HP-UX AAA Server A.08.02 Administrator's Guide
16 OATH Standards-Based OTP Authentication
IMPORTANT: SecurID authentication is obsolete in the A.08.00 release of the HP-UX AAA Server.
SecurID authentication can be replaced by Open AuTHentication (OATH) standards-based
One-Time Password (OTP) authentication. OATH is an industry-wide collaboration to develop an
open reference architecture for strong authentication. The OATH standards-based OTP authentication
solution supports hardware and software tokens from multiple vendors.
This chapter introduces Open AuTHentication (OATH) standards-based One-Time Password (OTP)
authentication. It also describes how to enable the HP-UX AAA Server to provide OTP authentication,
and combined password and OTP (two-factor) authentication, in different deployment scenarios. The
term OTP authentication is used throughout this document to refer to the functionality that enables
OTP authentication. The term two-factor authentication is used for password and OTP authentication.
This chapter addresses the following topics:
• “OTP and OATH Overview”
• “HP-UX AAA Server and OATH Support” (page 128)
• “Supported OTP Functions for RADIUS Standard Password (PAP) and MS-CHAP v2” (page 129)
• “Components Required to Configure OTP Authentication” (page 130)
• “Configuring OTP Authentication on the HP-UX AAA Server” (page 130)
  ◦ “OTP Authentication Configuration Flowchart” (page 130)
  ◦ “Basic or Typical Configuration” (page 133)
  ◦ “Advanced Configuration” (page 134)
    – “Advanced OTP Authentication Configuration Concepts” (page 134)
    – “Advanced Deployment Scenarios” (page 142)
  ◦ “Predefined Mapping and Conversion Functions” (page 155)
  ◦ “Sample Configuration Files” (page 156)
OTP and OATH Overview
Like a password, an OTP can be used to authenticate a user who is requesting access to a network.
An OTP can be used alone or together with a password for authentication. Typically, OTP is used
for two-factor authentication. For example, in large organizations, VPN access often requires a
user name, password, and OTP for remote-user two-factor authentication. Using an OTP adds
security because the user must enter a different OTP each time they authenticate to a validation
server, so a captured value cannot simply be reused.
OATH is an industry-wide collaboration to develop an open reference architecture for strong
authentication. The OATH consortium has developed a set of open, royalty-free algorithms for
one-time passwords. The OATH standards-based OTP authentication solution uses the HMAC-based
One-Time Password (HOTP) algorithm, which generates an OTP from a shared secret and a sequence
counter. HOTP is a sequence-based (counter-based) algorithm: the token and the validation server
each keep a counter that advances with every OTP. Any OATH-compliant client device can
interoperate with an HOTP-enabled OTP validation server.
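The following is an added illustration of the HOTP computation described above (RFC 4226), together with the kind of look-ahead check a validation server performs when the token's counter has run ahead of the server's. It is example code, not part of the HP-UX AAA Server; the window size and the `validate_otp` interface are assumptions, and the secret is the RFC 4226 test-vector key.

```python
import hashlib
import hmac
import struct

# RFC 4226 Appendix D test-vector secret (ASCII "12345678901234567890").
RFC4226_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    then dynamic truncation to a 31-bit integer, reduced modulo 10^digits."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # low nibble of last byte
    code = (
        (digest[offset] & 0x7F) << 24               # mask sign bit
        | digest[offset + 1] << 16
        | digest[offset + 2] << 8
        | digest[offset + 3]
    )
    return str(code % (10 ** digits)).zfill(digits)


def validate_otp(secret: bytes, last_counter: int, otp: str,
                 window: int = 10, digits: int = 6):
    """Server-side validation (assumed design, not the product's own logic).

    last_counter is the highest counter already accepted for this token
    (-1 if none). Counters at or below it are never re-accepted, which
    rejects replay of an old OTP. Counters in (last_counter, last_counter+window]
    are tried so a token that was pressed a few times without authenticating
    can resynchronise. Returns the accepted counter (the new last_counter)
    on success, or None on failure.
    """
    for candidate in range(last_counter + 1, last_counter + 1 + window):
        if hmac.compare_digest(hotp(secret, candidate, digits), otp):
            return candidate
    return None


if __name__ == "__main__":
    for c in range(3):
        print(c, hotp(RFC4226_SECRET, c))        # 755224, 287082, 359152
    print(validate_otp(RFC4226_SECRET, -1, "755224"))  # 0
    print(validate_otp(RFC4226_SECRET, 0, "755224"))   # None (replay)
```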
For more information on OATH and the HOTP algorithm, see the following web addresses:
• http://www.openauthentication.org/
• ftp://ftp.rfc-editor.org/in-notes/rfc4226.txt
OTP and OATH Overview 127