HP-UX AAA Server A.08.01 administrator's guide (T1428-90072, May 2010)
Table Of Contents
- HP-UX AAA Server A.08.01 administrator’s guide
- Table of Contents
- About This Document
- Part I Introduction
- 1 Overview: The HP-UX AAA Server
- 2 Upgrading to Version A.08.01
- 3 Installing and Securing the HP-UX AAA Server
- Acquiring the HP-UX AAA Server Software
- Installing and Uninstalling the HP-UX AAA Server
- HP-UX AAA Server File Locations
- Securing the HP-UX AAA Server
- Changing the Default HP-UX AAA Server Settings
- Environment Specific Security Procedures
- Using Secure Socket Layer (SSL) for Secured Remote Server Manager Administration
- Creating a Tomcat Identity Specifically for the HP-UX AAA Server
- Running the HP-UX AAA Server on Hosts with System Hardening Software
- Running the HP-UX AAA Server as a Non-Root User
- Setting Up the HP-UX AAA Server to Start as Non-Root User After Reboot
- 4 Enabling the HP-UX AAA Server for GUI-based Administration
- Part II Configuring the HP-UX AAA Server Manager Using the Server Manager GUI
- 5 The HP-UX AAA Server Manager Interface
- 6 Managing HP-UX AAA Servers
- 7 Configuring RADIUS Clients Using the Access Devices Screen
- 8 Configuring Realms
- 9 Configuring Proxies
- 10 Configuring Users
- 11 Modifying Server Properties
- Navigating the Server Properties Screen
- DHCP Relay Properties
- DNS Updates Properties
- Message Handling Properties
- SNMP Properties
- Tunneling Properties
- Certificate Properties
- File Size Properties
- Miscellaneous Properties
- Local Users File Properties
- ProLDAP Properties
- AAA Server As A Client Properties
- Client Action Properties
- 12 Logging and Monitoring
- Overview
- Server Log Files
- Accounting Log Files
- Using Server Manager to Retrieve Accounting Logfiles
- Format of Accounting Records in the Default Merit Style
- Writing Livingston CDR Accounting Records
- Changing the Accounting Log Filename
- Changing the Accounting Log Rollover Interval
- Rolling Over the Log File and Accounting Stream and Setting the Log Level
- Part III Advanced Configuration Information
- 13 Securing LAN Access With EAP
- 14 Managing Sessions
- 15 Assigning IP Addresses
- 16 OATH Standards-Based OTP Authentication
- OTP and OATH Overview
- HP-UX AAA Server and OATH Support
- Supported OTP Functions for RADIUS Standard Password (PAP) and MS-CHAP v2
- Components Required to Configure OTP Authentication
- Configuring OTP Authentication on the HP-UX AAA Server
- OTP Authentication Configuration Flowchart
- Basic or Typical Configuration
- Advanced Configuration
- Predefined Mapping and Conversion Functions
- Sample Configuration Files
- 17 Configuring EAP-SIM and EAP-AKA Authentication Methods
- EAP-SIM
- EAP-AKA
- Fast Re-Authentication
- Pseudonym Identities
- Generating Authentication Vectors Using A3, A8, and AKA Algorithms
- 18 Configuring HP-UX AAA Server for Scalability and High-Availability
- Overview
- Scalability and High-Availability Concepts
- HP-UX AAA Server Deployment for Scalability and High-Availability
- Managing Multiple HP-UX AAA Servers For Scalability and High-Availability
- Disaster Recovery of the HP-UX AAA Server Manager
- 19 Configuring the HP-UX AAA Server for Client Functionality
- 20 Configuring the HP-UX AAA Server for Dynamic Authorization
- Dynamic Authorization Overview
- HP-UX AAA Server and Dynamic Authorization
- Processing of Dynamic Authorization Requests
- Configuring for Dynamic Authorization
- Basic Configuration
- Advanced Configuration
- Sample Configuration Files
- Part IV Integrating the HP-UX AAA Server With External Services
- 21 LDAP Authentication
- 22 SQL Access
- SQL Access Overview
- Implementing SQL Access
- Administering Users and Tokens Stored in an SQL Database
- Multi-Row Support For SQL Access
- 23 Simple Network Management Protocol (SNMP) Support
- 24 VPN Tunneling
- 25 Using DHCP
- Part V Customizing the HP-UX AAA Server
