HP-UX AAA Server A.08.02 Administrator's Guide
Components Required to Configure OTP Authentication
The following components, which are required to configure OTP authentication, are provided with
the HP-UX AAA Server:
• Modified Finite State Machine (FSM)
• Database schema files
• The following sample configuration files:
◦ sqlaccess.config
◦ Policy configuration files:
– oath-proxy-egress.grp
– oath-request-ingress.grp
– oath-reply-egress.grp
◦ User Database Administration Manager (This web-based interface enables you to
administer user profiles and token information in the SQL database effectively.) For more
information, see “Administering Users and Tokens Stored in an SQL Database” (page 273).
The following components required to configure OTP authentication are not provided with the
HP-UX AAA Server:
• SQL database
• OTP generators (typically, token devices or software that generates OTP) with their inventory
files (files that contain the shared secret and other token information)
Configuring OTP Authentication on the HP-UX AAA Server
The HP-UX AAA Server uses SQL Access, the FSM, and policy actions to support OTP authentication.
This feature offers the flexibility to customize OTP authentication depending on the deployment
scenarios.
Sample policy files are provided to simplify the process of configuring the HP-UX AAA Server to
provide password and OTP authentication.
If you are not using the basic or typical configuration (“Basic or Typical Configuration”), append
the contents of the sample OTP reference implementation files (located in /opt/aaa/examples/config)
to the default policy files (located in /etc/opt/aaa) using the following commands:
# cat /opt/aaa/examples/config/oath-request-ingress.grp >> /etc/opt/aaa/request-ingress.grp
# cat /opt/aaa/examples/config/oath-reply-egress.grp >> /etc/opt/aaa/reply-egress.grp
# cat /opt/aaa/examples/config/oath-proxy-egress.grp >> /etc/opt/aaa/proxy-egress.grp
In addition, you must complete the necessary configuration to use SQL Access. For more information,
see Chapter 22 (page 247).
NOTE: The oath-proxy-egress.grp file is required only if you are proxying the OTP or
password to another RADIUS server.
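The append step above is not idempotent: running the cat commands a second time leaves duplicate policy entries in the live files. The following wrapper is an added example, not part of the HP-UX AAA Server; the function names, the .pre-otp backup suffix, and the "already appended" check are assumptions, while the file names and directories are the ones given above.

```sh
#!/bin/sh
# Added example, not from the HP-UX AAA Server guide.
# Function names and the .pre-otp backup suffix are hypothetical.

# append_one SRC DST: append sample policy SRC to live policy DST at most once.
append_one() {
    src=$1
    dst=$2
    [ -r "$src" ] || { echo "missing sample file: $src" >&2; return 1; }
    [ -w "$dst" ] || { echo "missing or read-only policy file: $dst" >&2; return 1; }

    # Assumption: if every line of SRC already occurs verbatim in DST, the
    # sample was appended earlier. grep -v selects SRC lines absent from DST.
    if ! grep -qvxFf "$dst" "$src"; then
        echo "skip: $dst already contains $src"
        return 0
    fi

    # Keep the first pristine copy so the change can be rolled back.
    [ -e "$dst.pre-otp" ] || cp -p "$dst" "$dst.pre-otp" || return 1
    cat "$src" >> "$dst" && echo "appended: $src -> $dst"
}

# append_otp_policy [EXAMPLES_DIR] [POLICY_DIR] [yes|no]
# Third argument "yes" also appends oath-proxy-egress.grp, which the NOTE
# above says is needed only when proxying to another RADIUS server.
append_otp_policy() {
    examples=${1:-/opt/aaa/examples/config}
    policy=${2:-/etc/opt/aaa}
    proxying=${3:-no}

    append_one "$examples/oath-request-ingress.grp" "$policy/request-ingress.grp" || return 1
    append_one "$examples/oath-reply-egress.grp" "$policy/reply-egress.grp" || return 1
    if [ "$proxying" = yes ]; then
        append_one "$examples/oath-proxy-egress.grp" "$policy/proxy-egress.grp" || return 1
    fi
}
```

Source the file as root and call append_otp_policy with no arguments to use the default directories; the check compares whole lines, so a sample file that was edited after being appended is treated as new.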
OTP Authentication Configuration Flowchart
The OTP authentication configuration flowchart (Figure 49) included in this section documents some
common deployment scenarios. Read the scenarios discussed in the flowchart against your
deployment requirements and click the relevant links for more information about the procedure to
be followed.
To customize your deployment further, additional configuration attributes and items are provided
that can be configured on a per-user, per-realm, or on a system-wide level. For more information
on these attributes, see “Attributes for Configuring OTP Authentication” (page 137). For information
130 OATH Standards-Based OTP Authentication