HP-UX AAA Server A.08.02 Administrator's Guide
Realm Level OTP Attributes
To configure OTP attributes on a realm level, you must modify the sample entry in the
request-ingress.grp file using the following syntax:
if ((count (User-Name) > 0) && (substr (User-Name after "@") = "<realm>"))
{
    # Add Otp-ActionId attribute, if it is not present in the user request.
    #
    if (count (Otp-ActionId) = 0)
    {
        insert Otp-ActionId = <OTP-ActionId>
        insert Otp-Retrieve-TokenInfo-ActionId = "<SQL action>"
    }
    exit "ACK"
}
In this example, the Otp-ActionId and Otp-Retrieve-TokenInfo-ActionId attributes
are configured on a per-realm basis. Other realm-level OTP attributes can be added depending on
your configuration.
Configuring OTP Authentication for Tunneled EAP Mechanisms
If you have created EAP tunneled realms using the Server Manager for PEAP (EAP-GTC or
EAP-MS-CHAP v2) or TTLS (PAP, MS-CHAP v2, or EAP-MSCHAPv2), refer to the following rules
for specifying the realms when configuring OTP authentication:
If you have configured the same inner and outer realms
• If you are using PEAP (EAP-GTC or EAP-MS-CHAP v2) as the authentication mechanism, replace
the variable <realm> with the configured inner realm name, using the following syntax in
the request-ingress.grp and reply-egress.grp files:
if ( (count (User-Realm) > 0) && (User-Realm = "<realm>/peap"))
If you are proxying the OTP to an external RADIUS server for validation, you must modify the
reply-egress.grp file as follows, and replace the variable <proxyrealm> with the
configured inner realm:
if ( (count(Interlink-Proxy-Action) > 0) && ( (Interlink-Proxy-Action = "ACCT")
        || (Interlink-Proxy-Action = "LAS_ACCT") )
     || ( (count (User-Realm) > 0) && (User-Realm = "<proxyrealm>/peap") ) )
• If you are using TTLS (PAP, MS-CHAP v2, or EAP-MSCHAPv2) as the authentication mechanism,
replace the variable <realm> with the configured inner realm name, using the following
syntax in the request-ingress.grp and reply-egress.grp files:
if ( (count (User-Realm) > 0) && (User-Realm = "<realm>/ttls"))
If you are proxying the OTP to an external RADIUS server for validation, you must modify the
reply-egress.grp file as follows, and replace the variable <proxyrealm> with the
configured inner realm name:
if ( (count(Interlink-Proxy-Action) > 0) && ( (Interlink-Proxy-Action = "ACCT")
        || (Interlink-Proxy-Action = "LAS_ACCT") )
     || ( (count (User-Realm) > 0) && (User-Realm = "<proxyrealm>/ttls") ) )
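As an added illustration, not part of this guide or of the HP-UX AAA Server product, the following Python models how the realm-level request-ingress rule above and the tunneled-realm and proxy conditions evaluate against a request, with RADIUS attributes represented as constructed (name, value) lists. The attribute names are those on this page; the realm, action-id and tunnel values passed in are assumed.

```python
# Model of the request-ingress.grp / reply-egress.grp realm rules shown above.
# Attributes are (name, value) tuples so that count() semantics (an attribute may
# appear zero or more times) are preserved. Sample inputs are constructed.

def attr_count(attrs, name):
    """count(<attr>): number of occurrences of the attribute in the request."""
    return sum(1 for n, _ in attrs if n == name)

def attr_get(attrs, name):
    """First value of the attribute, or None if it is absent."""
    for n, v in attrs:
        if n == name:
            return v
    return None

def realm_of(user_name):
    """substr(User-Name after "@"): empty string when there is no "@"."""
    return user_name.split("@", 1)[1] if "@" in user_name else ""

def apply_realm_otp_rule(attrs, realm, otp_action_id, token_action):
    """Realm entry from request-ingress.grp. Returns (attrs, decision); decision
    is "ACK" when the realm matched and None when the rule did not fire."""
    attrs = list(attrs)
    if attr_count(attrs, "User-Name") > 0 and realm_of(attr_get(attrs, "User-Name")) == realm:
        # Insert only when no Otp-ActionId is present; an existing value is kept.
        if attr_count(attrs, "Otp-ActionId") == 0:
            attrs.append(("Otp-ActionId", otp_action_id))
            attrs.append(("Otp-Retrieve-TokenInfo-ActionId", token_action))
        return attrs, "ACK"
    return attrs, None

def tunneled_realm_matches(attrs, realm, tunnel):
    """Inner-realm check for tunneled requests; tunnel is "peap" or "ttls"."""
    return attr_count(attrs, "User-Realm") > 0 and attr_get(attrs, "User-Realm") == f"{realm}/{tunnel}"

def egress_proxy_matches(attrs, proxyrealm, tunnel):
    """reply-egress.grp condition used when the OTP is proxied to an external
    RADIUS server: accounting proxy actions, or a reply for the inner realm."""
    action = attr_get(attrs, "Interlink-Proxy-Action")
    if attr_count(attrs, "Interlink-Proxy-Action") > 0 and action in ("ACCT", "LAS_ACCT"):
        return True
    return tunneled_realm_matches(attrs, proxyrealm, tunnel)

if __name__ == "__main__":
    req = [("User-Name", "alice@example.com")]          # constructed request
    print(apply_realm_otp_rule(req, "example.com", "otp-1", "sql-1"))
```

Running the script shows the two inserted attributes and the "ACK" decision for the constructed request; a User-Name without "@" yields an empty realm and the rule falls through.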
140 OATH Standards-Based OTP Authentication