HP-UX AAA Server A.08.02 Administrator's Guide
NOTE: When a response from the proxy is returned, the HP-UX AAA Server implements the
reply-egress policy, and does not increment the sequence counter and the success or failed
authentication counters (since they are incremented by the external RADIUS server).
If you have configured different inner and outer realms
If you have configured different inner and outer realms, you must specify the inner realm name
when configuring OTP authentication. For example, if you have configured an inner realm called
otprealm that uses TTLS (PAP, MS-CHAP v2, or EAP-MSCHAPv2) as the authentication mechanism,
specify the realm name in the request-ingress.grp file as follows:
if ( (count (User-Name) > 0) && (substr (User-Name after "@" ) = "otprealm" ) )
Specify the realm name in the reply-egress.grp file as follows:
if ( (count (User-Realm) > 0) && (User-Realm = "otprealm"))
NOTE: Creating different inner and outer realms for OTP authentication is supported only for
TTLS (PAP, MS-CHAP v2, and EAP-MSCHAPv2). For information on creating tunneled EAP realms,
see “Adding a Realm” (page 72).
If you are proxying the OTP to a remote server for validation, you must modify the
reply-egress.grp file:
if ( (count(Interlink-Proxy-Action) > 0) && ( (Interlink-Proxy-Action = "ACCT")
|| (Interlink-Proxy-Action = "LAS_ACCT") )
|| ( (count (User-Realm) > 0) && (User-Realm = "otprealm" ) ) )
NOTE:
• When a response from the proxy is returned, the HP-UX AAA Server implements the reply-egress
policy, and does not increment the sequence counter and the success or failed authentication
counters (since they are incremented by the external RADIUS server).
User Level OTP Attributes
To configure OTP attributes on a user level, you must modify the RetrieveToken SQLAction in
the sqlaccess.config file. You can choose to include the user-specific OTP attributes, listed in
Table 37 (page 137), using the following syntax:
SQLAction RetrieveToken {
{
input
RAD(User-Id, REPLY) DBP(userid, 253, CHAR)
output
DBR(100:*) RET(RETRIEVE_ERROR)
DBR(-1:*) RET(ERROR)
DBC(serial_number, 128, CHAR) RAD(Otp-Token-Serial-Number, REPLY)
DBC(token_status, 128, CHAR) FUNC(AAATokenStatusCheck)
DBC(seq_counter, 38, CHAR) RAD(HOtp-Seq-Counter, REPLY)
DBC(shared_secret, 128, CHAR) FUNC(AAASetConvertedHexToBinaryString)
DBR(0:0) RET(RETRIEVE_SUCCESS)
DBR(*:*) RET(RETRIEVE_ERROR)
SQLStatement db_oci {
SELECT serial_number, token_status,
seq_counter, shared_secret
FROM RAD_TOKENS_TABLE
WHERE user_name=:userid
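The RetrieveToken SQLAction above hands the server a row of serial_number, token_status, seq_counter and a hex-encoded shared_secret. The following added example (not the HP-UX AAA Server's own code) shows what the server has to do with such a row: an RFC 4226 HOTP check driven by the stored counter, with the counter advanced on success so the same OTP is not accepted twice. It assumes HOtp-Seq-Counter denotes an RFC 4226 HOTP counter, that shared_secret holds the key as hex (the reason for AAASetConvertedHexToBinaryString), and a look-ahead window of 5, which is an illustration setting, not a documented server parameter; the token row is constructed from the RFC 4226 test secret. It also mirrors the request-ingress.grp realm test from the section above.

```python
import hmac
import hashlib

# Constructed token row in the shape selected by the RetrieveToken SQLAction
# (serial_number, token_status, seq_counter, shared_secret). The key is the
# RFC 4226 test secret "12345678901234567890", stored hex-encoded (assumption).
TOKEN_ROW = {
    "serial_number": "EXAMPLE-0001",
    "token_status": "ACTIVE",
    "seq_counter": "0",
    "shared_secret": "3132333435363738393031323334353637383930",
}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer reduced to `digits` decimal digits."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def realm_after_at(user_name: str) -> str:
    """Mirror of the request-ingress.grp test substr(User-Name after "@")."""
    return user_name.split("@", 1)[1] if "@" in user_name else ""


def validate_otp(row: dict, submitted: str, look_ahead: int = 5):
    """Check `submitted` against the token row; return (accepted, new_seq_counter).

    A disabled token is rejected without touching the counter. Otherwise the
    OTP is compared against counters seq_counter .. seq_counter + look_ahead
    (the window tolerates a token that was pressed without reaching the
    server). On success the stored counter moves past the matching value, so
    replaying the same OTP fails; the hex key is converted to bytes exactly as
    AAASetConvertedHexToBinaryString is assumed to do."""
    start = int(row["seq_counter"])
    if row["token_status"] != "ACTIVE":
        return False, start
    secret = bytes.fromhex(row["shared_secret"])
    for counter in range(start, start + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, counter), submitted):
            return True, counter + 1
    return False, start
```

Note that when the OTP is proxied to an external RADIUS server (the reply-egress.grp case above) this local counter advance does not happen, which is exactly why the NOTE says the remote server owns the counters.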
Configuring OTP Authentication on the HP-UX AAA Server 141