HP-UX AAA Server A.08.01 administrator's guide (T1428-90072, May 2010)
Table Of Contents
- HP-UX AAA Server A.08.01 administrator’s guide
- Table of Contents
- About This Document
- Part I Introduction
- 1 Overview: The HP-UX AAA Server
- 2 Upgrading to Version A.08.01
- 3 Installing and Securing the HP-UX AAA Server
- Acquiring the HP-UX AAA Server Software
- Installing and Uninstalling the HP-UX AAA Server
- HP-UX AAA Server File Locations
- Securing the HP-UX AAA Server
- Changing the Default HP-UX AAA Server Settings
- Environment Specific Security Procedures
- Using Secure Socket Layer (SSL) for Secured Remote Server Manager Administration
- Creating a Tomcat Identity Specifically for the HP-UX AAA Server
- Running the HP-UX AAA Server on Hosts with System Hardening Software
- Running the HP-UX AAA Server as a Non-Root User
- Setting Up the HP-UX AAA Server to Start as Non-Root User After Reboot
- 4 Enabling the HP-UX AAA Server for GUI-based Administration
- Part II Configuring the HP-UX AAA Server Manager Using the Server Manager GUI
- 5 The HP-UX AAA Server Manager Interface
- 6 Managing HP-UX AAA Servers
- 7 Configuring RADIUS Clients Using the Access Devices Screen
- 8 Configuring Realms
- 9 Configuring Proxies
- 10 Configuring Users
- 11 Modifying Server Properties
- Navigating the Server Properties Screen
- DHCP Relay Properties
- DNS Updates Properties
- Message Handling Properties
- SNMP Properties
- Tunneling Properties
- Certificate Properties
- File Size Properties
- Miscellaneous Properties
- Local Users File Properties
- ProLDAP Properties
- AAA Server As A Client Properties
- Client Action Properties
- 12 Logging and Monitoring
- Overview
- Server Log Files
- Accounting Log Files
- Using Server Manager to Retrieve Accounting Logfiles
- Format of Accounting Records in the Default Merit Style
- Writing Livingston CDR Accounting Records
- Changing the Accounting Log Filename
- Changing the Accounting Log Rollover Interval
- Rolling Over the Log File and Accounting Stream and Setting the Log Level
- Part III Advanced Configuration Information
- 13 Securing LAN Access With EAP
- 14 Managing Sessions
- 15 Assigning IP Addresses
- 16 OATH Standards-Based OTP Authentication
- OTP and OATH Overview
- HP-UX AAA Server and OATH Support
- Supported OTP Functions for RADIUS Standard Password (PAP) and MS-CHAP v2
- Components Required to Configure OTP Authentication
- Configuring OTP Authentication on the HP-UX AAA Server
- OTP Authentication Configuration Flowchart
- Basic or Typical Configuration
- Advanced Configuration
- Predefined Mapping and Conversion Functions
- Sample Configuration Files
- 17 Configuring EAP-SIM and EAP-AKA Authentication Methods
- EAP-SIM
- EAP-AKA
- Fast Re-Authentication
- Pseudonym Identities
- Generating Authentication Vectors Using A3, A8, and AKA Algorithms
- 18 Configuring HP-UX AAA Server for Scalability and High-Availability
- Overview
- Scalability and High-Availability Concepts
- HP-UX AAA Server Deployment for Scalability and High-Availability
- Managing Multiple HP-UX AAA Servers For Scalability and High-Availability
- Disaster Recovery of the HP-UX AAA Server Manager
- 19 Configuring the HP-UX AAA Server for Client Functionality
- 20 Configuring the HP-UX AAA Server for Dynamic Authorization
- Dynamic Authorization Overview
- HP-UX AAA Server and Dynamic Authorization
- Processing of Dynamic Authorization Requests
- Configuring for Dynamic Authorization
- Basic Configuration
- Advanced Configuration
- Sample Configuration Files
- Part IV Integrating the HP-UX AAA Server With External Services
- 21 LDAP Authentication
- 22 SQL Access
- SQL Access Overview
- Implementing SQL Access
- Administering Users and Tokens Stored in an SQL Database
- Multi-Row Support For SQL Access
- 23 Simple Network Management Protocol (SNMP) Support
- 24 VPN Tunneling
- 25 Using DHCP
- Part V Customizing the HP-UX AAA Server
