to the authenticator.
1. The client-request-init policy is invoked. In this step, the policies configured in /etc/opt/aaa/client-request-init.grp are executed. The following things must be set through this policy. a. The SQL action to be executed for creating the dynamic authorization request should be set in the attribute Client-Request-Create-ActionId. b. The SQL action to be executed for updating the database to indicate that the row has just been processed should be set in the attribute Client-Request-Update-ActionId.
8. If a response is received for the dynamic authorization request, the client reply ingress policy is invoked. In this step the policies configured in /etc/opt/aaa/client-reply-ingress.grp are executed. Through this policy, the SQL action to be used to update the database table based on the response type must be set in the attribute Client-Request-Cleanup-ActionId.
9. SQL Access AATV is invoked. The SQL Access AATV executes the SQL action configured in the attribute Client-Request-Cleanup-ActionId.
Figure 20-3 Flowchart for Basic and Advanced Configuration Basic Configuration A basic implementation of the Dynamic Authorization capability for initiating and processing the Disconnect and CoA requests is available with the SQL Access reference implementation.
For more information on the advanced configurations, see “Advanced Configuration” (page 302). Advanced Configuration Advanced configuration typically requires some extra customization of a feature to suit your needs.
2. To insert values in the new columns while creating a session, modify the StartSession SQL action. Following is the list of new columns in the session table, and their corresponding values: 1. session_timeout — Specifies the value configured in the Session-Timeout attribute. You can configure the Session-Timeout attribute using either the user profile or through policy.
If the StartSession SQL action was not modified earlier, you can directly substitute it with the StartSession SQL action in the latest reference implementation sqlaccess.config file. The file is available in the following paths:
For Oracle, /opt/aaa/examples/sqlaccess/oracle-1/sqlaccess.config
For MySQL, /opt/aaa/examples/sqlaccess/mysql-1/sqlaccess.config
If StartSession was modified to suit your environment, the changes must be merged with the changes in the latest sqlaccess.config file. 3.
Figure 20-4 Multiple HP-UX AAA Servers in a Group for Dynamic Authorization In Figure 20-4, sessions in the database that must either be disconnected or changed are distributed among the live HP-UX AAA Servers within the group. Each HP-UX AAA Server within the group subsequently initiates Disconnect or CoA message exchanges with the authenticator for the sessions assigned to it.
procedures determine the list of sessions to which Disconnect and CoA requests must be sent, and ensure that the requests are distributed among the live HP-UX AAA Servers. The RAD_SERVER_TABLE is used to determine the list of live HP-UX AAA Servers. For more information on these stored procedures and tables, see the following:
• For Oracle — /opt/aaa/examples/sqlaccess/oracle-1/dbsetup.sql.dynauth_server_group
• For MySQL — /opt/aaa/examples/sqlaccess/mysql-1/dbsetup.sql.
$ sed "s//test_group/g" /opt/aaa/examples/sqlaccess/mysql-1/sqlaccess.config.dynauth_server_group >> /etc/opt/aaa/sqlaccess.config
5. To create sessions using the new SQL action, modify the FSM as follows: Replace the following line in /etc/opt/aaa/radius.fsm:
    *.*.ACK SQLAccess Tunneling xstring="ActionID=StartSession"
with
    *.*.
    insert Client-Request-Timeout-ActionId = "TimeoutDisconnectReqServerGroup"
• Replace the following line:
    insert Client-Request-Create-ActionId = "CreateCOAReq"
  with
    insert Client-Request-Create-ActionId = "CreateCOAReqServerGroup"
• Replace the following line:
    insert Client-Request-Update-ActionId = "UpdateCOAReq"
  with
    insert Client-Request-Update-ActionId = "UpdateCOAReqServerGroup"
• Replace the following line:
    insert Client-Request-Timeout-ActionId = "TimeoutCOAReq"
  with
    insert Client-Request-Ti
NOTE: You must perform this step only if you want the Disconnect functionality. Otherwise, you can ignore this step.
1. Log in to HP-UX AAA Server Manager.
2. Click Server Properties. The Server Properties window is displayed as follows:
   Figure 20-5 Server Properties
3. Click AAA Server as a Client Properties. The Server Properties (CLIENT) window is displayed as follows:
   Figure 20-6 Server Properties (CLIENT)
4. Click Client Action Properties.
Figure 20-7 Server Properties: Modify Property
5. Select New Action. The Client Action Properties window is displayed as follows:
   Figure 20-8 Client Action Properties
6. Enter the following values in the respective fields, within the Client Action Properties window:
   Action Name: Disconnect
   Timer Value: 1
   Max Requests: 0
9. To enable the CoA functionality, complete the following steps:
NOTE: You must complete this procedure only if you want the CoA functionality.
Dedicated HP-UX AAA Servers for Dynamic Authorization Within a group, you can dedicate a set of HP-UX AAA Servers for the dynamic authorization operation. If you want to dedicate a set of HP-UX AAA Servers within a group for dynamic authorization, you need not perform all the mentioned steps on all the HP-UX AAA Servers. This section describes the procedures to dedicate HP-UX AAA Servers within a group for authentication and for dynamic authorization.
    SQL> @ /tmp/dbsetup.sql.dynauth_server_group
For MySQL, enter the following command at the mysql prompt:
    mysql> source /tmp/dbsetup.sql.dynauth_server_group
3. Copy sqlaccess.config. For Oracle, enter the following command at the prompt:
    $ cp /opt/aaa/examples/sqlaccess/oracle-1/sqlaccess.config /etc/opt/aaa/sqlaccess.config
For MySQL, enter the following command at the prompt:
    $ cp /opt/aaa/examples/sqlaccess/mysql-1/sqlaccess.config /etc/opt/aaa/sqlaccess.config
4.
NOTE: If some policies have already been configured in the /etc/opt/aaa/client-request-init.grp and /etc/opt/aaa/client-reply-ingress.grp files, you must append the policies instead of copying. 7. To use the new SQLActions, modify the policy files as follows: In /etc/opt/aaa/client-request-init.
    insert Client-Request-Cleanup-ActionId = "SuspendDisconnectedSessionServerGroup"
• Replace the following line:
    insert Client-Request-Cleanup-ActionId = "UpdateCOASession"
  with
    insert Client-Request-Cleanup-ActionId = "UpdateCOASessionServerGroup"
• Replace the following line:
    insert Client-Request-Cleanup-ActionId = "SuspendCOASession"
  with
    insert Client-Request-Cleanup-ActionId = "SuspendCOASessionServerGroup"
NOTE: The following requirement is applicable for Oracle only.
Figure 20-10 Server Properties (CLIENT) 4. Click Client Action Properties. The Server Properties: Modify Property window is displayed as follows: Figure 20-11 Server Properties: Modify Property 5. Select New Action.
6. Enter the following values in the respective fields, within the Client Action Properties window:
   Action Name: Disconnect
   Timer Value: 1
   Max Requests: 0
9. To enable the CoA functionality, complete the following steps:
NOTE: You must complete this procedure only if you want the CoA functionality. Otherwise, you can ignore this procedure.
1. Log in to HP-UX AAA Server Manager.
2. Click Server Properties.
3. Click AAA Server as a Client Properties.
4. Click Client Action Properties.
5. 6.
2. 3. 4. Authorize Only. In addition to the Service-Type attribute, the CoA-Request includes session identification attributes, a State attribute, and NAS identification attributes. The CoA-Request does not contain any other attribute. If the NAS supports the Authorize Only mode, it responds with a CoA-NAK containing the Service-Type and Error-Cause attributes. The value of the Service-Type attribute is Authorize Only and the value of the Error-Cause attribute is Request Initiated.
Add the following lines in the /etc/opt/aaa/client-request-egress.grp file:

    if( count(Service-Type) != 0 && Service-Type = "Authorize-Only" && Client-Action-Name = "COA") {
        ## Delete the Filter-Id attribute.
        delete Filter-Id
    }

4. To handle a response to a CoA-Request whose Service-Type attribute value is Authorize-Only, modify the client-reply-ingress.grp file. Add the following lines at the beginning of the /etc/opt/aaa/client-reply-ingress.
    }
}

NOTE: The following requirement is applicable for Oracle only. If DHCP is enabled, replace the following line in the /etc/opt/aaa/client-reply-ingress.
acts as a Dynamic Authorization Server (DAS). If the same request must be forwarded to another AAA entity, the proxy acts as a DAC. Requests are sent based on the configuration. For example, using advanced policy, you can route on the basis of the user realm or the target NAS. The proxy HP-UX AAA Server listens for Disconnect and CoA requests on a configurable port. The configuration settings of this port are the same as those of the authentication and accounting proxy ports. The default port is 3799.
    {
        if( (count(User-Name) > 0) && substr(User-Name after "@") = "" ) {
            modify Interlink-Proxy-Target = ""
        }
    }

Configuring on the Basis of NAS
To configure routing tables based on NAS (authenticator), add the following lines in the /etc/opt/aaa/proxy-egress.
file. For more information on the attribute, see “Dynamic Authorization-Related Configuration Items” (page 525). By default, the Event-Timestamp attribute checking is not enforced. The verification of the Event-Timestamp attribute occurs only if the attribute is present in the incoming message. If an Event-Timestamp attribute is not present, the attribute is ignored. To enforce Event-Timestamp attribute checking, add the following lines in the /etc/opt/aaa/client-reply-ingress.
Figure 20-15 Server Properties
3. Click AAA Server as a Client Properties. The Server Properties (CLIENT) window is displayed as follows:
   Figure 20-16 Server Properties (CLIENT)
4. Click Global Event Timestamp Window.
Figure 20-17 Server Properties: Modify Property (Event Timestamp)
5. Enter the time window (in seconds) for which the incoming Event-Timestamp attribute is valid.
Message-Authenticator The Message-Authenticator attribute protects RADIUS messages against forged messages and message tampering. You can use the Message-Authenticator attribute to authenticate and integrity-protect the Dynamic Authorization messages.
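The two receiver-side checks described above, the Event-Timestamp window and the Message-Authenticator, are shown below as an added example; this is not HP-UX AAA Server code and does not use its policy language. It builds a constructed Disconnect-Request (code 40) and verifies it the way RFC 5176 and RFC 3579 specify: the Request Authenticator is MD5 over Code, Identifier, Length, sixteen zero octets, the attributes and the shared secret, and the Message-Authenticator is HMAC-MD5 over the packet with both the Request Authenticator field and the Message-Authenticator value set to zero. The shared secret, identifier, user name and timestamps are constructed sample values. A packet without a Message-Authenticator is rejected here, which is stricter than the page's "can be used" wording; an absent Event-Timestamp is ignored, as the page states.

```python
"""Verify the Message-Authenticator and apply an Event-Timestamp window on an
inbound Dynamic Authorization request (RFC 5176 / RFC 3579 rules).
Added example, not HP-UX AAA Server code; all packet data is constructed."""

import hashlib
import hmac
import struct
import time

DISCONNECT_REQUEST = 40            # RADIUS code for Disconnect-Request (RFC 5176)
ATTR_USER_NAME = 1
ATTR_EVENT_TIMESTAMP = 55
ATTR_MESSAGE_AUTHENTICATOR = 80
ZERO16 = bytes(16)


def make_attr(attr_type, value):
    """Encode one RADIUS attribute: type, length (header included), value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_request(code, identifier, secret, attrs):
    """Build a CoA/Disconnect-Request carrying a Message-Authenticator.
    Both the HMAC and the Request Authenticator are computed with the Request
    Authenticator field zeroed; the HMAC is computed first because the Request
    Authenticator covers the final Message-Authenticator value."""
    body = b"".join(attrs) + make_attr(ATTR_MESSAGE_AUTHENTICATOR, ZERO16)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    mac = hmac.new(secret, header + ZERO16 + body, hashlib.md5).digest()
    body = body[:-16] + mac
    request_auth = hashlib.md5(header + ZERO16 + body + secret).digest()
    return header + request_auth + body


def iter_attrs(packet):
    """Yield (type, offset_of_value, value) per attribute, rejecting bad lengths."""
    pos = 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute length")
        yield attr_type, pos + 2, packet[pos + 2:pos + length]
        pos += length


def verify_request_authenticator(packet, secret):
    """RFC 5176: Request Authenticator = MD5(Code+ID+Length+16 zero octets+attrs+secret)."""
    expected = hashlib.md5(packet[:4] + ZERO16 + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def verify_message_authenticator(packet, secret):
    """Recompute HMAC-MD5 with the RA field and MA value zeroed; constant-time compare."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    for attr_type, off, value in iter_attrs(packet):
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = packet[:4] + ZERO16 + packet[20:off] + ZERO16 + packet[off + 16:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
    return False  # no Message-Authenticator present: treat as unauthenticated


def event_timestamp_ok(packet, window_seconds, now=None):
    """An absent Event-Timestamp is ignored; a present one must lie within
    +/- window_seconds of the receiver's clock (the configured window)."""
    now = int(time.time()) if now is None else now
    for attr_type, _, value in iter_attrs(packet):
        if attr_type == ATTR_EVENT_TIMESTAMP:
            if len(value) != 4:
                return False
            return abs(struct.unpack("!I", value)[0] - now) <= window_seconds
    return True


def sample_disconnect_request(secret, event_ts=None):
    """Constructed sample packet (not captured traffic) for the checks above."""
    attrs = [make_attr(ATTR_USER_NAME, b"alice")]
    if event_ts is not None:
        attrs.append(make_attr(ATTR_EVENT_TIMESTAMP, struct.pack("!I", event_ts)))
    return build_request(DISCONNECT_REQUEST, 7, secret, attrs)


if __name__ == "__main__":
    secret, now = b"constructed-shared-secret", 1_700_000_000
    pkt = sample_disconnect_request(secret, now - 30)
    print(verify_request_authenticator(pkt, secret),
          verify_message_authenticator(pkt, secret),
          event_timestamp_ok(pkt, 300, now))
```

Both verifications use hmac.compare_digest so that a forged value cannot be distinguished from a valid one by timing; the Request Authenticator check alone does not protect against tampering by a party that knows the packet but not the secret only because the secret is appended to the hashed data, which is why the HMAC-based Message-Authenticator is the stronger of the two.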
screen in the HP-UX AAA Server Manager. If the request is not from an authorized source, the request is discarded. This feature is disabled by default. You can enable the feature using the enable_rpf_check attribute in the aaa.config file. For more information on the attribute, see “Dynamic Authorization-Related Configuration Items” (page 525).
Figure 20-19 Server Properties (CLIENT) 4. Click Enable Reverse Path Forwarding Check. The Server Properties: Modify Property window is displayed as follows: Figure 20-20 Reverse Path Forwarding Check 5. Click Yes to enable RPF. Sample Configuration Files This section describes the sample configuration files that are used to configure the HP-UX AAA Server for Dynamic Authorization. This section addresses the following topics: • “The client-request-init.grp.
The client-request-init.grp.dynauth Sample File The client-request-init.grp.dynauth is the sample client request init policy file. The following actions are performed in this sample policy file: 1. The SQL actions, to be used to generate Disconnect and CoA requests, are set in the attribute Client-Request-Create-ActionId. 2. The SQL actions, to be used to generate the session entry to indicate that it has just been processed for Disconnect and CoA, are set in the attribute Client-Request-Update-ActionId. 3.
Table 20-1 SQL Actions that Support Dynamic Authorization (continued)

SQL Action                        Description
CleanupDisconnectedSession        Removes the session entry after receiving Disconnect-ACK.
CleanupDisconnectedSession-DHCP   Removes the session entry after receiving Disconnect-ACK. Also releases the IP address of the first session entry that was removed.
SuspendDisconnectedSession        Updates the status of the session entry after receiving a Disconnect-NAK.
The sqlaccess.config.dynauth_server_group Sample File The sqlaccess.config.dynauth_server_group file contains the SQL actions required to implement the dynamic authorization functionality for Disconnect and CoA requests when multiple HP-UX AAA Servers are configured as a group. You can modify these SQL actions based on your requirements. Table 20-2 lists the SQL actions in the sqlaccess.config.dynauth_server_group file that support Dynamic Authorization.
Table 20-2 SQL Actions that Support Dynamic Authorization in Groups (continued)

SQL Action                 Description
                           only when multiple HP-UX AAA Servers are configured as a group.
DistributeCoASessions      Distributes the list of sessions for which CoA requests must be sent, among the live HP-UX AAA Servers in the group. This SQL action is used only when multiple HP-UX AAA Servers are configured as a group.
CreateCoAReqServerGroup    Creates CoA requests to change data filters.
The dbsetup.sql.dynauth_server_group Sample File The dbsetup.sql.dynauth_server_group sample file contains the SQL commands required to create tables and stored procedures in the database server. Table 20-3 lists the stored procedures and tables.

Table 20-3 Tables and Stored Procedures in the dbsetup.sql.dynauth_server_group File

Tables and Stored Procedures   Description
RAD_SERVER_TABLE               Contains information related to the HP-UX AAA Servers that are sharing the same database tables.
Part IV Integrating the HP-UX AAA Server With External Services This part of the HP-UX AAA Server Administrator’s Guide contains the following chapters:
• Chapter 21: “LDAP Authentication” (page 335)
• Chapter 22: “SQL Access” (page 338)
• Chapter 23: “Simple Network Management Protocol (SNMP) Support” (page 386)
• Chapter 24: “VPN Tunneling” (page 388)
• Chapter 25: “Using DHCP” (page 390)
21 LDAP Authentication The Lightweight Directory Access Protocol (LDAP) authentication type provides a method for storing user profiles on an LDAP server. LDAP servers are useful when managing a large number of user profiles. NOTE: You can download Red Hat/Netscape Directory Server for HP-UX from www.software.hp.com. LDAP Server Compatibility The HP-UX AAA Server is designed to interoperate with LDAP Version 3 compliant directories. Refer to the HP-UX AAA Server Release Notes at http://docs.hp.
NOTE: The following procedures are required if your user entries are using attributes defined in the aaaPerson object class. If you are only storing user profiles based on the core LDAP inetOrgPerson object class (to retrieve the user ID and password), the following procedures are not necessary. The HP-UX AAA Server LDAP Schema The HP-UX AAA Server LDAP schema consists of the aaaPerson object class and a set of LDAP attributes utilized by aaaPerson.
To Configure Netscape Directory Server v6
1. Copy /opt/aaa/examples/proldap/55iaaa-radius.ldif to the LDAP server schema directory (/var/opt/netscape/servers/slapd-/config/schema).
2. Restart the directory server.
3. Create an LDIF file for your user profiles and import it to the directory.
To Configure iPlanet Directory Server v5
1. Copy /opt/aaa/examples/proldap/55iaaa-radius.ldif to the LDAP server schema directory (/var/opt/iplanet/servers/slapd-/config/schema).
2. 3.
22 SQL Access IMPORTANT: The Oracle authentication module is obsolete in this release of the HP-UX AAA Server. The Oracle authentication module is supported using SQL Access. HP recommends that you set up your HP-UX AAA Server to interact with the Oracle database using the SQL Access feature. This chapter introduces the SQL Access feature, describes how it works and how to configure the HP-UX AAA Server for SQL Access.
Figure 22-1 SQL Access Components When the AAA Server receives a RADIUS request to perform an action (for example, authentication), it calls the SQL Access AATV if SQL Access is configured. The SQL Access AATV maps RADIUS attributes to database columns and prepares user defined SQL statements for execution. The connector libraries pass the SQL statements to vendor supplied database client libraries, which in turn communicate with the database.
RADIUS Attribute to SQL Statement Mapping You can use SQL mappings to define how to associate or "map" RADIUS attributes to and from the input and output of your SQL statement. The execution of the SQL statement and associated mappings occur in three steps: 1. Input mappings 2. SQL statement execution 3. Output mappings In the typical case, you map RADIUS attributes (input source) to SQL statement placeholders (input target).
Figure 22-2 RADIUS Attribute to SQL Statement Mapping During input mapping, the value for the RADIUS attribute User-name is passed to the SQL statement SELECT as a search value into the database table USERTABLE using the SQL placeholder to bind to the data value John. The output mapping entry tells the SQL Access AATV that the database column db_passwd maps to the RADIUS attribute password, with a returned value of Johnpass in the attribute-value pair.
SQL Action Processing and Result Handling The SQL Access AATV processes all mapping entries of an SQL action in the order in which they are defined in the sqlaccess.config file. It first processes all input mapping entries in order, then executes the SQL statement, and finally processes the output mapping entries in order. SQL actions start with an event of ACK and mapping entries usually return an event of ACK.
• for detailed information on how to install your sample SQL Access implementation for Oracle. /opt/aaa/examples/sqlaccess/mysql-1: files to set up a sample implementation for MySQL and Unix ODBC driver. See the README in that directory for detailed information on how to install your sample SQL Access implementation for MySQL. NOTE: The database server and client are not provided with the HP-UX AAA Server.
Table 22-1 The sqlaccess.config Sample File (continued)

SQL Action                            Table Operated On   Operation
UpdateFailedAuthCountAndTokenStatus   RAD_TOKENS_TABLE    A stored procedure that is created using dbsetup.sql. This procedure increments the failed authentication count after a failed authentication. This stored procedure also increments the lock counter for each failed authentication.
dbsetup.sql Sample File The dbsetup.
login_service

RAD_SESS_TABLE
    sess_start_time
    session_id
    user_name
    nasid
    nasport
    assigned_framed_ip
    client_hw_address
    client_identifier   varchar2(100),
    session_timeout     number(11),
    from_host           varchar2(253),
    session_status      varchar2(253),
    sess_mod_time       TIMESTAMP,
    filter_id           varchar2(253)

In addition, the dbsetup.sql script for OCI creates a stored procedure to first retrieve the IP address for a session ID and then to delete it from the session table RAD_SESS_TABLE.
You must consider the following while selecting and setting up your database environment: Database Security Secure communication between the database client and the database server is controlled by the database server and client software. Therefore, choose your database environment based on your organization's security requirements.
Shared Library Path Configuration The shared library path to the database client libraries must be set depending on the vendor's library path requirements and how the AAA Server is started:
• For startup using the Server Manager, modify the /opt/aaa/remotecontrol/rmistart.sh startup script
• For startup at system boot, modify the /sbin/init.d/radiusd.
4. Configure SQL Access execution based on your implementation: • If SQL Access is used to retrieve user profiles, configure the SQL action for the desired realm on the Local Realm screen in the Server Manager. See “Adding a Realm” (page 105) for more information. • If SQL Access is used for more advanced implementations, such as accounting and session management, modify the Finite State Machine (FSM) radius.fsm file to specify the execution of specific SQL actions for particular events.
/* Global Definition */
[SQLMapConvLibs “path_to_lib:path_to_lib:…:path_to_lib”]

/* Database Connection Definition */
DBID instance {
    DBClient             db_client_library_interface
    [DBUser              db_user]
    [DBPassword          db_user_password]
    [ReconnectWaitTime   reconnect_wait_time]
    [ReconnectErrorCodes reconnect_err_code]
    [OracleSID           Oracle_db_instance]
    [ODBCDatastore       ODBC_db_instance]
}

/* SQL Action Definition */
SQLAction action_ID {
    [TimedEvent timed_event]
    [QueryType  multi_row]
    /* repeat as needed */
    {
        [input [source . .
DBID instance {
    DBClient             db_client_library_interface
    [DBUser              db_user]
    [DBPassword          db_user_password]
    [ReconnectWaitTime   reconnect_wait_time]
    [ReconnectErrorCodes reconnect_err_code]
    [OracleSID           Oracle_db_instance]
    [ODBCDatastore       ODBC_db_instance]
}

Where:

instance   Identifies a unique instance of the AAA Server as a database client. Note that the database connection parameters for a particular instance must be defined before the SQL actions for that particular database instance in the sqlaccess.config file.
Table 22-2 Database Access Parameters (continued)

Database Access Variable   Description
Oracle_db_instance         Required for OCI only. Identifies the Oracle database instance to connect to. The supported format for this parameter is determined by the OCI client software.
ODBC_db_instance           Required for ODBC only. Identifies the database instance to connect to. The supported format for this parameter is determined by the ODBC driver software.
SQLAction action_ID {
    [TimedEvent timed_event]
    [QueryType  multi_row]
    /* repeat as needed */
    {
        [input  [source target [conversion_function]]
                . .
                [source target [conversion_function]]]
        [output [source target [conversion_function]]
                . .
                [source target [conversion_function]]]
        [SQLStatement instance {sql_statement}]
    } /* end repeat */
}

Where:

action_ID   Required. Specifies a unique instance of an SQL action.
Table 22-3 (page 354) and Table 22-4 (page 354) show the source and target data types that can be mapped depending on input or output mapping: • RAD: identifies a RADIUS attribute in a mapping, • DBP: identifies SQL placeholder mapping, • DBC: identifies the database column mapping, • DBR: handles return values from the SQL statements. See “SQL Result Mapping” (page 364) for more information on the use of DBR mapping.
NOTE: You must store the values of tagged attributes in raw format, in the SQL Access database. Following are the syntax and sample values of the tagged attributes: • Tagged Integer — The syntax for the Tagged Integer attribute is ::. The value must always comprise four octets, of which the tag value must comprise one octet and the attribute value must comprise three octets. For example, the value :3:32 must be stored as 03000020.
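The raw format the note above requires for a Tagged Integer (one tag octet followed by three value octets, so that :3:32 becomes 03000020) is shown below as an added example; it is not HP-UX AAA Server code. The encoder enforces the size rules the note states and the tag range RFC 2868 defines (0x00 for "untagged", 0x01 to 0x1F otherwise), and the decoder rejects values that are not exactly four octets, which is the usual way a mis-stored value shows up.

```python
"""Encode and decode RFC 2868 tagged-integer attribute values in the raw hex
form the SQL Access database must hold (":3:32" -> "03000020").
Added example, not HP-UX AAA Server code."""


def encode_tagged_integer(tag: int, value: int) -> str:
    """Return the 8-hex-digit raw form: one tag octet + three value octets."""
    if not 0 <= tag <= 0x1F:
        # RFC 2868: 0x00 means untagged; 0x01..0x1F are the valid tags.
        raise ValueError(f"tag {tag} out of range 0..31")
    if not 0 <= value <= 0xFFFFFF:
        # The attribute value must fit in the three remaining octets.
        raise ValueError(f"value {value} does not fit in three octets")
    raw = bytes([tag]) + value.to_bytes(3, "big")
    return raw.hex()


def decode_tagged_integer(raw_hex: str) -> tuple:
    """Parse the raw form back into (tag, value); reject anything but 4 octets."""
    raw = bytes.fromhex(raw_hex)
    if len(raw) != 4:
        raise ValueError("a tagged integer must be exactly four octets")
    return raw[0], int.from_bytes(raw[1:], "big")


def from_colon_form(text: str) -> str:
    """Convert the page's ':tag:value' notation (for example ':3:32') to raw hex."""
    _, tag_s, value_s = text.split(":")
    return encode_tagged_integer(int(tag_s), int(value_s))


if __name__ == "__main__":
    print(from_colon_form(":3:32"))          # 03000020, as in the note above
    print(decode_tagged_integer("03000020"))  # (3, 32)
```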
Table 22-5 RAD Mapping Parameters (continued)

Parameter   Description
attr_type   Optional. Specifies the type of RADIUS attribute, and is used to determine the queue where the attribute is located. A set of attribute queues is associated with each RADIUS request. You can specify one of the following queues:
            • REQUEST: Attributes from the inbound request.
            • REPLY: Attributes to be included in the reply. Also typically used for temporary attributes used for local processing.
Table 22-6 DBC Mapping Parameters

Parameter   Description
db_column   Mandatory. Specifies the column name of the database table.
db_width    Mandatory. Specifies the column width as defined in the database schema. Used by the database client library to determine the length of data to reserve for processing the column.
db_type     Mandatory. Used by the database client library to specify the type conversion to be performed on the data.
Table 22-7 DBP Mapping Parameters

Parameter     Description
placeholder   Mandatory.
              • For OCI: Any string value. Passed to the OCIBindByName function. Binds the mapping to a placeholder in the SQL statement as defined by the OCI syntax, based on string matching.
              • For ODBC: Integer value. Identifies the order or position of the DBP parameter in the SQL statement. Passed to the SQLBindParameter function. Binds the mapping to a placeholder in the SQL statement as specified by the ODBC syntax.
Example 22-3 User and Password Input and Output Mappings

For OCI:
    input  RAD(User-ID, REPLY)             DBP(userid,64,CHAR)
    output DBC(user_password,128,CHAR)     RAD(Password, CHECK)
           DBC(address_pool, 128, CHAR)    RAD(Address-Pool, REPLY)

For ODBC:
    input  RAD(User-Id, REPLY)             DBP(1, 254,CHAR)
    output DBC(user_password, 128, CHAR)   RAD(Password,CHECK)
           DBC(address_pool, 128, CHAR)    RAD(Address-Pool,REPLY)

The input mapping locates the RADIUS attribute User-Id in the reply queue and associates a data pointer to the local valu
Table 22-8 Pre-defined Mapping Functions

Mapping Type   Mapping Function   Description
Source         AAALocalHost       Returns the AAA Server hostname. It uses the RADIUS Server host name stored in aaa.config, or the result of the gethostname() system call when the hostname is not configured.
Source         AAALocalIP         Returns the local IP address in binary format as returned by getaddrinfo() for AAALocalHost.
Source         AAALocalIPv6       Returns the local IPv6 address in binary format as returned by getaddrinfo() for AAALocalHost.
Conversion Functions A conversion function is executed between the source and target mapping and can be used to convert or modify data. You can identify a conversion function in the conversion_function variable for each mapping entry. conversion_function is the name of the function to execute. It can either be a pre-defined function included in the AAA Server, or a user-defined function. See “Advanced SQL Mapping Configuration” (page 369) for more information on user-defined conversion functions.
SQL Statement The SQLStatement section defines the SQL statement, using standard SQL statement syntax, to execute on the input data. Following is the syntax of the SQLStatement data structure:

    SQLStatement instance {sql_statement}

Where:

instance        Database instance identified by the DBID structure.
sql_statement   User defined SQL statement. Passed unmodified to the database client library.
Example 22-4 SQL Statement to Delete a Row

For OCI:
    SQLAction StopSession {
        {
            input  RAD(Class)       DBP(sessid, 254, CHAR)
            output DBR(DBretCode)   FUNC(ACKonZero)
            SQLStatement db_oci { DELETE FROM RAD_SESS_TABLE WHERE session_id=:sessid }
        }
    }

For ODBC:
    SQLAction StopSession {
        {
            input  RAD(Class)       DBP(1, 254, CHAR)
            output DBR(DBretCode)   FUNC(ACKonZero)
            SQLStatement db_odbc { DELETE FROM RAD_SESS_TABLE WHERE session_id=sessid }
        }
    }

The following example is the equivalent replacement of the above examples for the n
For ODBC:
    SQLAction StopSession {
        {
            input  RAD(Class)   DBP(1, 254, CHAR)
            output DBR(-1:*)    RET(ERROR)
                   DBR(0:0)     RET(ACK)
                   DBR(*:*)     RET(NAK)
            SQLStatement db_odbc { DELETE FROM RAD_SESS_TABLE WHERE session_id=sessid }
        }
    }

SQL Result Mapping The SQL Access AATV does not check the result of the SQL statement execution.
DBRetCode   Returns the SQL result from the SQL statement as defined by the database client library. HP provides the following pre-defined mapping functions useful with a DBR mapping:
            — ACKonAll
            — ACKonZero
            — NAKonZero
            — RETRIEVEonZero
            See “Mapping Functions” (page 341) for more information on the event handling functions.
• DBR (return code:error code) RET (return event)
  Where values are described as follows:
  return code   Integer return value from ODBC or OCI APIs. For example, 0 or 100.
NOTE: You can use a wildcard to represent the return code and the error code. For more information on event names, see “Event Names” (page 399). NOTE: The DBR (ret code:error code) RET (ret event) form is a new syntax. It offers more options to customize your SQL result mapping. Result Handling for Retrieval Requests The default FSM expects an ACK event to indicate success, with the exception of retrieving user entries, where RETRIEVE_SUCCESS is expected.
Example 22-5 SQL Statement with Result Mapping - OCI
    SQLAction RetrieveUser {
        {
            input  RAD(User-Id,REPLY)              DBP(userid, 254, CHAR)
            output DBC(user_password, 128, CHAR)   RAD(Password,CHECK)
                   DBC(address_pool, 128, CHAR)    RAD(Address-Pool,REPLY)
                   DBR(DBretCode)                  FUNC(RETRIEVEonZero)
            SQLStatement db_oci { SELECT user_password, address_pool FROM RAD_USERS_TABLE WHERE user_name=:userid }
        }
    }
Implementing SQL Access 367
Example 22-6 SQL Statement with Result Mapping - OCI Using the New Syntax
    SQLAction RetrieveUser {
        {
            input  RAD(User-Id, REPLY)             DBP(userid, 253, CHAR)
            output DBR(100:*)                      RET(RETRIEVE_ERROR)
                   DBR(-1:*)                       RET(ERROR)
                   DBC(user_password, 128, CHAR)   RAD(Password, CHECK)
                   DBC(address_pool, 128, CHAR)    RAD(Address-Pool, REPLY)
                   FUNC(get_sid)                   RAD(Class, REPLY)
                   DBR(0:0)                        RET(RETRIEVE_SUCCESS)
                   DBR(*:*)                        RET(RETRIEVE_ERROR)
            SQLStatement db_oci { SELECT user_password, address_pool FROM RAD_USERS_TABLE WHERE user_name=:useri
NOTE: In the above example, some entries are configured with the wildcard “*” code, which matches any error code. You can replace the wildcard with the explicit values that the database returns. If RET is configured to ACK and a DBR entry matches, all remaining mapping entries of the current mapping are skipped and the next SQL mapping, if configured, is executed; for any other return event, processing returns from the SQL action.
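The following added example walks an output-mapping list the way the result-mapping rules above describe it; it is not HP-UX AAA Server code, only a simulation of the documented semantics: entries are processed in the order written, DBC entries copy columns of the returned row into the named RADIUS attribute queue, and DBR(return code:error code) RET(event) entries are compared in turn with “*” matching any code, the first match deciding the event. The entry text is the output section of Example 22-6 minus the FUNC(get_sid) line (a conversion function this simulation does not model); the row, return codes and attribute values are constructed. Where no DBR entry matches, the walk returns ACK, which is an assumption based on the statement that SQL actions start with an event of ACK.

```python
"""Simulate SQL Access output-mapping processing: DBC -> RAD column copies and
DBR(ret:err) RET(event) result matching with '*' wildcards, in list order.
Added example, not HP-UX AAA Server code; sample data is constructed."""

import re

# DBR(ret:err) RET(event), e.g. "DBR(100:*) RET(RETRIEVE_ERROR)"
DBR_RE = re.compile(r"DBR\(\s*([-\d*]+)\s*:\s*([-\d*]+)\s*\)\s+RET\(\s*(\w+)\s*\)")
# DBC(column, width, type) RAD(attribute, queue)
DBC_RE = re.compile(
    r"DBC\(\s*(\w+)\s*,\s*\d+\s*,\s*\w+\s*\)\s+RAD\(\s*([\w-]+)\s*,\s*(\w+)\s*\)")


def parse_output_entries(text):
    """Turn the lines of an output section into tuples:
    ('DBR', ret_pattern, err_pattern, event) or ('DBC', column, attribute, queue)."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = DBR_RE.fullmatch(line)
        if m:
            entries.append(("DBR", m.group(1), m.group(2), m.group(3)))
            continue
        m = DBC_RE.fullmatch(line)
        if m:
            entries.append(("DBC", m.group(1), m.group(2), m.group(3)))
            continue
        raise ValueError(f"unrecognised output entry: {line!r}")
    return entries


def code_matches(pattern, code):
    """'*' is the documented wildcard; anything else must equal the code exactly."""
    return pattern == "*" or int(pattern) == code


def walk_output_mapping(entries, row, ret_code, err_code):
    """Return (event, queues). Entries run strictly in order, so a DBR placed
    before the DBC entries (as DBR(100:*) is in Example 22-6) ends the walk
    before any column is copied when it matches."""
    queues = {}
    for entry in entries:
        if entry[0] == "DBC":
            _, column, attr, queue = entry
            if row is not None and column in row:
                queues.setdefault(queue, {})[attr] = row[column]
        else:
            _, ret_pat, err_pat, event = entry
            if code_matches(ret_pat, ret_code) and code_matches(err_pat, err_code):
                return event, queues
    # Assumption: with no matching DBR entry the action keeps the ACK it started with.
    return "ACK", queues


# Output section of Example 22-6 without the FUNC(get_sid) entry.
EXAMPLE_22_6_OUTPUT = """
DBR(100:*) RET(RETRIEVE_ERROR)
DBR(-1:*) RET(ERROR)
DBC(user_password, 128, CHAR) RAD(Password, CHECK)
DBC(address_pool, 128, CHAR) RAD(Address-Pool, REPLY)
DBR(0:0) RET(RETRIEVE_SUCCESS)
DBR(*:*) RET(RETRIEVE_ERROR)
"""


def retrieve_user(row, ret_code, err_code=0):
    """Run the Example 22-6 output mapping against a constructed result set."""
    entries = parse_output_entries(EXAMPLE_22_6_OUTPUT)
    return walk_output_mapping(entries, row, ret_code, err_code)


if __name__ == "__main__":
    sample_row = {"user_password": "Johnpass", "address_pool": "pool1"}  # constructed
    print(retrieve_user(sample_row, 0, 0))   # ('RETRIEVE_SUCCESS', {...})
    print(retrieve_user(None, 100))          # ('RETRIEVE_ERROR', {}): no row found
```

Running retrieve_user with return code 100 (OCI "no data found") shows why the DBR(100:*) entry sits before the DBC entries: the walk returns RETRIEVE_ERROR without ever touching the CHECK queue, so no stale password value can reach the authentication step.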
radrequest   Pointer to the RADIUS request currently processed.
data         For source mapping: address where to store the result. For target mapping: address from where to copy data.
len          For source mapping: address of the maximum permissible length for the data buffer; the function returns the actual length of data copied to the target buffer. For target mapping: address of the actual length of data in the data buffer.

Return Values
Custom or pre-defined event code.
Example 22-7 SQL Action with Null Source and Target Mappings SQLAction CleanupExpiredSessions { TimedEvent 120 ## Invoke the action every 120 seconds.
Example 22-8 Timestamp Synchronization

For OCI:
    SQLAction UpdateAcct {
        {
            input  RAD(Class)   DBP(sessid, 254, CHAR)
            output DBR(-1:*)    RET(ERROR)
                   DBR(0:0)     RET(ACK)
                   DBR(*:*)     RET(NAK)
            SQLStatement db_oci { UPDATE RAD_ACCT_TABLE SET update_time=current_timestamp WHERE session_id=:sessid }
        }
    }

Finite State Table Configuration in the FSM SQL Access for user profile retrieval requires no modification to the FSM. Use the Local Realm screen in the Server Manager to configure the SQL action for the desired realm.
Example 22-9 FSM with Accounting Log via SQL Access
    #####################################
    ## Start Accounting via SQL Access ##
    AcctLog:
        *.*.ACCT_START   SQLAccess  ReplyHold
        *.*.ACCT_STOP    SQLAccess  ReplyHold
        *.*.ACCT_ALIVE   SQLAccess  ReplyHold
        *.*.ACCT_MSTART  SQLAccess  ReplyHold
        *.*.ACCT_MSTOP   SQLAccess  ReplyHold
        *.*.ACCT_CANCEL  SQLAccess  ReplyHold
        *.*.ACCT_ON      SQLAccess  ReplyHold
        *.*.
Example 22-10 Remove Session Stored Procedure Definition
    create or replace procedure remove_session(sessid IN varchar2, ipaddr OUT NUMBER) IS
    BEGIN
        select ASSIGNED_FRAMED_IP into ipaddr from RAD_SESS_TABLE where session_id=sessid;
        delete from RAD_SESS_TABLE where session_id=sessid;
    END;

Run Stored Procedure Call to remove_session in SQL Action:
    SQLAction StopSession-DHCP {
        {
            input  RAD(Class)             DBP(sessid, 254, CHAR)
            output DBR(-1:*)              RET(ERROR)
                   DBP(ipaddr, 11, INT)   FUNC(AAAFreeIP)
                   DBR(0:0)               RET(ACK)
                   DBR(*:*)
This section discusses the following topics: • “Managing Users” (page 375) • “Managing Users Using OTP to Authenticate” (page 378) Managing Users This section discusses the following topics: • “Adding Users to an SQL Database” (page 375) • “Modifying User Credentials” (page 377) • “Viewing User and Token Statistics” (page 383) Adding Users to an SQL Database To add a user into the SQL database, complete the following steps: 1.
Figure 22-4 The Add User Screen

4. Enter the relevant information according to the guidelines stated in Table 22-11.

Table 22-11 Fields in the Add Users Form

User Name
    Assign a user ID for the user. A user ID can comprise alphanumeric characters, '-', '_', '!' and '@'. A user ID cannot exceed 128 characters.
First Name, Last Name
    Enter the first name and last name of the user. The names can comprise alphanumeric characters, '_', '-', '.', and the space character.
Table 22-11 Fields in the Add Users Form (continued)

Enter Token Serial Number or Allocate a Free Token
    Enter the token number listed on the token device to assign a specific token to a user. To randomly allocate a free token serial number, check the Allocate a Free Token checkbox.
    NOTE: This is an optional field. If you are not using OTP authentication, leave this field blank.
Contact Info
    Enter the contact information in the corresponding fields.
2. Enter your login and password when prompted. The User Database Administration Manager launches, as shown in Figure 22-3.
3. Search the database by entering data for any one of the following fields:
   • User Id
   • Email Id
   • L. Name or F. Name
   • Work Phone
   • Token Serial Number
   A list of matching users is displayed.
4. Click Modify User or the matching user listed. The Manage User screen is displayed.
5. Modify the relevant information.
6.
information into SQL insert statements. The generated file can be executed on the database to populate the database with the token table. After the tokens are imported into the database, they are in an AVAILABLE state, indicating that they are free and can be assigned to any user.

Assigning Tokens to Users

Once tokens are imported into the database, they must be assigned to users.
4. If OTP validation is successful, assign the token to the user by clicking Add User or Modify User Info at the bottom of the screen. The token is assigned to the user and its status changes from AVAILABLE to ASSIGNED. Additionally, the User Database Administration Manager generates and e-mails an activation code to the user.
5. If you are using a token device, mail it to the user.

Allocating Any Available Tokens to a User

To allocate any available token to a user, complete the following steps:
1.
Figure 22-6 The Enroll Token Screen

4. Complete the form in the Enroll Token screen according to the information in Table 22-12.

Table 22-12 Fields in the Enroll Token Device Form

User Name
    Enter the user name assigned to you by the administrator. User names cannot exceed 128 characters. Besides alphanumeric characters, '-', '_', '!' and '@' can also be used.
Activation Code
    This code is provided to activate the token device or software associated with your identification.

5.
Synchronizing Tokens (Procedure for Users) The HOTP algorithm is sequence-based; therefore the token and the user profile database share a counter value. The counter value of the token increments each time a request is sent to the server. The counter value in the user profile database increments each time a client request is successfully authenticated. As a result, the counter value of the token does not always correspond with that in the database.
Table 22-13 Fields in the Synchronize Token Form

User Name
    Enter the user name assigned to you by the administrator. User names cannot exceed 128 characters. Besides alphanumeric characters, '-', '_', '!' and '@' can also be used.
OTP 1, OTP 2
    Enter two consecutive OTPs generated by your token.

5. To synchronize or unlock the token, click Synchronize.
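The counter drift described above and the two-OTP Synchronize Token procedure, as an added example in Python (not code from the HP-UX AAA Server): a server-side HOTP check with a look-ahead window, and a resynchronization that only moves the stored counter when both consecutive OTPs match. The window sizes and the drift scenario are assumptions; the shared secret is the RFC 4226 Appendix D test value.

```python
"""HOTP generation and counter resynchronization (RFC 4226).

Added example, not part of the HP-UX AAA Server.  It models the drift
described in the manual: the token advances its counter on every OTP it
generates, the server only on each successful authentication, so a normal
login must search a look-ahead window and the Synchronize Token procedure
requires two consecutive OTPs before the server's counter is moved.
Window sizes below are assumptions, not the product's settings.
"""
import hashlib
import hmac
import struct

# Shared secret from RFC 4226 Appendix D (ASCII "12345678901234567890").
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP value for one counter: HMAC-SHA-1 over the 8-byte big-endian
    counter, dynamic truncation to 31 bits, then the low `digits` decimals."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify(secret: bytes, server_counter: int, otp: str, window: int = 10):
    """Ordinary authentication.  Accepts `otp` if it matches any counter in
    [server_counter, server_counter + window) and returns the new server
    counter (one past the matched value) so the same OTP cannot be replayed.
    Returns None when nothing in the window matches; the server counter is
    never moved on failure and never moved backwards."""
    for c in range(server_counter, server_counter + window):
        if hmac.compare_digest(hotp(secret, c), otp):
            return c + 1
    return None


def resync(secret: bytes, server_counter: int, otp1: str, otp2: str,
           window: int = 100):
    """Synchronize Token procedure (Table 22-13): the user supplies two
    consecutive OTPs.  The server searches a wider window than `verify`
    but only moves its counter when otp1 and otp2 match counters c and c+1,
    so a single guessed value cannot realign the counter.
    Returns the new server counter (c + 2) or None."""
    for c in range(server_counter, server_counter + window):
        if (hmac.compare_digest(hotp(secret, c), otp1)
                and hmac.compare_digest(hotp(secret, c + 1), otp2)):
            return c + 2
    return None


def drift_scenario():
    """Constructed scenario: the server counter is 3 while the token has
    advanced to 7 (four OTPs generated but never submitted).  A login with
    the token's current OTP succeeds inside the window; after far larger
    drift (counter 60) the login fails, and resync with the OTPs for
    counters 60 and 61 realigns the server to 62."""
    server = 3
    server = verify(TEST_SECRET, server, hotp(TEST_SECRET, 7))          # 8
    out_of_window = verify(TEST_SECRET, server, hotp(TEST_SECRET, 60))  # None
    realigned = resync(TEST_SECRET, server, hotp(TEST_SECRET, 60),
                       hotp(TEST_SECRET, 61))                           # 62
    return server, out_of_window, realigned


if __name__ == "__main__":
    for c in range(3):
        print(c, hotp(TEST_SECRET, c))   # 755224, 287082, 359152
    print(drift_scenario())              # (8, None, 62)
```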
Table 22-14 Valid Token Status Values

ASSIGN
    Indicates that the token has been assigned to a user, but has not yet been activated. Once the token is activated, the token status changes to ACTIVE.
ACTIVE
    Indicates that the token is currently assigned to a user.
AVAILABLE
    Indicates that the token is free and can be assigned to a user. When tokens are initially loaded into the database, their token status is AVAILABLE.
Multi-Row Support For SQL Access Currently, SQL Access handles only one row returned by an SQL query. If an SQL query returns multiple rows of the database, only the first row is processed and the remaining ones are ignored. However, to support client functionality, SQL Access must handle multiple rows returned by an SQL query. For example, an SQL query checking the database for expired sessions can return multiple rows, and disconnect requests may have to be sent every second to all rows in the database.
23 Simple Network Management Protocol (SNMP) Support Simple Network Management Protocol (SNMP) Support provides a mechanism for a centrally located management workstation to monitor the activity of remote computers and network services.
   for a user name and password, you must enter the values specified during installation.
4. From the navigation tree, click Server Properties.
5. On the Server Properties screen that appears, select SNMP Properties.
6. On the SNMP Server Properties screen that appears, select the Yes radio button and click Modify.
7. From the navigation tree, click Save Configuration.
8. From the navigation tree, click Administration.
9. Click Start.
24 VPN Tunneling Tunneling involves access to a server that provides secure intranet or other network functionality through a dial-up or Internet connection from a client workstation. This process can be categorized as one of two types: voluntary or compulsory. Some applications, such as secure access to corporate intranets through the Internet, are characterized by voluntary tunneling, where users create the tunnel through client software at their workstation.
Tunnel-Type =:1:PPTP,
Tunnel-Medium-Type =:1:IPv4,
Tunnel-Client-Endpoint =:1:192.168.127.1,
Tunnel-Server-Endpoint =:1:192.155.111.1,
Tunnel-Password =:1:Michigan,
Tunnel-Private-Group-Id =:1:engineering,
Tunnel-Assignment-Id =:1:management,
Tunnel-Preference =:1:first,
Tunnel-Client-Auth-Id =:1:NET,
Tunnel-Server-Auth-Id =:1:Michigan,
Tunnel-Type =:2:L2TP,
Tunnel-Medium-Type =:2:IPv4,
Tunnel-Client-Endpoint =:2:192.168.127.1,
Tunnel-Server-Endpoint =:2:192.170.130.
25 Using DHCP The HP-UX AAA server can act as a Dynamic Host Configuration Protocol (DHCP) relay to request IP address assignments from a DHCP server. Currently, only DHCPv4 is supported. To use DHCP, you must associate address pools with the AAA server’s incoming requests.
4. Select the Free tab on top of the Modify Users screen.
5. Enter the address pool for the user in the Reply Item field, for example: Address-Pool=
6. Click Modify.

To Associate an Address Pool with a User Profile in an LDAP LDIF File

1. From the command line, open the LDIF file in which the user profile is stored.
2.
Part V Customizing the HP-UX AAA Server

This part of the HP-UX AAA Server Administrator’s Guide contains the following chapters:
• Chapter 26: “Customizing the HP-UX AAA Server Using the Finite State Machine” (page 396)
• Chapter 27: “Customizing the HP-UX AAA Server Using Policies” (page 411)
• Chapter 28: “Customizing the HP-UX AAA Server Using the SDK” (page 446)
Table of Contents 26 Customizing the HP-UX AAA Server Using the Finite State Machine...........................................396 States ................................................................................................................................396 Using Xstring to call Policy .........................................................................................399 Using Xstring to Call an Alternate authfile ................................................................
Value Types..................................................................................................................430 Arithmetic Expressions...............................................................................................431 Arithmetic Operator Precedence and Association.................................................431 Supported Boolean Operators.....................................................................................432 Boolean Operator Precedence and Association....
Creating A3, A8 Plug-ins.......................................................................................455 AKA Algorithm Plug-in for EAP-AKA.......................................................................456 Creating AKA Plug-ins..........................................................................................
26 Customizing the HP-UX AAA Server Using the Finite State Machine The main component of the server’s software engine is the Finite State Machine (FSM) and a few associated routines. At server startup, the FSM reads instructions from a state table by loading and parsing a .fsm file. By default, it loads the radius.fsm file, unless it is missing or if you have specified another .fsm file using the radiusd -f command. The .
Figure 26-1 Default FSM State Transitions The actions triggered during this process read information from the server’s configuration, and from stored user profiles, and policy. Based on this information the actions perform the server’s authentication, authorization, and accounting functions. The server can be set up to do a variety of different functions by modifying existing or creating new FSM state tables.
State-name
    An arbitrary string that represents a state in the FSM. It can contain any printable ASCII character except the space, new line, carriage return, tab, and colon characters.
    • Every state except the Start state must be referenced by at least one event handler in any state as its next state.
    • Every state except the End state must have at least one associated event handler.
    • Every state referenced in an event handler must be defined. A state is defined only once in the FSM.
Xvalue=integer
    An A-V pair (integer value) that may be passed to an Action as an argument. Only one integer argument may be specified for each event.
Xstring=string
    An A-V pair (string value) that may be passed to an Action as an argument. Only one string argument may be specified for each event.

Using Xstring to call Policy

With the POLICY module, you can use the Xstring parameter to specify a URL where policy definitions are stored.
the server to return predefined or custom event names by using the Decision attribute in stored policy.

Predefined Event Names

Several event names that can be returned by an action are predefined in the server.

Table 26-1 Predefined Event Names

ACCT
    The incoming request is an Accounting-Request.
ACC_CHAL
    An Access-Challenge message must be sent in response to an access challenge.
ACCT_ALIVE
    The incoming Accounting-Request is an interim accounting message.
Table 26-1 Predefined Event Names (continued)

ACT_TUNNEL_LINK_REJECT
    The incoming Accounting-Request indicates that the user has been denied access to an established tunnel.
AUTHEN
    The incoming request is an Access-Request.
AUTH_ONLY
    The received Access-Request has a Status-Type of Authenticate-Only.
CONTINUE
    The incoming Access-Request is a continuation of an in-progress EAP conversation.

In general, you can allow the server to handle these events without any modification.
Table 26-1 Predefined Event Names (continued)

POST_REPLY_EGRESS
    This event is returned by the reply-egress policy. It handles post-reply-egress actions when OTP authentication is configured.
    NOTE: The default policy file uses SQLAccess.
PROXY_CREDENTIAL
    Proxies OTP to the target proxy server when OTP authentication is configured.
    NOTE: The default policy file uses the RAD2RAD AATV.
Table 26-1 Predefined Event Names (continued)

SIM_AUTH_BY_FAST_REAUTH_ID
    EAP-SIM authentication needs to be done based on the Fast Reauth Identity.
SIM_UPDATE
    EAP-SIM Pseudonym or Fast Reauth Identity database update.
AKA_AUTH_BY_PERMANENT_ID
    EAP-AKA authentication needs to be done based on the Permanent Identity.
AKA_AUTH_BY_PSEUDONYM
    EAP-AKA authentication needs to be done based on the Pseudonym Identity.
AKA_AUTH_BY_FAST_REAUTH_ID
    EAP-AKA authentication needs to be done based on the Fast Re
Table 26-2 Available Actions (continued)

AUTHENTICATE
    Initial action to handle an Access-Request.
CHK_DNY
    Verifies check items in the user profile.
CLEANUP
    Exits the FSM.
CLIENT
    Enqueues the CLIENT request in a message queue and spawns a new CLIENT request.
CONTINUE
    Resumes processing of an in-progress EAP conversation.
EAP
    Performs EAP authentication.
iaaaUsers, iaaaFile
    Attempts to retrieve a user profile stored in a users file.
Table 26-2 Available Actions (continued)

ReplyDispatch
    Translates the Interlink-Reply-Status attribute to an FSM event.
ReplyPrep
    Prepares to generate reply messages prior to the reply-egress policy.
ReplySend
    Generates reply messages after the reply-egress policy.
RequestDispatch
    Translates the Interlink-Proxy-Action attribute to an FSM event.
Table 26-3 Predefined FSM Tables (continued)

/opt/aaa/examples/config/logall.fsm
    Logs all accounting messages in Merit-style session logs.
/opt/aaa/examples/config/proxyacct.fsm
    Template file that allows accounting messages to be logged at a remote proxy server.
/opt/aaa/examples/config/DNIS.fsm
    Template file that adds an example of DNIS routing to default.fsm.
/opt/aaa/examples/config/DAC.fsm
    Template file that adds an example of dynamic access control (DAC) to default.
the user. Preprocessing requires that you write or obtain a plug-in that will parse the message and pass the processed A-V pairs to the iaaaUsers action. Modify the state table to call the preprocessing plug-in when the message is first received. Add a preprocessing state that calls the iaaaUsers action and transitions to the UsersCheck state.
1 START:
2     *.+AUTHEN.ACK          PREPROC     Preauth
3     *.+AUTHENTICATE.ACK    PREPROC     Preauth
4 Preauth:
5     *.PREPROC.ACK          iaaaUsers   UsersCheck
6     *.PREPROC.NAK          REPLY       Hold
7 . . .

Lines 1-3
    *.+AUTHEN.ACK or *.+AUTHENTICATE.ACK indicates that the received message is an Access-Request. PREPROC indicates the action, which calls the custom PREPROC software module. PREPROC is programmed to parse User-Name, strip out the extraneous information, and assign the result to the User-Id attribute.
defined in your plug-in. The ACCTLog state in the following example uses a logging format generated by MYLOG for an ordinary session and another format generated by TUNNELLOG for tunnel sessions.

ACCTlog:
    *.*.ACCT_START
    *.*.ACCT_STOP
    *.*.ACCT_ALIVE
    *.*.ACCT_MSTART
    *.*.ACCT_MSTOP
    *.*.ACCT_CANCEL
    *.*.ACCT_ON
    *.*.ACCT_OFF
    *.*.ACCT_TUNNEL_START
    *.*.ACCT_TUNNEL_STOP
    *.*.ACCT_TUNNEL_REJECT
    *.*.ACCT_TUNNEL_LINK_START
    *.*.ACCT_TUNNEL_LINK_STOP
    *.*.
Lines 9 to 15 Handle the accounting response from the remote server and close the request. NOTE: This example appears in the AAA Server-provided template file, proxyacct.fsm.
27 Customizing the HP-UX AAA Server Using Policies This chapter explains how you can use policies to customize the HP-UX AAA Server. This chapter also discusses some sample policy implementations.
Notes:
• Customers can also write their own policy decision files and invoke them from the FSM or the user profiles.
• This chapter discusses only the new (and easier to use) format for creating decision files. The old format contains policy group entries that are still supported. However, the old format is not documented in this chapter. For information about the old syntax, see Appendix E (page 596).
• You cannot create a single decision file using syntax from both formats.
Example 27-1 An example of a policy file that restricts Session-Timeout to one hour for guests, removes unwanted attributes, and provides administrative privileges to administrators

# Guests have a session-timeout of one hour. Normal users
# have 5 hours.
if (substr (User-Name after "@") = "guest.example.com") {
    insert Session-Timeout = 3600
} else {
    insert Session-Timeout = 18000
}
if( NAS-IP-Address = "192.168.0.1") {
    # Delete Filter-Id for NASes that do not support it.
The delete Command

Syntax
    delete

Parameters
    The parameter is an attribute specification. For more information on specifying attributes, see “Attribute Specifications” (page 422).

Operation
    The delete command deletes the specified attribute instance(s) from the request. If the parameter refers to an instance that is not present, no instance is deleted.

Examples
    Table 27-1 discusses some examples that illustrate the use of the delete command.
Table 27-1 Examples Illustrating the Use of the delete Command (continued)

Attributes in the Request:
    NAS-Port = 2
    Reply-Message = "Hello, world!"
Command:
    delete NAS-IP-Address[0]
Result:
    NAS-Port = 2
    Reply-Message = "Hello, world!"

Attributes in the Request:
    NAS-Port = 2
    Reply-Message = "Hello, world!"
Command:
    delete NAS-IP-Address[last]
Result:
    NAS-Port = 2
    Reply-Message = "Hello, world!"

The insert Command

Syntax
    insert =

Parameters
    • The parameter is an attribute specification.
Table 27-2 Behavior of the insert Command in Various Scenarios

If the parameter refers to an instance that is not present,
    then the attribute is inserted at the end of the list.
If the parameter refers to a tagged attribute (tag-int or tag-str) and the value is not a tagged value,
    then the tag for the inserted attribute is set to 0.
If the parameter refers to an attribute that is not tagged and the value is a tagged value,
    then the tag is ignored.

Examples
    Table 27-3 discusses some e
Table 27-3 Examples Illustrating the Use of the insert Command (continued)

Attributes in the Request:
    Reply-Message = "abc"
Command:
    insert NAS-Port = count( Reply-Message[*] )
Result:
    Reply-Message = "abc"
    NAS-Port = 1

Attributes in the Request:
    Idle-Timeout = 10
    Xvalue = 20
Command:
    insert Session-Timeout = Idle-Timeout * Xvalue
Result:
    Idle-Timeout = 10
    Xvalue = 20
    Session-Timeout = 200

For information on attribute functions (such as the count attribute function), see “Attribute Functions” (page 424).
Table 27-4 Examples Illustrating the Use of the modify Command

Attributes in the Request:
    Reply-Message = "123"
    Reply-Message = "456"
Command:
    modify Reply-Message = "abc"
Result:
    Reply-Message = "123"
    Reply-Message = "abc"

Attributes in the Request:
    Reply-Message = "123"
    Reply-Message = "456"
Command:
    modify Reply-Message = Reply-Message[0]
Result:
    Reply-Message = "123"
    Reply-Message = "123"

Attributes in the Request:
    NAS-Identifier = "abc.def.
NOTE: Event names are case-insensitive (MyEvent is considered identical to MYEVENT).

Operation
    The exit command terminates the evaluation of the policy and returns the named event to the FSM. The use of an undefined event name results in an undefined-event load-time error.

The log Command

Syntax
    log "" ""
    log "" "",
    log "" "", , , ...
Examples

    log "Warning" "This user should not come in through this NAS", User-Name, NAS-IP-Address

Results in the following logs in the logfile:

    : decisionfile://request-ingress.grp(line 100, character 1): This user should not come in through this NAS, RADIUS:User-Name[last]="test_user", RADIUS:NAS-IP-Address[last]=15.146.225.
Example 27-2 Examples Illustrating the Use of the if Command

Example 1

The following if statement:

if ( Session-Limit[1] < 30 ) {
    modify Session-Limit[1] = 30
} else {
    if ( Session-Limit[1] > 240 ) {
        modify Session-Limit[1] = 240
    }
}

With the following input:
    Session-Limit[0] = 10
    Session-Limit[1] = 300

Results in:
    Session-Limit[0] = 10
    Session-Limit[1] = 240

Example 2

The following if statement:

if ( (NAS-IP-Address = "192.168.1.2") && ((NAS-Identifier = .jack.
    Idle-Timeout = 10
    Session-Timeout = 90
    Xvalue = 10

Results in:
    An ACK event is returned to the FSM.

Attribute Specifications

You can use the following keywords to specify an attribute:
• “Attribute Names.”
• “Vendor Names.”
• “Attribute Instance Specifications.”
• “No Instance Specification.”
• “Numeric Instance Specification.”
• “Keyword Instance Specification” (page 423)

The following sections describe these keywords in detail.
Attribute instance specifications are provided using the [] syntax, after the attribute name. The instance of interest is indicated inside the square brackets ([]). You can specify an attribute instance in one of the following ways:
• “No Instance Specification.”
• “Numeric Instance Specification.”
• “Keyword Instance Specification” (page 423)

While specifying attribute instance specifications, ensure that there is no white space around or between the square brackets ([]).
This format is supported only by the delete command, the log command, and the count() attribute function. Using this format in unsupported contexts results in an invalid-instance-specification load-time error. For more information on the delete and log action commands, see “The delete Command” (page 414) and “The log Command” (page 419). For more information on the count() attribute function, see “The count Attribute Function” (page 424).
Parameters The parameter is an attribute specification. For more information on specifying attributes, see “Attribute Specifications” (page 422). Operation Returns an integer value that indicates the number of characters in the string attribute. For a tag-str attribute, the tag octet is not included. If refers to an instance that is not present, then a no-such-instance run-time error is generated.
Table 27-5 Examples of the strcat Attribute Function (continued)

Attributes in the Request:
    Reply-Message = "123"
    Tunnel-Password = :2:"abc"
Command:
    modify Reply-Message = strcat ( Reply-Message, toupper( Tunnel-Password ) )
Result:
    Reply-Message = "123ABC"
    Tunnel-Password = :2:"abc"

Attributes in the Request:
    Reply-Message = "123"
    Tunnel-Password = :2:"ABC"
Command:
    insert Tunnel-Password = strcat ( tolower( Tunnel-Password ), Reply-Message )
Result:
    Reply-Message = "123"
    Tunnel-Password = :2:"ABC"
    Tunnel-Password = :0:"abc123"

Attributes in the Request:
    Reply-Message =
NOTE: If length is not present, the length defaults to the remainder of the string.

Operation
    Returns the requested substring with the same type as the source. If the offset is off the end of the string, substr returns an empty string.
Parameters
    Following are the parameters for the before keyword:
    • The first parameter is an attribute specification. For more information on specifying attributes, see “Attribute Specifications” (page 422).
    • The second parameter must be a quoted string constant.

Operation
    Returns the requested substring with the same type as the source. If a before string is specified, the substring runs from the beginning of the source string up to but not including the first occurrence of that string.
Parameters
    Following are the parameters for the after keyword:
    • The first parameter is an attribute specification. For more information on specifying attributes, see “Attribute Specifications” (page 422).
    • The second parameter must be a quoted string constant.

Operation
    Returns the requested substring with the same type as the source. If an after string is specified, the substring starts after the first occurrence of that string.
Parameters
    • The parameter is an attribute specification. For more information on specifying attributes, see “Attribute Specifications” (page 422).

Operation
    Returns the string value converted to lowercase with the same type as the source. If the parameter refers to an instance that is not present, then a no-such-instance run-time error is generated.
NOTE: • String values can be used with string, tag-str, and octets type attributes. IP Address Values: IP address values are enclosed in double quotes ("), and specified using standard dotted-quad notation (in case of IPv4 addresses) and colons (in case of IPv6 addresses). Using an invalid IP address results in a syntax-error load-time error. NOTE: IP address values can be used only with attributes of type ipaddr, ipv6addr, ifid, and ipv6prefix.
    — * /
    — +
• Association Rules: Following are the association rules in decreasing order:
    — + - left-to-right
    — * / left-to-right
    — - (negation) non-associative

The following example illustrates the use of arithmetic expressions.
Boolean Operator Precedence and Association

When multiple operators appear in a Boolean expression, the following precedence and association rules are applied:
• Precedence Rules: Following are the precedence rules in decreasing order:
    — ()
    — !
    — <, >, <=, >=
    — !=
    — &&
    — ||
    — =
• Association Rules: Following are the association rules:
    — && left-to-right
    — || left-to-right
    — ! right

The following examples illustrate the rules of precedence:
Example 27-7 Examples Illustrating Precedence Rules

Example 1

The boolean expression:

    Reply-Message = "hello" && NAS-Port > 7 || Reply-Message = "goodbye" || Reply-Message = "nothing"

is fully parenthesized as:

    ( ( (Reply-Message = "hello") && (NAS-Port > 7) ) || (Reply-Message = "goodbye") ) || (Reply-Message = "nothing")

and is evaluated as:

    if ( Reply-Message = "hello" )
        if ( NAS-Port > 7 )
            return true
    if ( Reply-Message = "goodbye" )
        return true
    if ( Reply-Message = "nothing" )
        return true
    return false
Table 27-8 Compatible Attribute Types

Integer-value
    • integer
    • tag-int
    • short
    • octet
String-value
    • string
    • tag-str
    • octets
Date-value
    • date
IP-address-value
    • ipaddr
    • ipv6addr
    • ifid
    • ipv6prefix

You must not mix attributes from different value-type groups, because this can cause a type-mismatch load-time error.

Invoking a Policy

You can invoke policy using one of the following methods:
• “Invoking Policies Through Predefined Policy Hooks.
the first step in the FSM, before the request is dispatched for processing. The request ingress policy can be used to alter the request in one of the following ways:
• A-V pairs may be added, changed, or removed.
• The request classification may be altered.
• The request may be rejected immediately.
• The request may be dropped entirely and no reply is sent.

Figure 27-1 (page 436) illustrates the flow of the request ingress policy.
Figure 27-2 Flow of the User Policy Invoking Policy from User Profiles In the user profile (can be local users file, LDAP, or SQLAccess), add a Policy-Pointer as a check or reply item with the full pathname of the decision file containing the group authorization policies. Enclose the pointer in single or double quotes. The Policy-Pointer string cannot be more than 63 characters in length.
Figure 27-3 Flow of the Reply Egress Policy

Proxy Egress Policy

Proxy egress policy can be defined in the proxy-egress.grp decision file in the server's configuration directory. The proxy egress policy is applied before the RADIUS proxy request message is created and sent. The proxy egress policy can be used to alter the request in one of the following ways:
• A-V pairs may be added, modified, or removed.
• The request may be rejected immediately.
• The request may be dropped entirely and no reply is sent.
Figure 27-4 Flow of the Proxy Egress Policy

Proxy Ingress Policy

Proxy ingress policy can be defined in the proxy-ingress.grp decision file in the server's configuration directory. The proxy ingress policy is applied after the proxy response is received. The proxy ingress policy can be used to alter the request in one of the following ways:
• A-V pairs may be added, modified, or removed.
• The reply type may be altered.
• The request may be rejected immediately.
Figure 27-5 Flow of the Proxy Ingress Policy

Useful Attributes for Policy Conditions

Table 27-9 lists and describes attributes that are typically used for policy group conditions or replies.

Table 27-9 Attributes Typically Used in Policy Group Conditions and Replies

Interlink-Packet-Code
    This attribute contains the code from the RADIUS packet header. It can have an Access-Request or an Accounting-Request value.
Table 27-9 Attributes Typically Used in Policy Group Conditions and Replies (continued)

Interlink-Request-Type
    This attribute contains information about whether this is a normal request or a continuation of an in-progress EAP conversation. It can have a REQUEST or CONTINUATION value.
Interlink-Reply-Status
    This attribute contains the reply status.
When a policy is evaluated, it can return an event to the FSM to direct the subsequent processing of a request. The policy can return events to the FSM in the following ways:
• Exit Command: Using the Exit command terminates the evaluation of the policy. The specified event is returned to the FSM.
• Default Event: If evaluation of a decision file reaches the end without encountering an Exit command, the default event is returned to the FSM. The default event is ACK.
1. Replace the radius.fsm file in the server's configuration directory with /opt/aaa/examples/config/DAC.fsm. For example, if the server's configuration directory is /etc/opt/aaa/radius.fsm, then enter the following command:

   # cp /opt/aaa/examples/config/DAC.fsm /etc/opt/aaa/radius.fsm

   NOTE: Take a backup of /etc/opt/aaa/radius.fsm before replacing it.

   IMPORTANT: If you are using a different decision file than the supplied DAC.
DNIS Routing In a typical DNIS routing scheme, requests are handled according to the Calling-Station-Id and Called-Station-Id attributes. The POLICY action matches the Calling-Station-Id and Called-Station-Id attribute values in the Access-Request to the conditions defined in the DNIS decision file, and returns the matching policy group reply items and the FSM events Forward and Abandon. The required events and states are defined in the DNIS.fsm file delivered with the server.
1. Edit the DNIS.grp decision file to reflect your station-based access policies. For example, to change the Calling-Station and Called-Station numbers in the Controlled Access condition, edit the DNIS.grp file as follows:

   # Controlled Access
   if ( (Calling-Station-Id = "7341234567") || (Called-Station-Id = "7341236543") ) {
       exit "Forward"
   }

   You can add further attributes to these access groups if your policies require that other conditions be met.
28 Customizing the HP-UX AAA Server Using the SDK This chapter describes how to use the Software Developer's Kit (SDK) to customize the HP-UX AAA Server. This chapter addresses the following topics: • “SDK Overview.
Example 28-1 Example of a Pre-Paid Billing Application Using a Plug-in Created Using the HP-UX AAA Server SDK In this example, a service provider wants to implement a service where blocks of connect time are purchased in advance. In addition to being authenticated, each user must be authorized based on his or her account balance. Only those users with a positive balance are granted network access and their session is limited to the time equivalent of their balance at the time they are authenticated.
Migrating Plug-ins Created Using Previous Versions of the SDK Plug-ins created using previous versions of the SDK must be ported to use the new SDK and recompiled before using it with HP-UX AAA Server A.08.01. For information on recompiling your plug-in, see “Compiling and Loading a Plug-in” (page 452) Prerequisites for Using the SDK HP recommends installing the HP aC++ Compiler (# B3913DB) to compile plug-ins created using the HP-UX AAA Server SDK.
AATV Components

An AATV is implemented as a shared library that contains specific functions. These functions are called from the HP-UX AAA Server. An AATV can contain the following functions:
• “The init Function.”
• “The action Function.”
• “The timer or callback Function” (page 450)
• “The cleanup Function” (page 450)

NOTE: These functions are optional. However, you must implement at least one of these functions.
IMPORTANT: All common event codes and corresponding event names are defined in the sdk.h header file. You can also define new event codes, for example, in scenarios where the AATV action produces multiple results that need to be handled by an AATV separately. However, do not use the sdk.h file to define new event codes. Instead, use the FSM file radius.fsm to define new event codes.
The ACE AATV The ACE AATV is a sample challenge-response authentication AATV. At a high level, this plug-in performs the following functions: 1. Checks that the User-Id A-V pair is present in the request. If it is not present, an error is returned. 2. If the User-Id A-V pair is present, then it checks whether the State A-V pair is present. If the State A-V pair is present, it proceeds to step 3. If it is not present, it creates a State A-V pair with the User-Id value and appends a string .
3. Add the aatv_load function to register the AATV with the HP-UX AAA Server. The aatv_load function, shown below, initializes the global aatv_info_v2_t structure that holds the function pointers to the init(), action(), timer(), and cleanup() functions.
int aatv_load (aatv_info_v2_t **aatv_list, int *aatv_count)
where:
aatv_list is the list of all the AATVs that are loaded.
aatv_count is the number of AATVs that are loaded.
6. To ensure that the AATV is loaded correctly, check the logfile for an entry similar to the following:
read_dyn_cfg: Loaded shared object: ,

Testing and Debugging a Plug-in

You must test the software module before you use it in a production environment. You can use several different methods to debug the modules that you create. This section discusses testing the software module using the GNU Project Debugger (gdb).
7. Attach the radius pid, as follows:
# gdb> attach
Output similar to the following is displayed:
Reading symbols from /opt/aaa/aatv/proldap.so...done.
Reading symbols from /opt/aaa/aatv/securidAatv.so...done.
Reading symbols from /opt/aaa/aatv/snmpAgent.so...done.
Reading symbols from /opt/aaa/aatv/tacplus.so...done.
Reading symbols from /opt/aaa/aatv/tunneling.so...done.
Reading symbols from /opt/aaa/aatv/vlogit.so...done.
Reading symbols from /opt/aaa/aatv/samplesc.so...
An A3 or A8 plug-in may include zero or one A3 algorithm. If you write a plug-in for A3, an A8 plug-in with the same name must exist. Similarly, if you write a plug-in for A8, an A3 plug-in with the same name must exist.

Creating A3, A8 Plug-ins

You can create a plug-in using one of the sample plug-ins as a base. The procedure and the example described in this section use the sample_sim_a3a8.c file to create a plug-in. To create a plug-in using the sample_sim_a3a8.
c. If the a3impl and a8impl function names are modified, make the corresponding changes in the following code:
sim_a3a8_info->a3 = a3impl;
sim_a3a8_info->a8 = a8impl;
d. Enter the value of plugin_array as described in the code. For example, for the second plug-in, modify the code as follows:
plugin_array[0].type = SIM_A3A8;
plugin_array[0].info = (void *)sim_a3a8_info;
e. If there is more than one plug-in, modify the value accordingly in the following code:
*plugin_count
Creating AKA Plug-ins

You can create a plug-in using one of the sample plug-ins as a base. The procedure and the example described in this section use the sample_aka_algo.c file to create a plug-in. To create a plug-in using the sample_aka_algo.c file, which is available at /opt/aaa/examples/sdk/aka_algo, complete the following steps:
1. Rename the sample_aka_algo.c file and open it for editing.
2. Include the following mandatory header files:
#include
#include "sdk.h"
#include "plugin.h"
NOTE: Changing the function names is not mandatory. However, the parameters must not be modified.
4. Register the AKA algorithm plug-ins.
    1. If your plug-in includes more than one plug-in entry, modify the array size accordingly. To modify the array size, change the value within plugin_array[1] to the number of plug-ins to be written for this module.
    2. Modify the plugin_load function in the following code:
aka_algo_plugin_info_t *aka_algo_info;
static const char func[] = "plugin_load";
    a.
On success, the f1() algorithm returns SDK_SUCCESS. Otherwise, it returns SDK_FAILURE.
6. To implement the sample f1x() algorithm, modify the following code in the f1ximpl function:
unsigned int idx;
for ( idx = 0; idx < 8; ++idx ) {
    maca[idx] = 0;
}
return SDK_SUCCESS;
On success, the f1x() algorithm returns SDK_SUCCESS. Otherwise, it returns SDK_FAILURE.
10. To implement the sample f5() algorithm, modify the following code in the f5impl function:
unsigned int idx;
for ( idx = 0; idx < 6; ++idx ) {
    ak[idx] = 0;
}
return SDK_SUCCESS;
On success, the f5() algorithm returns SDK_SUCCESS. Otherwise, it returns SDK_FAILURE.
11. To implement the sample f5x() algorithm, modify the following code in the f5ximpl function:
unsigned int idx;
for ( idx = 0; idx < 6; ++idx ) {
    ak[idx] = 0;
}
return SDK_SUCCESS;
On success, the f5x() algorithm returns SDK_SUCCESS.
Part VI Troubleshooting

This part of the HP-UX AAA Server A.08.01 Administrator’s Guide is organized as follows:
• Chapter 29: “Troubleshooting Overview” (page 464): Describes the AAA environment and gives an overview of HP-UX AAA Server troubleshooting.
• Chapter 30: “Troubleshooting Procedures” (page 469): Provides a troubleshooting flowchart followed by specific troubleshooting tables that help you identify the problem and take the necessary corrective actions.
Table of Contents
29 Troubleshooting Overview (page 464)
    AAA Environment Components (page 464)
    HP-UX AAA Server Operation (page 465)
    Probable Causes for Failure
32 Reporting Problems (page 513)
    Server Set Up Information (page 513)
    Server Manager Related Information (page 514)
    External Components
29 Troubleshooting Overview This chapter of the HP-UX AAA Server Administrator's Guide provides an overview of HP-UX AAA Server troubleshooting with respect to the AAA environment.
Figure 29-1 AAA Environment Components

HP-UX AAA Server Operation

Figure 29-2 depicts the HP-UX AAA Server operation from the troubleshooting perspective.
Figure 29-2 HP-UX AAA Server Operation

The HP-UX AAA Server operation consists of the following steps:
1. The user or device that requires authentication communicates with the RADIUS client and provides authentication credentials such as a user name and password. At this stage, an incorrect supplicant configuration or invalid credentials can lead to authentication failures or an unresponsive HP-UX AAA Server.
NOTE: Troubleshooting the supplicant is outside the scope of this chapter.
a. The HP-UX AAA Server can contact an external service such as a database or LDAP directory server to retrieve user information and perform authentication.
b. The HP-UX AAA Server can forward the request to a proxy HP-UX AAA Server for authentication.
c. The HP-UX AAA Server can contact a DHCP server for IP address management.
information can be used to identify the external service accessed to process the RADIUS request. Some external service failures do not result in the HP-UX AAA Server recording a message in the server logfile. For example, if the HP-UX AAA Server times out waiting on a busy database server, it does not record an error in the logfile, and no reply is sent to the RADIUS client.

Protocol Limitations

The HP-UX AAA Server communicates with the RADIUS client using the RADIUS protocol.
30 Troubleshooting Procedures This chapter describes how to troubleshoot problems that you encounter while using the HP-UX AAA Server in the AAA environment. This chapter includes a diagnostic flowchart and troubleshooting tables that enable you to identify the problem and perform the appropriate corrective actions.
Figure 30-1 Troubleshooting Flowchart
Troubleshooting Flowchart Process

This section describes the troubleshooting process that you can follow to identify problems with the HP-UX AAA Server. Each step listed below maps to the problem depicted in Figure 30-1.
1. Can you launch Server Manager and view all applets and icons? Launch the Server Manager administration utility and verify that all the applets and icons are displayed.
3. Does the HP-UX AAA Server respond to requests? Check whether the HP-UX AAA Server responds to Access-Requests from clients and supplicants.
Problem: Is the server not responding to requests?
Resolution: See “Troubleshooting an Unresponsive HP-UX AAA Server” (page 483).
If you are able to resolve the problem using the suggestions listed in that section but are facing other problems, proceed to step 4. If you are not facing any other problems, end the troubleshooting process.
Common Problems With the Server Manager

Table 30-1 lists the common problems that you can encounter while using the Server Manager administration utility. Compare the problem you observe with those listed in this table and perform the corresponding corrective actions.

Table 30-1 Common Problems with the Server Manager
Problem: Cannot launch the Server Manager
Cause: Server Manager cannot be launched for the following reasons:
• An unsupported browser is used.
Table 30-1 Common Problems with the Server Manager (continued)
Problem: Can launch the Server Manager, but cannot start, stop, load or save, or view statistics of the HP-UX AAA Servers configured with an IPv6 address in the ‘Domain Name or IP address’ field.
Cause: Tomcat is not IPv6 enabled.
Solution:
1. Stop Tomcat.
2. Execute the following command:
export JAVA_OPTS="$JAVA_OPTS -Djava.net.preferIPv4Stack=false"
3.
Table 30-1 Common Problems with the Server Manager (continued)
Solution (continued): correspond to the same host. “Servers Using HP-UX AAA Server Manager”.
Cause: HP-UX AAA Server Manager has not validated these values because the RMI object was not running when the server was configured.
Problem: Can launch the Server Manager, but get ‘Parse Error’ in the HP-UX AAA Server Status Frame.
Cause: Error while parsing the group configuration file.
Solution:
1. Stop the HP-UX AAA Server Manager and Tomcat.
2.
If the Tomcat server is not running, export the Java path and then use the Tomcat startup script to start Tomcat, as follows:
# export JAVA_HOME=/opt/java1.5
# /opt/hpws22/tomcat/bin/startup.sh
Verify that the Tomcat server is running after running the startup script. If the Tomcat server is not running, check the Tomcat server logs in /opt/hpws22/tomcat/logs/catalina.out.
5.
NOTE: Before starting and stopping the RMI server, the JAVA_HOME environment variable must be set to appropriate path. For example, to use Java6, export JAVA_HOME to the /opt/java6 path. If the JAVA_HOME environment variable is not set or set incorrectly, the default value /opt/java1.5 is used to start and stop the RMI Server. 3.
Troubleshooting HP-UX AAA Server Startup Problems This section describes how to troubleshoot problems encountered while starting the HP-UX AAA Server. To troubleshoot HP-UX AAA Server startup problems, complete the following steps: 1. Search for the failure error messages in the HP-UX AAA Server logfile using the Server Logfile screen in the Server Manager administration utility. For more information on using the Server Logfile screen, see “Using Server Manager to Retrieve Logfile Information” (page 142).
Table 30-2 Common Problems with HP-UX AAA Server Startup (continued)
Problem: Incorrect permissions
Log Message: radiusd: Error '13' (Permission denied). Cannot launch radiusd daemon. User cannot open /var/opt/aaa/run/radiusd.pid. Verify read/write permissions for user on the file.
Cause: The radiusd.pid file does not have read-write permissions for the user who is trying to start the radiusd daemon.
Table 30-2 Common Problems with HP-UX AAA Server Startup (continued)
Problem: Unable to load AATVs
Log Message: open_library: Cannot open shared object '': ''.
Table 30-2 Common Problems with HP-UX AAA Server Startup (continued)
Problem: FSM-related problems
Log Message:
doconfig: init_fsm() failed
rad_fsminit: invalid action name: 'invalid' line
Cause: The FSM file /etc/opt/aaa/radius.fsm contains an invalid action specified at line .
Solution: Edit /etc/opt/aaa/radius.fsm to specify a valid action name at line . See “Actions” (page 403) for more information on specifying actions.
Table 30-2 Common Problems with HP-UX AAA Server Startup (continued) Problem Troubleshooting be removed from the /etc/opt/aaa/authfile and /etc/ opt/aaa/EAP.authfile. HP recommends that you use the SQL Access AATV instead of Oracle AATV, EAP-PEAP instead of EAP-LEAP, and OATH standard-based authentication instead of SecurID authentication. For information on how to configure SQL database based authentication, see Chapter 22 “SQL Access”.
and radacct respectively) are in the LISTEN state and used by the correct process. For example:
# lsof -i :
The authentication port (default 1812) and accounting port (default 1813) must be in the LISTEN state and used by the radius process.
NOTE: The lsof tool is an open source tool and is not installed by default on HP-UX operating systems.
3.
Troubleshooting Common Configuration Problems

Table 30-3 lists problems caused by incorrect configuration on the RADIUS client or the HP-UX AAA Server. Compare the error recorded in the logfile with the following and perform the appropriate corrective actions.

Table 30-3 Common Configuration Problems
Problem: Request dropped
Log Message: Request from unknown client dropped.
Table 30-3 Common Configuration Problems (continued)
Problem: Request dropped
Log Message:
get_radrequest: Request dropped. Unknown RADIUS packet 'invalid(66)' received from client 'example.com:50390'
Or
get_radrequest: ill formed packet from [55421] code = 1, vers = 1, len(hdr) = 1000, len(rcvd) = 56
Or
get_radrequest: NO a/v pairs from [55697] - access (type 1), len = 20
Or
Request from 'example.com: port' dropped.
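The checks that produce the two “Request dropped” rows above (unknown client, unknown packet code, header length disagreeing with the received length, no A-V pairs), written out as an added example. This is not code from the HP-UX AAA Server; it is an independent validator written for this guide, and it goes a step further than the log messages by also verifying the Accounting-Request authenticator and a Message-Authenticator attribute, so that a wrong shared secret is detected before a request is processed. The packet layout follows RFC 2865/2866 and RFC 3579; the CLIENTS table and the secrets in it are constructed stand-ins for the clients file.

```python
"""Added example, not code from the HP-UX AAA Server: RADIUS request validation
on constructed packets, mirroring the get_radrequest drop conditions."""

import hashlib
import hmac
import os
import struct

CODES = {1: "access", 2: "accept", 3: "reject", 4: "accounting",
         5: "accounting-response", 11: "challenge", 12: "status-server"}
HEADER_LEN, MAX_LEN, MESSAGE_AUTHENTICATOR = 20, 4096, 80

# Constructed stand-in for the clients file: source address -> shared secret.
CLIENTS = {"192.0.2.10": b"nas-shared-secret"}


class Dropped(Exception):
    """The reason a request is dropped; the text is what the server would log."""


def parse_avps(data):
    """Split the attribute area into (type, value) pairs, rejecting bad lengths."""
    avps, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise Dropped("ill formed packet: truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise Dropped(f"ill formed packet: attribute {atype} has length {alen}")
        avps.append((atype, data[i + 2:i + alen]))
        i += alen
    return avps


def validate_request(src, packet):
    """Return (code, identifier, avps) or raise Dropped with the reason."""
    if src not in CLIENTS:
        raise Dropped(f"Request from unknown client '{src}' dropped")
    secret = CLIENTS[src]
    if len(packet) < HEADER_LEN:
        raise Dropped(f"ill formed packet: only {len(packet)} octets received")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code not in CODES:
        raise Dropped(f"Unknown RADIUS packet 'invalid({code})' received from client '{src}'")
    if length < HEADER_LEN or length > MAX_LEN or length > len(packet):
        raise Dropped(f"ill formed packet: code = {code}, len(hdr) = {length}, len(rcvd) = {len(packet)}")
    packet = packet[:length]  # octets beyond Length are padding and are ignored (RFC 2865)
    authenticator = packet[4:20]
    avps = parse_avps(packet[20:])
    if not avps:
        raise Dropped(f"NO a/v pairs - {CODES[code]} (type {code}), len = {length}")
    if code == 4:
        # Accounting-Request: Request Authenticator = MD5(header + 16 zero octets +
        # attributes + secret), so a mismatched shared secret is caught here.
        expected = hashlib.md5(packet[:4] + b"\x00" * 16 + packet[20:] + secret).digest()
        if not hmac.compare_digest(expected, authenticator):
            raise Dropped("Accounting-Request authenticator mismatch: check the shared secret")
    offset = HEADER_LEN
    for atype, value in avps:
        if atype == MESSAGE_AUTHENTICATOR:
            # HMAC-MD5 keyed with the shared secret over the packet with this value zeroed.
            if len(value) != 16:
                raise Dropped("ill formed Message-Authenticator")
            zeroed = packet[:offset + 2] + b"\x00" * 16 + packet[offset + 18:]
            if not hmac.compare_digest(hmac.new(secret, zeroed, "md5").digest(), value):
                raise Dropped("Message-Authenticator check failed: check the shared secret")
        offset += 2 + len(value)
    return code, ident, avps


def build_request(code, ident, avps, secret=None, authenticator=None):
    """Constructed packet builder; signs an Accounting-Request when a secret is given."""
    body = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in avps)
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(body))
    auth = authenticator or os.urandom(16)
    if code == 4 and secret is not None:
        auth = hashlib.md5(header + b"\x00" * 16 + body + secret).digest()
    return header + auth + body


def sign_access_request(ident, avps, secret, authenticator):
    """Build an Access-Request carrying a valid Message-Authenticator (RFC 3579)."""
    placeholder = build_request(1, ident, avps + [(MESSAGE_AUTHENTICATOR, b"\x00" * 16)],
                                authenticator=authenticator)
    return placeholder[:-16] + hmac.new(secret, placeholder, "md5").digest()
```

Note that the only check that actually authenticates the client on a plain Access-Request is the Message-Authenticator; the unknown-client and length checks filter noise, but a source address alone is spoofable, so EAP and Status-Server traffic should always carry Message-Authenticator and the accounting authenticator should never be skipped.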
Table 30-3 Common Configuration Problems (continued)
Problem: Request dropped
Log Message: The specified attribute instance 'RADIUS:State[10]' could not be found.
Cause: This error can occur if one of the policy files uses an attribute instance that is not present in the incoming request.
Resolution: If you are unsure whether the attribute used in the policy file will be present in all incoming requests, verify that it is present in the request before using it.
Table 30-3 Common Configuration Problems (continued)
Log Message: AAASQL_aatv_action: No such attribute 'Client-Request-Timeout-ActionId' of vendor 'HP' found in the Authreq
Cause: The HP-UX AAA Server is not configured to set the SQL Access action IDs used for generating client requests.
Resolution: Verify the policies configured in the client-request-init.grp file.
Troubleshooting External Services This section describes how to troubleshoot problems related to external services. External service failures cause the HP-UX AAA Server to be unresponsive. If the logfile records an error, see “Identifying External Service Failures using Logfile Error Messages” (page 488) to determine the problem and perform the necessary corrective actions. However, not all external service problems result in error messages being recorded in the logfile.
Table 30-4 External Service Failure Problems (continued)
Problem: Unable to connect to the LDAP server as administrator
Log Message: get_open_result: Cannot connect to LDAP server '' as LDAP user (Keyword 'Keyword') 'cn=value,dc=value,dc=value,dc=com'. ERROR '49' (Invalid credentials). Access denied.
Table 30-4 External Service Failure Problems (continued)
Solution: Specify the correct server and port in the DBID structure of /etc/opt/aaa/sqlaccess.config. For more information on using the SQL Access feature with Oracle, see Chapter 17, SQL Access on page 221. If the sqlaccess.config configuration is correct, the OCI client is unable to resolve the database name. Ensure that the tnsnames.ora file contains all the databases that your OCI client can connect to.
Table 30-4 External Service Failure Problems (continued)
Problem: Unable to connect to the MySQL database server
Log Message: wrong ODBCdatastore in sqlaccess.
Table 30-4 External Service Failure Problems (continued)
Problem: Unable to connect to the DHCP server
Log Message: Authentication: 205/0 '' via from port Outbound (8 retries) - FAILED DHCP server not responding -- total 24, holding 0
Cause: The DHCP server is busy or unavailable.
Solution: Verify that the DHCP server is running and can service IP address requests. Or, specify an alternate DHCP server.
Identifying Unrecorded External Datastore Failures

If your AAA environment uses one or more external datastores, a failure in a datastore can cause the HP-UX AAA Server to become unresponsive without recording an error in the logfile. To determine whether an unrecorded external datastore failure is causing the problem, complete the following steps:
1. Examine the Access-Request for the User-Name attribute value to determine the realm.
2. Select the realm from the Local Realms screen of the Server Manager.
3.
To determine whether an unrecorded DHCP failure caused the problem, complete the following steps:
1. Access the datastore used for user profile storage as described in “Identifying Unrecorded External Datastore Failures” (page 493).
2. If the DHCP address pool is configured, ensure that there are sufficient addresses in the pool.
3. Ensure that the DHCP server is sending valid packets to the HP-UX AAA Server.
Table 30-5 Common Authentication Failure Problems (continued)
Problem: Unable to authenticate
Log Message: session_allowed: Access rejected. Active sessions for user is at maximum configured (Simultaneous-Use) limit '
Cause: The HP-UX AAA Server received an Access-Request from a user whose number of active sessions equals the configured simultaneous session limit. Or, the NAS went offline abruptly, leaving a stale session for the affected user in the HP-UX AAA Server.
Table 30-5 Common Authentication Failure Problems (continued)
Problem: Unable to authenticate
Log Message: aaa_realm: Request denied. Unknown realm '' for user ''. Verify realm configuration through Server Manager or in files '' for the realm and '' for the realm or default realm entry
Cause: The HP-UX AAA Server is not configured to service requests from the realm.
Solution:
1.
Table 30-5 Common Authentication Failure Problems (continued)
Problem: Unable to authenticate
Log Message: check_request: Access denied. Request does not match check item '' for user '' in realm ''. Expected: '', received: ''
Or
check_request: Access denied.
Table 30-5 Common Authentication Failure Problems (continued)
Problem: Unable to authenticate
Log Message: dhcpRelayAatv_ActionFunction: Request failed. DHCP Relay is disabled. Verify DHCP Server-Name/IP-Address at DHCP server properties in the Server Manager at Server Properties > DHCP Relay Properties or in /etc/opt/aaa/aaa.
Table 30-5 Common Authentication Failure Problems (continued)
Problem: Unable to authenticate
Log Message: Sequence counter resynchronization failed for user in realm after unsuccessful OTP validations. The last sequence counter attempted is .
Cause: The HP-UX AAA Server is not able to resynchronize the sequence counter because the OTP in the request is incorrect.
Table 30-5 Common Authentication Failure Problems (continued)
Problem: Unable to authenticate
Log Message: Invalid OTP Action Id. The OTP Action Id set through the bit mask for user in realm is zero. The valid OTP Action Id value ranges from 1 to 127. Configure a valid OTP Action Id.
Or
Invalid OTP Action Id. The OTP Action Id set through the bit mask for user in realm is negative. The valid OTP Action Id value ranges from 1 to 127.
Table 30-5 Common Authentication Failure Problems (continued)
Problem: Unable to authenticate
Log Message: Shared secret for user in realm is bytes. The shared secret must not be less than 16 bytes. Verify the length of the shared secret in the token repository.
Cause: The shared secret is too short.
Resolution: Verify that the shared secret entered in the token repository is at least 16 bytes long.
Table 30-5 Common Authentication Failure Problems (continued)
Problem: Unable to authenticate
Log Message: Configured hexadecimal string for user of realm has one or more non-hexadecimal characters. Verify the configured hexadecimal string in the token repository.
Cause: The configured hexadecimal shared secret contains non-hexadecimal characters.
Resolution: Hexadecimal characters are 0–9 and a–f.
Table 30-6 EAP Problems
Problem: Invalid EAP type specified
Log Message: Invalid EAP type '' specified for the user '' for realm ''. Verify the EAP type configured for the realm 'example.com' in the appropriate authfile in '/etc/opt/aaa'. Or, verify the EAP configuration in the Local Realms screen in Server Manager.
Cause: The EAP type specified in the request does not match the EAP type configured for the realm.
Table 30-6 EAP Problems (continued)
Problem: Unable to authenticate
Log Message: ProcessHandshake TLS: AAA Server generated TLS alert: 'certificate_revoked'. The certificates used for validation have been revoked by the CA
Cause: The client or supplicant certificate has been revoked.
Solution: Advise the user to acquire a new certificate from the administrator or ISP and retry authentication.
Table 30-6 EAP Problems (continued)
Problem: EAP-SIM functionality is disabled
Log Message: EAP-SIM : FSM does not define all of these events: 'SIM_AUTH_BY_PERMANENT_ID', 'SIM_AUTH_BY_PSEUDONYM', 'SIM_AUTH_BY_FAST_REAUTH_ID' 'SIM_UPDATE'. Disabling EAP-SIM.
Cause: If the radius.fsm file was modified before upgrading to HP-UX AAA Server A.08.01 from an older version, the FSM is not upgraded.
Resolution: You must merge the changes present in the legacy FSM with the radius.
Table 30-6 EAP Problems (continued)
Cause: Either the Subscriber-Key, AKA-Sequence-Number, AKA-Mode, or AKA-Algorithm attribute is not configured, or it does not meet the required specifications.
Resolution: Verify the Subscriber-Key, AKA-Sequence-Number, and AKA-Mode configured for the user in the user profile, and the AKA_Algorithm configured for the realm in the EAP.authfile file.
Table 30-7 (continued)
Servers configured on the host with any one of the following errors: “File /opt/aaa/remotecontrol/gui.properties is not found” or “File /opt/aaa/remotecontrol/groups.config is not found”.
1. Start Tomcat and the HP-UX AAA Server Manager.
2. Add the required Groups and Servers.
3. Click ‘Server Connections’ in the left panel. From the ‘Select a group for administration’ menu, select the group to which the servers that need to be run belong.
4.
Table 30-7 (continued)
Server configured on the host with the following error: “Error while loading groups.config file”
1. Start Tomcat and the HP-UX AAA Server Manager.
2. Verify that the RMI object is running. If not, start the RMI object.
3. Modify the configured Server Attributes of the server that is failing to start, using HP-UX AAA Server Manager. For more information, see “Administering HP-UX AAA Servers Using HP-UX AAA Server Manager”.
4. Save the Server Attributes using the HP-UX AAA Server Manager as follows:
a.
31 Troubleshooting Resources

The HP-UX AAA Server includes a set of utility programs that can:
• check the status of the HP-UX AAA Server
• emulate a RADIUS client
• turn debugging on and off
• set and modify the debug level
Additionally, RADIUS client and EAP supplicant vendors typically provide troubleshooting capabilities for their components. Protocol analyzers can also be used if more detailed troubleshooting is required.
radcheck [-p port] [-t timeout] [-r retries] [-x] [-x] [-x] [-x] [-v] Server
If radcheck is successful, a message similar to the following is displayed on standard output:
Server Name (UDP-port) is responding
For more information on the radcheck utility, see radcheck (1M).

The radpwtst Utility: For Testing Authentication

The radpwtst utility simulates a RADIUS client that sends RADIUS messages to, and receives them from, the HP-UX AAA Server.
The radsignal Utility: For Rolling Over the Debug Output to New Files The radsignal utility rolls over the logfile (/var/opt/aaa/logs/logfile) and accounting stream (/var/opt/aaa/acct/session.yyyy-mm-dd.log) output to new files. The radsignal utility can also be used to set the log level based on the RADIUS message type. For more information on these files, see “The HP-UX AAA Server Logfile and Debug File” (page 511). The new file can be identified by the "part number" appended to the file name.
Table 31-1 Debugging Levels in the HP-UX AAA Server
Debug Level 1: Minimal information
Debug Level 2: Level 1 information, plus high-level FSM output and limited function tracing
Debug Level 3: Level 2 information, plus full function tracing
Debug Level 4: Level 3 information, plus low-level FSM and configuration file output
At runtime, radiusd logs debugging information that may be useful for troubleshooting.
32 Reporting Problems If you are unable to solve the problem, do the following: 1. Read the release Notes for [Product/Platform/Component] to see if the problem is known. If it is, follow the workaround offered to solve the problem. 2. Determine whether the product is still under warranty or whether your company purchased support services for the product. Your operations manager can supply you with the necessary information. 3. Access http://www.itrc.hp.
Server Manager Related Information

If you are facing problems with the GUI-based administration, include the following information:
• Server Manager version number
• HP-UX Java SDK version number
• HP-UX Tomcat-based Servlet Engine version number
• Contents of the /opt/aaa/remotecontrol/admin.log file
• Contents of the /opt/aaa/remotecontrol/file.log file
• Contents of the /opt/aaa/remotecontrol/maintenance.log file
• Contents of the /opt/aaa/remotecontrol/session.
Clients
• Client type
• Patch type
• Tracing logs for EAP log files
Access Points
• The make of the access point (such as Cisco or HP)
• Version of hardware and firmware
Part VII Reference

This part of the HP-UX AAA Server Administrator’s Guide contains the following chapters:
• Chapter 33: “Configuration Files” (page 519)
• Chapter 34: “Attribute-Value Pairs” (page 546)
• Chapter 35: “MIB Objects” (page 566)
Table of Contents
33 Configuration Files (page 519)
    HUP Processing (page 519)
    The aaa.config File (page 520)
    Variables in the aaa.config File
    The vendors File (page 538)
        Syntax of a vendors File (page 538)
    The log.config File (page 539)
        Syntax of a Stream Entry (page 539)
    Default Entry
33 Configuration Files The Server Manager interface configures most of the HP-UX AAA Server’s configuration files. However, some features of the HP-UX AAA Server cannot be configured through the Server Manager interface. If you want to define policy, vendor-specific attributes, or logging behavior, you must manually edit the configuration files. The information in this chapter is provided as a reference for the configuration files that Server Manager cannot configure.
• engine.config (all values except the certificate properties, which require a server stop and start to be refreshed)
• las.conf
• EAP.authfile
• aaa.config.license
• sqlaccess.config

The aaa.config File

The aaa.config file contains keyword-value entries, one per line, which allow you to override the compiled-in default values of the AAA server. The aaa.config file can be used for performance tuning, debugging, or overriding built-in defaults.
The aatv.ProLDAP Property This property controls AAA server connections to an LDAP server. • Retry-Interval sets the number of seconds for the AAA server to wait before trying to reconnect to a LDAP directory server, when a realm has failover directory servers configured. Defaults to 60 seconds. • Retry-Wait sets the number of seconds that the AAA server will wait before attempting to connect to the same failover LDAP server.
For example:
iaaa.SNMP {
    Enabled        yes
    agentxTimeout  1
    agentxRetries  2
}

The log_threshold_limit and suppression_interval Variables

These variables can be used to suppress a message from being repeatedly recorded in the log file. For example:
log_threshold_limit=150
supression_interval=20
Where:
log_threshold_limit: The number of times that the same message can be recorded to the log file within two seconds before it is suppressed. Default: 100.
supression_interval:
The default_users_file_cis_search Property This property can be used to specify the case matching while searching the default users file. If this property is set to yes, case insensitive search is enabled. If this property is set to no, case sensitive search is enabled. The default behavior is case sensitive search. The log_forwarding Variable This variable turns logging in the logfile on (or off) when packets are forwarded through the server to another RADIUS server.
CAUTION: If you configure an IPv6 address in the ourhostname variable, then traditional IP (IPv4) hosts will not be able to send or receive messages. Similarly, if you configure an IPv4 address here, then IPv6 hosts will not be able to send or receive messages. If you configure a DNS name, then the first address returned by the DNS server is used.
reply_check=+abort
reply_check=+dump
reply_check=+ignore
reply_check=+verbose
reply_check=clear
reply_check=none
reply_check=Attribute
The value first (the default) checks only the first match. The value all checks all the attributes for matches. The value +abort aborts and dumps core if a check fails. The value +dump dumps the offending packet in hexadecimal. You can specify a specific attribute to check with the syntax reply_check=Attribute.
Table 33-1 Dynamic Authorization-Related Configuration Items (continued) Configuration Items Description default_client_retries The maximum number of retries for client requests. This is a global value. default_client_retry_interval The retransmission interval for client requests. This is a global value. The CLIENT AATV is a generic AATV, which you can use to perform the required client functions. You must configure the CLIENT AATV in the aatv.CLIENT block within the aaa.config file.
fedc:ba98:7654:3210 secret type=Ascend+USR:NAS+RAD_RFC+ACCT_RFC v1
An IPv6 example of a client that is a proxy:
[fedc:ba98:7654:3210]:3400 secret type=Ascend+USR:PROXY+RAD_RFC+ACCT_RFC v1
NOTE: For a proxy, if the Name field is an IPv6 literal address, you must separate the address from the port by enclosing the address in square brackets.
fedc::ba98:fe*

The users File

User profiles associate information, such as check and reply items, with a user name. The server configuration must include profiles for all the users that can access services through the AAA server. Profiles can be stored in flat text files or in an external database. If a user profile is not included in the configuration, the server rejects the user's access request. The default users, realm, or prefix.users files may contain user profiles for authentication.
Example 33-1 Examples of NAS-IPv6-Address Attribute Syntax
fedc:ba98:7654:3210:fedc:ba98:7654:3210
12ab::4871
2222::4

Framed-Interface-Id

This attribute indicates the IPv6 interface identifier to be configured for the user.
Example 33-2 Examples of Framed-Interface-Id Attribute Syntax
fedc:ba98:7654:3210
a:b:c:d
IMPORTANT: Do not use “::” in the Framed-Interface-Id syntax.

Framed-IPv6-Prefix

This attribute indicates an IPv6 prefix to be configured for the user.
Example 33-4 Examples of Login-IPv6-Host Attribute Syntax
fedc:ba98:7654:3210
12ab::4871
2222::4
hostname.domain.com
CAUTION: A value of 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF in the Login-IPv6-Host indicates that the RADIUS clients (NAS) must allow the user to select an address or name of the server to be connected to. A value of 0x0 in the Login-IPv6-Host indicates that the RADIUS clients (NAS) must select an address or the name of the server the user has to be connected to.
value in the request and then will check the request for a tunnel hint. If the password does not match, or there is no hint for medium type or the hint does not specify the IP address type, the server will respond with an Access-Reject; otherwise, the server will return the listed tunneling attribute values to the client.
fred-eng Password = "laser", Tunnel-Medium-Type = IPv4
        Tunnel-Type = PPTP,
        Tunnel-Medium-Type = IPv4,
        Tunnel-Client-Endpoint = 192.168.127.1,
        Tunnel-Server-Endpoint = 192.155.111.
Attribute-Value (A-V) pairs. See Chapter 34: “Attribute-Value Pairs” (page 546) for information about the data format of A-V pairs in RADIUS messages.
IMPORTANT: Configuration files have a maximum input line length of 255 characters. No checking is done to ensure that a configuration statement does not exceed this limit. All configuration files must end with a new line.
• tag-int: single octet followed by three octets of integer value (used for tunneling attribute)
• tag-string: single octet followed by 0-252 octets (used for tunneling attribute)
pruning  May be replaced with an optional expression that controls three server features:
• whether the attribute is ever sent to the NAS
• whether or not the attribute may be logged
• encapsulation, if used, for vendor-specific attributes
Pruning Expressions
Pruning is a feature that allows the server to remove A-V pairs from an
• CONFIG: the attribute is a configuration item.
• INTERNAL: the attribute is internal to the server and will be removed from incoming and outgoing RADIUS messages.
NOTE: The ENCAPS and NOENCAPS keywords are mutually exclusive. If you specify both, only the last one will apply. CONFIG is mutually exclusive with NOLOG, ENCAPS, NOENCAPS, and INTERNAL.
Merit.VALUE LAS-Code LAS-Notoken    6
Merit.VALUE LAS-Code LAS-Notlocal   7
Merit.VALUE LAS-Code LAS-Suspend    8
Merit.VALUE LAS-Code LAS-Failed     9
Merit.VALUE LAS-Code LAS-Authorized 10
Merit.VALUE LAS-Code LAS-NASreboot  11
Merit.VALUE LAS-Code LAS-Remote     12
Merit.VALUE LAS-Code LAS-Duplicate  13
Merit.VALUE LAS-Code LAS-Collision  14
Merit.VALUE LAS-Code LAS-Stop       15
The las.conf File
The las.
Table 33-2 Default LAS Session Timing Parameters
Parameter          Default     Description
Session-Hold-Time  45 seconds  Tells LAS how long to wait for an Accounting-Start message from the NAS. After the specified number of seconds, a session is moved into the not-confirmed state, in which it is not counted as a simultaneous session. This parameter is only used for hunt groups.
number-of-tokens  Number of tokens in the token pool.
Example
Tokenpool Sample-pool 4
End-Tokenpool
Realm Configuration
This section lists realms by name and, optionally, any services, token pools or any custom AATV support for a realm. A realm entry in las.conf is required to perform session tracking. The default server behavior is to log accounting messages locally, whether the server processes Access-Request messages locally or sends them to a proxy server. If a realm entry exists in the las.
• A Token-pool-name is the name of a defined token pool.
• max-number-of-tokens specifies how many tokens a realm may use.
The vendors File
The vendors file contains a list of vendor entries. Each vendor entry contains a vendor name and vendor number. The vendor numbers are SMI Network Management Private Enterprise Code numbers, as managed by the Internet Assigned Numbers Authority (IANA).
vendor-specific-value  The internal attribute number.
The standard-value and vendor-specific-value fields are optional and can be repeated any number of times. When used, the list of standard and vendor values is enclosed in parentheses. These values are used to map attributes from the common attribute space defined in the RADIUS RFC to internal non-conflicting vendor-specific attributes.
aatv  Specifies one of the following AATVs to use for logging.
• LOG_ACCT (Livingston/Lucent/RABU style call detail format, default)
• LOG_ALL (logs all streams defined in log.config)
• LOG_BRIEF (simple session format)
• LOG_BY_ATTRIBUTE (logging based on user specified attribute in radius.
Default Entry The stream entry identified with the name, *default*, will be used when LOG is invoked by the FSM without an Xstring parameter. End Entry The one-keyword end entry tells the session logging subsystem to stop reading the configuration file, allowing subsequent text to be ignored. Logging Multiple Streams To log multiple streams you must define a default stream with the AATV sub-command set to LOG_ALL. When you specify a log.
Table 33-3 Information Recorded by LOG_V2_0 (continued)
Field  Type                      Value          Description
12     string                    service_class  Service-Class attribute value
13     string                    filter
14     string[/string[/string]]  service_type   Service-Type followed by additional fields separated by a ‘/’, depending on Service-Type.
        aatv     log_v1_1
        buffer   1
        close    on
        filename record.%y%m%d.las
}
stream new {
        aatv       log_v2_0
        aatv-value 7
        buffer     1
        close      on
        filename   recordv2.%y%m%d.las
}
end
Logging Based on Attributes
This sample AATV logs all accounting request logs for yourorg.com in the yourorg.%Y%M.log file and the rest of the accounting requests in the realm.%Y%M.log file. This stream configuration for logging is based on log_by_realm. The log_by_realm AATV searches for the User-Realm attribute.
Accounting Log Based on Attribute Value You can write accounting log to different log files, based on the RADIUS attribute value in the RADIUS accounting-request. To write accounting log to a different log file, you must modify the /etc/opt/aaa/log.config and /etc/opt/aaa/radius.fsm files. To write accounting log to different log files, complete the following steps: 1. Modify the /etc/opt/aaa/log.
5. Send an accounting Start and/or Stop request without the Called-Station-Id attribute.
Example of an accounting start message:
radpwtst -c 4 -s localhost -u ppp -i 1.1.1.1 -l 4 -:Acct-StatusType=Start-:Called-Station-Id=12345 -w password test_user
Example of an accounting stop message:
radpwtst -c 4 -s localhost -u ppp -i 1.1.1.1 -l 4 -:Acct-StatusType=Stop-:Called-Station-Id=12345 -w password test_user
You can now see the following file: /var/opt/aaa/acct/logotherattr.2005-05-16.
34 Attribute-Value Pairs The RADIUS protocol defines things in terms of attributes. Each attribute may take on one of a set of values. When a RADIUS packet is exchanged among clients and servers, one or more attributes and values are sent pairwise as an Attribute-Value pair (A-V pair). For the HP-UX AAA Server software, all valid attributes and values are listed in the dictionary file.
Examples
The following examples are syntactically valid A-V pair lists:
Password = "rock", Service-Type = "Framed", Comment = "This is OK"
Password =rock Service-Type =Framed Comment ="This is OK"
The following examples are not syntactically valid A-V pair lists:
Password="rock"Service-Type="Framed"Comment="This is not OK"
Password= rock Service-Type= Framed Comment= This is not OK
Tagged Attributes
A RADIUS message can include multiple values for one or more attributes that are tagged to organize the att
Configuration Attributes
You can add configuration attributes that are not directly supported by the Server Manager graphic interface. You can add configuration attributes through the Server Manager as a check item under the Free tab on the User Creation screen. For more information, see “Tabs on the Add Users Screen” (page 130).
Authentication-Type  The authentication type is applied to a user just as it would be applied to a user belonging to a realm.
Group-Name  Can be any string value. Unlike other configuration-only attributes, Group-Name initially appears in a user entry as a reply item and would be used as a check item in a policy definition by LDAP or a customized authentication method.
Password  Specifies the value to compare to the User-Password attribute value in the Access-Request or the user's input in response to an Access-Challenge. The \ character must not be used.
NOTE: The RADIUS protocol does not send clear text passwords.
still be required if the user does not belong to a realm. The Simultaneous-Use attribute can be used in a user entry for LAS functions.
Simultaneous-Use Attribute
This attribute’s value determines the maximum number of active sessions the user can have. The default is 1 (if the LAS is enabled for the user’s realm, but no Simultaneous-Use attribute value is specified for the user or the user’s realm).
IMPORTANT: The HP-UX AAA Server only compares a check item with the first value that appears for an attribute in an Access-Request. The server will disregard any additional instances of the same attribute in the request. This limitation also applies to tagged attributes, like those used to establish VPN tunnels.
Attributes Concerning the NAS
NAS-IP-Address  This attribute indicates the identifying IPv4 address of the NAS which is requesting authentication of the user.
• ISDN-Async-V110
• Virtual
NAS-Port-Id  This attribute is similar to the NAS-Port attribute in that it indicates the physical port number of the NAS that is authenticating the user. NAS-Port-Id contains a text string that identifies the port of the NAS that is authenticating the user. The text string is intended for use by NASs that cannot conveniently number their ports.
Policy Attributes
These attributes are useful while specifying policy group conditions or replies.
Reply Items Table 34-1 identifies which reply item attributes may appear as a hint that could be checked by the server, and those that would not appear as a hint that could be checked.
Table 34-1 Reply Item Attributes (continued)
Attribute                Check Item (Hint)  Reply Item
Login-Service            Yes                Yes
Login-TCP-Port           No                 Yes
Port-Limit               Yes                Yes
Prompt                   No                 Yes
Reply-If-Ack-Message     No                 Yes
Reply-Message            No                 Yes
Service-Type             Yes                Yes
Session-Timeout          No                 Yes
Tunnel-Assignment-ID     No                 Yes
Tunnel-Client-Auth-ID    Yes                Yes
Tunnel-Client-Endpoint   Yes                Yes
Tunnel-Medium-Type       Yes                Yes
Tunnel-Password          Yes                Yes
Tunnel-Preference        Yes                Yes
Tunnel-Private-Group-ID  Yes                Yes
Tunnel-Serve
• Callback-Framed: The user should be disconnected and called back and then a Framed Protocol should be started for the user, such as PPP or SLIP.
• Outbound: The user should be granted access to outgoing devices.
• Administrative: The user should be granted access to the administrative interface to the NAS from which privileged commands can be executed.
• NAS-Prompt: The user should be provided a command prompt on the NAS from which non-privileged commands can be executed.
Attributes Concerning Login Users
Login-IP-Host  This attribute indicates the system that the user will connect to when Service-Type is defined as Login. This attribute is used in an IPv4 environment.
Login-IPv6-Host  This attribute indicates the system that the user will connect to when Service-Type is defined as Login. This attribute is used in an IPv6 environment.
Login-Service  This attribute indicates the service that should be used to connect to the login host.
Framed-Interface-Id  This attribute indicates the IPv6 interface identifier to be configured for the user.
Framed-IP-Netmask  This attribute indicates the IP netmask to be configured for the user when the user is a router on a network.
Framed-Routing  This attribute indicates the routing method for the user when the user is a router to a network.
Framed-IPX-Network  This attribute indicates the IPX Network number to be configured for the user.
Tunneling Attributes
When a tunneling attribute is used as a reply item, the AAA server will return the A-V pair, which the NAS will use as instruction for establishing the tunnel. The server may recognize hints in an Access-Request. If hints appear in an Access-Request for a user with tunneling attributes as reply items, the server will use the tunneling keyword in the aaa.
• E-164 (SMDS, Frame Relay, ATM)
• F-69 (Telex)
• X-121 (X.25, Frame Relay)
• IPX
• Appletalk
• DecnetIV
• Banyan-Vines
• E-164-NSAP
Tunnel-Client-Endpoint  Address of the client that initiated the tunnel.
Tunnel-Server-Endpoint  Address of the server that provides the tunnel to the user.
Tunnel-Password  This password is not used for authentication by the AAA server but is a separate check made for access to the machine specified by Tunnel-Server-Endpoint.
established without the Tunnel-Assignment-ID attribute.
NOTE: The same ID may be used to name different tunnels if the tunnels are between different endpoints.
Tunnel-Preference  When returning more than one tagged tunnel description, this attribute indicates each tunnel’s relative level of preference. Values for this attribute are specified as an ordinal number (e.g., first, second, etc.).
and is sent from a RADIUS Proxy Server to a RADIUS Proxy Client in an Access-Accept message that indicates a type of user profile to be used.
Port-Limit  This attribute sets the maximum number of ports to be provided to the user by the NAS. It is intended for use in conjunction with Multilink PPP or similar uses.
Prompt  This attribute is used only in Access-Challenge packets and indicates to the NAS whether it should echo the user's response as it is entered.
service (Start), the end (Stop), or some other state.
Acct-Input-Packets  How many packets have been received from the port over the course of this service being provided to a framed user. Only appears in a stop message.
Acct-Output-Packets  How many packets have been sent to the port in the course of delivering this service to a framed user. Only appears in a stop message.
Acct-Terminate-Cause  How the session was terminated. The termination causes are listed in Table 34-2.
Table 34-2 Session Termination Causes (continued)
Cause         Description
User Error    Input from user is in error, causing termination of session.
Host Request  Login Host terminated session normally.
Acct-Multi-Session-Id  A unique Accounting ID to make it easy to link together multiple related sessions in a log file. Each session linked together would have a unique Acct-Session-Id but the same Acct-Multi-Session-Id.
interim messages. This value can only appear in the Access-Accept message. NOTE: The Acct-Interim-Interval value field contains the number of seconds between each interim update to be sent from the NAS for a session. The value must not be smaller than 60 seconds or greater than 600. Careful consideration must be given to impact on network traffic.
35 MIB Objects
RFCs 2619, 2621, and 4672 describe the MIB objects for HP-UX AAA Server. All of the RADIUS MIB objects that are sent to the management workstation by the server in response to SNMP requests are read-only, except radiusAuthServConfigReset and radiusAcctServConfigReset.
Notes:
• When you check the server status, the server increases the radiusAuthServTotalAccessRequests count but does not increase radiusAuthServAccessRequests for any client.
Table 35-1 MIB Objects and Definitions (continued)
MIB Object  Definition
radiusAccServTotalRequests  The number of messages of any type received through the accounting port.
radiusAuthServTotalInvalidRequests  Total number of authentication requests received from an unknown address.
radiusAccServTotalInvalidRequests  Total number of accounting requests received from an unknown address.
radiusAuthServTotalDupAccessRequests  Total number of duplicate authentication requests received.
Table 35-1 MIB Objects and Definitions (continued)
MIB Object  Definition
radiusAuthServTotalBadAuthenticators  Total number of Access-Request messages with invalid Message-Authenticator attributes.
radiusAccServTotalBadAuthenticators  Total number of accounting messages with invalid Message-Authenticator attributes received from clients.
Table 35-1 MIB Objects and Definitions (continued)
MIB Object  Definition
radiusAuthClientAddress, radiusAccClientAddress  The IP-Address of the corresponding client.
radiusAuthClientClientID, radiusAccClientClientID  The NAS-Identifier of the corresponding client.
radiusAuthServAccessRequests  Number of messages of any type received through the authentication port from the corresponding client.
Table 35-1 MIB Objects and Definitions (continued)
MIB Object  Definition
radiusAuthServPacketsDropped, radiusAccServPacketsDropped  Number of incoming packets from the corresponding client entry that were silently discarded for some reason other than malformed, bad authenticators, or unknown types.
radiusAuthServUnknownTypes, radiusAccServUnknownTypes  Number of unknown RADIUS messages received from the corresponding client.
Table 35-1 MIB Objects and Definitions (continued)
MIB Object  Definition
• radiusDynAuthClientCoARetransmissions
• radiusDynAuthClientCoAAcks
• radiusDynAuthClientCoANaks
• radiusDynAuthClientMalformedCoAResponses
• radiusDynAuthClientCoABadAuthenticators
• radiusDynAuthClientCoAPendingRequests
• radiusDynAuthClientCoATimeouts
• radiusDynAuthClientCoAPacketsDropped
• radiusDynAuthClientUnknownTypes
• radiusDynAuthClientCounterDiscontinuity
radiusDynAuthServerIndex  A unique number identifying the Dynamic
Table 35-1 MIB Objects and Definitions (continued)
MIB Object  Definition
radiusDynAuthClientDisconNakAuthOnlyRequest, radiusDynAuthClientCoANakAuthOnlyRequest  The number of RADIUS Disconnect/CoA-Naks received from this DAS that have packets with Service-Type=Authorize-Only.
radiusDynAuthClientDisconNakSessNoContext, radiusDynAuthClientCoANakSessNoContext  The number of RADIUS Disconnect/CoA-Naks received from this DAS because no session context was found.
A Supported IETF RFCs Table A-1 lists the key IETF RFCs the HP-UX AAA Server supports. Refer to the IETF Website for more information on these RFCs at http://www.ietf.org.
Table A-2 Additional IETF RFCs Supported by HP-UX AAA Server (continued)
RFC #  RFC Title
3539   Authentication, Authorization and Accounting (AAA) Transport Profile
3575   IANA Considerations for RADIUS
3576   Dynamic Authorization Extensions to Remote Authentication Dial In User Service (RADIUS)
3579   RADIUS (Remote Authentication Dial In User Service) Support For Extensible Authentication Protocol
3580   IEEE 802.
B Supported Authentication Methods The following list describes the authentication methods the HP-UX AAA Server supports: Password Authentication Protocol (PAP) This authentication method is most appropriately used where a plaintext password must be used to simulate a login at a remote host. In such use, this method provides a similar level of security to the usual user login at the remote host.
The following is a list of the EAP authentication methods you can use with this version of the HP-UX AAA Server:
• Transport Layer Security (TLS): Uses TLS (also known as SSL) to authenticate the client using its digital certificate.
NOTE: Some wireless supplicants require specific extensions to support certificates for EAP.
TLS features include Dynamic Key Exchange; Mutual Authentication; Digital Certificate/Token Card-based Authentication; and Encrypted Tunnelling.
C RADIUS Data Packets The Access-Request and other RADIUS data packets contain a header and a set of attribute-value (A-V) pairs, which are used by the server during the AAA transaction. The RADIUS RFC 2865 defines how vendors can extend the protocol. Encapsulation is the RFC defined way of extending RADIUS. Conflicts can occur when the RFC is not followed. In those cases, the server can map the attributes to unique internal values for processing.
Table C-1 RADIUS Request/Reply Message Format Description (continued)
Data        Description
            authenticator value. Value in reply is MD5 digest of reply message data appended with secret, using authenticator value from request.
Attributes  Arbitrary numbers of information pairs with format shown in Figure C-2.
Attribute-Value Pair Format
An attribute-value (A-V) pair represents a variable and one of the possible values that the variable can hold. The A-V pair data format is depicted in Figure C-2.
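The reply authenticator described in Table C-1, the Message-Authenticator checks behind the radius*ServTotalBadAuthenticators counters in Table 35-1, and the User-Password hiding that keeps clear text passwords off the wire, worked through as an added Python example. This is not HP-UX AAA Server or SDK code; the attribute numbers and constructions come from RFC 2865 and RFC 2869, and the secret, identifier and user values are constructed.

```python
import hashlib
import hmac
import struct

# RFC 2865 packet codes and attribute types used below.
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, MESSAGE_AUTHENTICATOR = 1, 2, 80


def encode_avp(attr_type, value):
    """One A-V pair in the Type / Length / Value layout of Figure C-2."""
    if len(value) > 253:
        raise ValueError("attribute value longer than 253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_packet(code, ident, authenticator, attrs):
    """Header (code, identifier, length, 16-octet authenticator) plus A-V pairs."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2 User-Password hiding: each 16-octet block of the padded
    password is XORed with MD5(secret + previous block); the first 'previous
    block' is the Request Authenticator.  The result is keyed to the shared
    secret, which is why the protocol never carries a clear text password."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out


def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password, as a server does before comparing Password."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def add_message_authenticator(code, ident, authenticator, attrs, secret):
    """Append an RFC 2869 Message-Authenticator: HMAC-MD5 over the whole
    packet, computed with the attribute's own 16 octets set to zero."""
    placeholder = encode_avp(MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    packet = build_packet(code, ident, authenticator, attrs + placeholder)
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return attrs + encode_avp(MESSAGE_AUTHENTICATOR, mac)


def verify_message_authenticator(packet, secret):
    """Server-side check.  A False result is what the BadAuthenticators MIB
    counters count; malformed attribute lengths also fail closed."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    authenticator, attrs = packet[4:20], packet[20:length]
    rebuilt, received, pos = b"", None, 0
    while pos < len(attrs):
        if pos + 2 > len(attrs):
            return False
        attr_type, attr_len = attrs[pos], attrs[pos + 1]
        if attr_len < 2 or pos + attr_len > len(attrs):
            return False
        if attr_type == MESSAGE_AUTHENTICATOR:
            received = attrs[pos + 2:pos + attr_len]
            rebuilt += encode_avp(attr_type, b"\x00" * 16)
        else:
            rebuilt += attrs[pos:pos + attr_len]
        pos += attr_len
    if received is None or len(received) != 16:
        return False
    expected = hmac.new(secret, build_packet(code, ident, authenticator, rebuilt),
                        hashlib.md5).digest()
    return hmac.compare_digest(expected, received)


def response_authenticator(reply_code, ident, request_auth, reply_attrs, secret):
    """Table C-1: MD5 over the reply (code, id, length, request authenticator,
    attributes) with the shared secret appended."""
    return hashlib.md5(build_packet(reply_code, ident, request_auth, reply_attrs)
                       + secret).digest()


def verify_response(reply, request_auth, secret):
    """Client-side check that a reply really answers the request it claims to."""
    if len(reply) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", reply[:4])
    expected = response_authenticator(code, ident, request_auth, reply[20:length], secret)
    return hmac.compare_digest(expected, reply[4:20])
```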
D Header Files, Data Structures, and APIs in the HP-UX AAA Server SDK
This appendix discusses the header files, data structures, and APIs that the HP-UX AAA Server SDK includes. This appendix addresses the following topics:
• “Header Files and Data Structures in the SDK.”
• “APIs in the HP-UX AAA Server SDK” (page 579)
Header Files and Data Structures in the SDK
This section lists the header files and the predefined data structures that the SDK includes. The HP-UX AAA Server SDK includes the sdk.
• Asynchronous APIs — These APIs enable you to write AATVs that are required for making asynchronous calls to external servers.
• Secondary APIs — These additional APIs enable you to further customize the HP-UX AAA Server.
The following sections describe these APIs in detail.
A-V Pair APIs
This section discusses the A-V pair APIs.
sdk_avp_t *sdk_avp_allocate()
Allocates an A-V pair, initializes all fields as 0, and returns a pointer to it.
attrid   The input variable that stores the attribute ID of the A-V pair. For vendor-specific attributes, the attribute ID is the vendor type or sub-attribute.
attrlen  The input variable that stores the length of the attribute (in bytes) of the A-V pair. For vendor-specific attributes, this value is the vendor length.
attrval  The input pointer that points to the attribute value of the A-V pair. For vendor-specific attributes, the attribute value is the sub-attribute value.
tag
Input
avp      A pointer to an A-V pair to be set or modified.
vendid   The vendor ID of the attribute to be set or modified. For a standard RADIUS attribute, use VC_RADIUS, which is 0.
attrid   The attribute ID to be set or modified. For a vendor-specific attribute, the attribute ID is the vendor type or sub-attribute.
attrlen  The length of the attribute (in bytes) to be set or modified. For a vendor-specific attribute, the length is the vendor length.
attrval  The attribute value to be set or modified.
authreq  A pointer to an authreq.
qtype    The type of list to be accessed. It can be one of the following types:
• AUTHREQ_REQUEST_QUEUE
• AUTHREQ_REPLY_QUEUE
• AUTHREQ_CHECK_QUEUE
• AUTHREQ_DENY_QUEUE
attrid   The attribute to be discovered.
attrlen  The attribute length to be matched. If the length is 0, the attribute length and value are not considered in the match.
The attribute value to be matched. If the value is NULL, the attribute length and value are not considered in the match.
attrlen    The attribute length to be matched. If the attrlen value is 0, the attribute length and value are not considered in the match. For vendor-specific attributes, the attribute length (attrlen) is the vendor length.
attrvalue  The attribute value to be matched. If the attrvalue value is NULL, the attribute length and value are not considered in the match. For a vendor-specific attribute, the attribute value (attrvalue) is the sub-attribute value.
position
tag
Inserts an A-V pair into the A-V pair list of type qtype in authreq. Table D-1 lists the different insertions that this API performs, based on the values of the loc_avp A-V pair.
Table D-1 Actions Performed as a Result of the loc_avp A-V Pair Parameter
Value                                                                                                   Action
The loc_avp A-V pair in the list is valid and the value of the position parameter is INSERT_BEFORE.  The new_avp A-V pair is inserted before loc_avp.
infotype  The information type of interest. Table D-2 lists the various information types.
Table D-2 Information Types
Information Type  Description
AUTHREQ_CODE      Code: The packet type, one of Access-Request, Access-Accept as defined in RFC 2865. The code has a type of unsigned short.
AUTHREQ_FWD_ID    Forward ID: A locally generated sequence number for a request to be forwarded. The forward ID has a type of unsigned short.
value  The input pointer points to the content of the value for non-scalar types of data. Copy the contents you need; the memory for the value must not be freed after you copy them. The input pointer points to NULL if the client uses an IPv4 address and the user input argument is AUTH_CLIENT_IPADDRV6. The input pointer also points to NULL if the client uses an IPv6 address and the user input argument is SDK_AUTH_CLIENT_IPADDRV4.
NOTE: To use the above log levels, you must include syslog.h in your program.
format  A printf-style format string.
arg     Arguments to replace values in the format string. For more information, see the printf(3) manpage.
NOTE: If the arguments are insufficient for the format, the behavior can be unexpected.
Return
This API returns one of the following values:
0   If the message is logged.
1   If the message is queued.
-1  If the message is not logged or queued.
Table D-3 HP-UX AAA Server Debug Levels
Debug Level  Level of Information
1            Minimal information
2            • Level 1 information and
             • High-level FSM output and limited function tracing
3            • Level 2 information and
             • Full function tracing
4            • Level 3 information and
             • Low-level FSM and configuration file output
format  A printf-style format string.
arg     Arguments to replace values in the format string. For more information, see the printf(3) manpage.
int sdk_pollfd_register()
int sdk_pollfd_register (int fd, callback_f callback)
Usage
Registers a file descriptor with the HP-UX AAA Server and supplies a callback function to the HP-UX AAA Server. The socket descriptor and associated callback function are added to the global list of file descriptors monitored by the server for inbound messages. The callback function is called when data is received on the file descriptor.
Input
fd  The file descriptor that must be registered.
aatv_name   The name of the AATV supplied for processing the request.
event_code  The event code to resume processing the request from where it was left off on the FSM.
Return
Returns one of the following values:
• SDK_SUCCESS if the operation succeeds.
• SDK_INVALID_ARG if the arguments are invalid.
• SDK_FAILURE if the operation fails.
Secondary APIs
This section discusses additional APIs that you can use to customize the HP-UX AAA Server.
infotype  The information type. It can be set to one of the following:
• AUTHREQ_TTL — the time to live of an authentication request. The time to live has a type of unsigned character.
• AUTHREQ_CODE — the message type (code) of a request. The message type (code) has a type of unsigned short.
• AUTHREQ_TARGET_HOST — the target host to which the request must be sent. It has a type of string.
len    The length of the value to be set, in bytes.
value  A pointer pointing to the value to be set.
Table D-4 Possible Values of the infotype Parameter (continued)
Information Type  Value Description
                  client types, see the sdk.h header file. The client type field has a type of uint32_t.
len    The address of a variable to store the length of the value of interest.
value  The address of a pointer intended to point to the content of the value of interest.
Output
len    The input variable that stores the length of the value (in bytes).
value  The input pointer that points to the content of the value.
int sdk_encrypt_passwd()
int sdk_encrypt_passwd (sdk_authreq_t *authreq, char *clpasswd, uint32_t clpwlen, char *enpasswd, uint32_t *enpwlen)
Usage
Encrypts the password.
Input
authreq   A pointer to an authentication request.
clpasswd  A pointer to the password string that is in clear text.
clpwlen   The length of the clear text password.
enpasswd  A pointer to the buffer where the encrypted password is to be stored.
enpwlen   A pointer to an integer, where the encrypted password is to be stored.
Enqueues the request to a request queue.
Input
authreq  A pointer to an authreq.
Returns one of the following values:
• SDK_SUCCESS — if the operation succeeds.
• SDK_INVALID_ARG — if the arguments are invalid.
• SDK_FAILURE — if the operation fails.
E Syntax of the Decision Files in Earlier Versions of the HP-UX AAA Server This appendix describes the syntax of the decision files that are present in earlier versions of the HP-UX AAA Server. While decision files created using this syntax are supported in this version of the HP-UX AAA Server, HP encourages customers to use the syntax described in Chapter 27 (page 411) to create new decision files.
Table E-1 A-V Pair Expression Operators (continued)
Operator  Description
<=        Less than or equal to
&&        Logical AND
||        Logical OR
!         Logical NOT
You can also use parentheses to nest expressions. Line breaks are not significant. Table E-2 illustrates some possible expressions that you can use to control access depending on the dial-in phone number and time of the call.
Date-Time 24 hour clock in yyyy:mm:dd:hh:mm format. This attribute is compared to the current system clock of the system hosting the HP-UX AAA Server that is making the comparison. Time-of-Day 24 hour clock in hh:mm format. This attribute is compared to the current system clock of the machine hosting the AAA server that is making the comparison. Hours must be two digits, for example, 08:00, not 8:00.
Notes:
• Test = $Value$Pos$Len will add a new A-V pair to the request. It will not update an existing pair. For example, when the request includes a Test = “String” A-V pair, the expression Test = $Test$2$3 will append Test = “rin” to the request, which results in both Test = “String” and Test = “rin” in the request.
• Because the left-side attribute is handled differently than the right-side attribute value, multiple attributes in a request can cause some unexpected indirection results.
21 }
22 Group NORMAL {
23     Reply {
24         Decision = $Interlink-Proxy-Action
25     }
26 }
Line 1        Names the first group entry Controlled-Access.
Lines 2 to 5  If the user calls from 1234567890, or calls into 8005551212, the user belongs to this group.
Lines 7 to 9  The Authentication-Type attribute indicates that requests from members of this group must be proxied.
Line 10       The Server-Name and Server-Port attributes specify flatland.
Line 13
Lines 14 to 16
Line 18
Line 19
Line 22
Line 24
For an example of a modified radius.fsm file that works with this decision file, see Chapter 12: “Logging and Monitoring ” (page 142). This decision file works only if the Access-Group attribute is added to the dictionary file and user profiles as a configuration item. For more information, see “The dictionary File ” (page 531).
Line 31  Names the fourth group Denied-by-time-access. Requests that do not match with the previous two groups are matched to this group, because this group entry does not include a condition section.
Line 33  The Decision attribute returns the NAK value to the FSM as an event, which rejects the request.
Line 34  Specifies a message that is sent back to the user.
Glossary of Terms
A-B
A-V Pair  Attribute-value pair.
AAA  Abbreviation for Authentication, Authorization, and Accounting.
AAA Server  A software application that performs authentication, authorization, and accounting functions.
Access-Accept  The AAA Server returns an Access-Accept to the client when an Access-Request is valid. The Access-Accept will contain A-V pairs that specify what services the authenticated user is authorized to use.
C-D
Challenge Handshake Authentication Protocol  Log-in security procedure for dial-in access. Rather than send an unencrypted password, a random number is sent to the client as a challenge. The challenge is one-way hashed with the password, and the result is sent back to the server. The server does the same with its copy of the password and verifies that it gets the same result to authenticate the user. Abbreviated as CHAP.
CHAP  Challenge Handshake Authentication Protocol.
H-I-J-K
Hard token  Also called a token device. A physical authentication device, such as a SmartCard, that displays the OTP.
Hint  When a user requests access to a service of a specific configuration, a client may provide this information in an Access-Request as a hint to the AAA Server. The server may reject the request based on the hints or supply the service as specified by the hints, by the server’s configuration, or by a combination of the hints and the server’s configuration.
encryption and hashing algorithms used by Windows networks, and the MS-CHAP response to a challenge is in a format optimized for compatibility with Windows operating systems. NAI Network Access Identifier NAS Network Access Server navigation tree Refers to the navigation links on the left side of the Server Manager GUI. Network Access Server A device that interfaces telephony circuits to the network, abbreviated as NAS.
RADIUS Client A NAS or other device that sends requests to an AAA server. RAS Remote Access Server. Realm A realm is a logical group of users, who usually can be authenticated using one particular method. Grouping users into realms simplifies the management of those users in a distributed environment. For example, an ISP’s users may be from different organizations located in different cities. Each organization already has one way or another to authenticate its users and each corresponds to a realm.
SLS Service Level Specification. Soft Token Software that enables an existing smart phone or PDA to act as a one-time password token SQL Access A feature that allows AAA Server to interact with an SQL compliant database. T-U-V-W-X-Y-Z TLS (Transport Layer Security) Uses TLS (also known as SSL) to authenticate the client using its digital certificate. Note: some wireless supplicants require specific extensions to support certificates for EAP.
Index

Symbols
3GPP Milenage, 269

A
A-V pair
    pruning, 533
    removing, 533
A-V pair, configuration attributes, 548
A-V pair, specifying, 546
A3, 227
A8, 227
AAA proxy, 319
AAA Server As A Client Properties, 140
AAA Server upgrade, 49
aaa.config, 235, 247
aaa.
auto-starting the server, 80

B
Boolean operator precedence and association rules, 433

digital certificates, self-signed, 165
Disconnect, 297
DNIS routing, 444
DNS properties, 134
dynamic access control, 442
Dynamic Authorization, 297
Dynamic Authorization proxy functionality, 320

E
EAP action, 404
EAP AKA, 236
EAP, choosing a method, 161
EAP, key-exchange, 162
EAP, tunneling, 162
EAP-AKA user credentials, 239
EAP-SIM, 224
EAP.

MS-CHAP v2, 182
MS-CHAP, features, 163
multiple streams
    finite state machine, 539
    logging, 541

N
non-root processes, 68

O
OTP authentication, 162
    components, 182
    flowchart, 183
    inner and outer realms, 197
    mapping and conversion functions, 217
    precedence rules, 195
    process flow, 181
    realm-level configuration, 196
    system-wide configuration items, 195
    user-level configuration, 198
OTP authentication attributes, 192
    HOtp-Seq-Counter, 193
    Otp-ActionId, 194
    Otp-Add-Checksum, 195
    Otp-Lookup-Window, 192
    Otp-Retri

    starting, 77
server connections, 90
Server Manager, introduction, 38
server properties, 133
server properties screen, Server Manager, 133
server properties, modifying, 133
Server Status Screen, Server Manager, 93
session records - accounting format, 150
session limits, 170
session logs, Server Manager, 169
SNMP properties, 136
SNMP, introduction, 386
SNMP, setting-up, 386
SQL Access, 338
    benefits, 338
    Configuration, 349
    Conversion Functions, 361
    Database Client, 347
    Database Connection, 350
    Database Server,

VPN, 388
VPN tunneling, 388

W
Wireless LAN planning, 160
Wireless LAN preparation, 160
Wireless LAN security, 159
Wireless LAN, digital certificates, 164
Wireless LAN, EAP, 161
Wireless LAN, steps to configure, 164
WLAN, configuring, 164
WLAN, EAP methods, 161
WLAN, planning, 160

X
Xstring - policy, 399