- 26 Customizing the HP-UX AAA Server Using the Finite State Machine
- 27 Customizing the HP-UX AAA Server Using Policies
- 28 Customizing the HP-UX AAA Server Using the SDK
- Part VI Troubleshooting
- 29 Troubleshooting Overview
- 30 Troubleshooting Procedures
- Troubleshooting Flowchart
- Troubleshooting the Server Manager Administration Utility
- Troubleshooting the HP-UX AAA Server
- 31 Troubleshooting Resources
- 32 Reporting Problems
- Part VII Reference
- 33 Configuration Files
- HUP Processing
- The aaa.config File
- Variables in the aaa.config File
- The strict_duplicate_check Variable
- The aatv.ProLDAP Property
- The iaaa.SNMP Property
- The log_threshold_limit and suppression_interval Variables
- The list_copy_limit Variable
- The localUsersFile.FilterType Property
- The default_users_file_cis_search Property
- The log_forwarding Variable
- The log_generated_request Variable
- The ourhostname Variable
- The packet_log Variable
- The radius_log_fmt Variable
- The reply_check Variable
- OTP Authentication-Related Configuration Items
- Dynamic Authorization-Related Configuration Items
- Variables in the aaa.config File
- The clients File
- The users File
- The dictionary File
- The las.conf File
- The vendors File
- The log.config File
- 34 Attribute-Value Pairs
- 35 MIB Objects
- 33 Configuration Files
- A Supported IETF RFCs
- B Supported Authentication Methods
- C RADIUS Data Packets
- D Header Files, Data Structures, and APIs in the HP-UX AAA Server SDK
- E Syntax of the Decision Files in Earlier Versions of the HP-UX AAA Server
- Glossary of Terms
- Index
Table 30-2 Common Problems with HP-UX AAA Server Startup (continued)
TroubleshootingProblem
be removed from the /etc/opt/aaa/authfile and /etc/
opt/aaa/EAP.authfile.
HP recommends that you use the SQL Access AATV instead
of Oracle AATV, EAP-PEAP instead of EAP-LEAP, and OATH
standard-based authentication instead of SecurID authentication.
For information on how to configure SQL database based
authentication, see Chapter 22 “SQL Access”. For information
on how to configure OTP or Two-factor authentication, see
Chapter 16 “OATH Standards-Based OTP Authentication”.
RealmEAP::configure: Unknown AATV 'CiscoLEAP' in
'/etc/opt/aaa/EAP.authfile' at '12' for EAP-Type. Specify a valid
Log MessageHP-UX AAA
Server logs an
AATV for EAP-TYPE RealmEAP::readauth: AATV for EAP-Typeerror message
while starting is missing or not valid for realm 'oracle.test.test' on line 13 in
/etc/opt/aaa/EAP.authfile read_auth: /etc/opt/aaa/EAP.authfile
( 3 entries) read to memory, 1 error
Authfile has configured realm entries for EAP-LEAP
authentication.
Cause
Starting with HP-UX AAA Server A.08.00 release, EAP-LEAP
AATV is obsolete. The corresponding entries must be removed
Solution
from the /etc/opt/aaa/authfile and /etc/opt/aaa/
EAP.authfile.
HP recommends that you use EAP-PEAP instead of EAP-LEAP.
For information on EAP-PEAP, seeChapter 13 “Securing LAN
Access With EAP”
Troubleshooting Bind Errors at HP-UX AAA Server Startup
This section describes how to troubleshoot problems when you cannot start the HP-UX
AAA Server because of bind errors.
If you are unable to start the HP-UX AAA Server, complete the following steps:
1. Check if the radiusd daemon is already running by entering the following
command:
# ps -ef |grep radiusd
If radiusd is running, the radiusd process must be displayed.
If the radiusd daemon is already running, you can stop and start the HP-UX
AAA Server from the Server Manager Administration utility or the command line.
For more information, see “Starting HP-UX AAA Servers Using Server Manager”
(page 74) or “Starting HP-UX AAA Servers From the Command Line” (page 77).
You can also continue with the HP-UX AAA Server instance that is already running.
2. Enter the following command to verify that the authentication and accounting
ports specified for the RADIUS service in /etc/services (entries for radius
482 Troubleshooting Procedures