- 26 Customizing the HP-UX AAA Server Using the Finite State Machine
- 27 Customizing the HP-UX AAA Server Using Policies
- 28 Customizing the HP-UX AAA Server Using the SDK
- Part VI Troubleshooting
- 29 Troubleshooting Overview
- 30 Troubleshooting Procedures
- Troubleshooting Flowchart
- Troubleshooting the Server Manager Administration Utility
- Troubleshooting the HP-UX AAA Server
- 31 Troubleshooting Resources
- 32 Reporting Problems
- Part VII Reference
- 33 Configuration Files
- HUP Processing
- The aaa.config File
- Variables in the aaa.config File
- The strict_duplicate_check Variable
- The aatv.ProLDAP Property
- The iaaa.SNMP Property
- The log_threshold_limit and suppression_interval Variables
- The list_copy_limit Variable
- The localUsersFile.FilterType Property
- The default_users_file_cis_search Property
- The log_forwarding Variable
- The log_generated_request Variable
- The ourhostname Variable
- The packet_log Variable
- The radius_log_fmt Variable
- The reply_check Variable
- OTP Authentication-Related Configuration Items
- Dynamic Authorization-Related Configuration Items
- Variables in the aaa.config File
- The clients File
- The users File
- The dictionary File
- The las.conf File
- The vendors File
- The log.config File
- 34 Attribute-Value Pairs
- 35 MIB Objects
- A Supported IETF RFCs
- B Supported Authentication Methods
- C RADIUS Data Packets
- D Header Files, Data Structures, and APIs in the HP-UX AAA Server SDK
- E Syntax of the Decision Files in Earlier Versions of the HP-UX AAA Server
- Glossary of Terms
- Index
MS-CHAP v2, 182
MS-CHAP, features, 163
multiple streams
  finite state machine, 539
  logging, 541
N
non-root processes, 68
O
OTP authentication, 162
  components, 182
  flowchart, 183
  inner and outer realms, 197
  mapping and conversion functions, 217
  precedence rules, 195
  process flow, 181
  realm-level configuration, 196
  system-wide configuration items, 195
  user-level configuration, 198
OTP authentication attributes, 192
  HOtp-Seq-Counter, 193
  Otp-ActionId, 194
  Otp-Add-Checksum, 195
  Otp-Lookup-Window, 192
  Otp-Retrieve-TokenInfo-ActionId, 195
  Otp-Shared-Secret, 193
  Otp-Token-Length, 193
  Otp-Token-Lock-Counter, 193
  Otp-Token-Serial-Number, 193
  Reply-Egress-ActionId, 195
OTP authentication concepts
  using bit masks, 188
OTP authentication configuration concepts, 187
override AAA server defaults, 520
P
PEAP (Protected EAP), 576
PEAP, features, 163
policy
  proxy-egress, 45, 438
  proxy-ingress, 45, 439
  reply-egress, 437
  request-ingress, 45, 435
  user policy, 46, 436
  Xstring, 399
policy action commands
  delete, 414
  exit, 418
  if, 420
  insert, 415
  log, 419
  modify, 417
policy attributes, 440
product architecture, 39
product structure, 38
PROLDAP, 231
ProLDAP properties, 139
pruning
  example, 534
  expressions - general information, 533
pseudonyms, 256
R
RADIUS overview, 34, 464
RADIUS sessions, 36
radius.fsm
  accounting logs, 146
  alternate fsm file, 79
  FSM, 396
radiusd, 77
  starting, 77
realm
  add, 105
  configuration - LAS, 537
  configuration example, 537
  modify, 108
realms screen, Server Manager, 105
reload, 76
remove A-V pair, 533
Replay Protection, 321
reply item
  authorization, 47
Reverse Path Forwarding, 324
RMI Objects, 72
S
sample AATV
  ACE, 451
  checkCSI, 451
sample configuration files, 326
sample OTP configuration files, 217
  oath-proxy-egress.grp, 222
  oath-reply-egress.grp, 221
  oath-request-ingress.grp, 221
SDK
  APIs, 579
    A-V pair APIs, 580
    Asynchronous event and I/O APIs, 589
    Authreq APIs, 582
    Logging APIs, 587
    secondary APIs, 591
  compiling and loading plug-ins, 452
  concepts, 448
  creating plug-ins, 451
  directory structure, 448
  header files and data structures, 579
  prerequisites, 448
  testing and debugging plug-ins, 453
Secure Copy Protocol, 96
server
  log files, 142