HP-UX AAA Server A.08.02 Administrator's Guide
NOTE:
a. If the RADIUS standard Password Authentication Protocol (PAP) is used, the HP-UX AAA
Server can split the user password into password and OTP and perform one of the following
actions:
• Validate the OTP, or password, or password and OTP.
• Proxy the OTP or password to an external RADIUS server for validation.
Splitting of the user password into password and OTP is not supported for the MS-CHAP v2
authentication protocol because the user password is a hash. Therefore, partial validation of
either OTP or password locally and the remaining part at an external RADIUS server is
not possible. The complete validation must be performed at the local HP-UX AAA Server
or at an external RADIUS server.
b. The HP-UX AAA Server can be configured to generate OTPs that can be delivered to
customers through the secondary channel using SMS, e-mail, FTP, and so on. Contact
your HP Support representative for assistance while configuring the HP-UX AAA Server
to use the secondary channel for OTP delivery.
If the validation is performed locally, the HP-UX AAA Server updates the database with the
incremented sequence counter after successful OTP authentication. If the validation is performed
by an external RADIUS server, the external RADIUS server updates the database with the
incremented sequence counter after successful OTP authentication.
Based on the success or failure of authentication, the HP-UX AAA Server sends an Access-Accept
or Access-Reject message to the user.
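The local split-and-validate flow described above, as an added Python example that is not HP-UX AAA Server code. It assumes the OTP is an RFC 4226 HOTP value appended as the last six digits of the PAP User-Password; the record layout, the `LOOKAHEAD` window and all function names are hypothetical.

```python
import hashlib
import hmac
import struct

OTP_DIGITS = 6   # assumption: 6-digit OTP appended to the static password
LOOKAHEAD = 3    # assumption: counters ahead of the stored one that are accepted
SALT = b"constructed-salt"
# Constructed sample user record (not from the guide).
RECORD = {
    "secret": b"12345678901234567890",  # RFC 4226 Appendix D test secret
    "counter": 0,
    "salt": SALT,
    "pw_hash": hashlib.pbkdf2_hmac("sha256", b"s3cret", SALT, 100_000),
}


def hotp(secret: bytes, counter: int, digits: int = OTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA-1 over the 8-byte counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def split_pap_password(user_password: str, digits: int = OTP_DIGITS):
    """Split a cleartext PAP User-Password into (password, otp).
    An MS-CHAP v2 response is a hash, so there is no substring to cut."""
    tail = user_password[-digits:]
    if len(user_password) <= digits or not (tail.isascii() and tail.isdigit()):
        raise ValueError("no trailing OTP in User-Password")
    return user_password[:-digits], tail


def authenticate(record: dict, user_password: str) -> str:
    """Validate password and OTP locally; advance the counter only on success."""
    try:
        password, otp = split_pap_password(user_password)
    except ValueError:
        return "Access-Reject"
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], 100_000)
    password_ok = hmac.compare_digest(derived, record["pw_hash"])
    matched = None
    for c in range(record["counter"], record["counter"] + LOOKAHEAD + 1):
        if hmac.compare_digest(hotp(record["secret"], c), otp):
            matched = c
            break
    if password_ok and matched is not None:
        record["counter"] = matched + 1  # stored counter moves past the used OTP
        return "Access-Accept"
    return "Access-Reject"
```

Because the counter is written back only after a successful authentication, a replayed OTP no longer matches any counter in the accepted range and is rejected.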
Supported OTP Functions for RADIUS Standard Password (PAP) and MS-CHAP v2
OTP support for MS-CHAP v2 is compatible with RFC 4226. Table 34 describes the supported
functions for PAP and MS-CHAP v2.
Table 34 Supported OTP Functions for PAP and MS-CHAP v2

| Functions | RADIUS Standard Password (PAP) | MS-CHAP v2 |
|---|---|---|
| Validate OTP | Yes | Yes |
| Validate Password | Yes | Yes |
| Store OTP | Yes | Yes |
| Validate OTP and Password | Yes | Yes |
| Proxy the OTP and password to another RADIUS server for OTP and password validation | Yes | Yes |
| Splitting the OTP and password, and proxying the OTP or password to another RADIUS server for OTP or password validation | Yes | No |

For information on supported action ids, see Table 36 (page 136).