HP-UX AAA Server A.08.02 Administrator's Guide

2. If not already appended, append the contents of the sample OTP reference implementation
policy files (located in /opt/aaa/examples/config) to the default policy files (located in
/etc/opt/aaa) using the following commands:
# cat /opt/aaa/examples/config/oath-request-ingress.grp >> /etc/opt/aaa/request-ingress.grp
# cat /opt/aaa/examples/config/oath-reply-egress.grp >> /etc/opt/aaa/reply-egress.grp
3. In the /etc/opt/aaa/request-ingress.grp file, replace the <realm> variable and
configure the Otp-ActionId attribute according to the following rules:

If you have configured the realm for RADIUS standard password or MS-CHAP v2
authentication, then replace the <realm> variable in the following syntax with the
realm name configured in Step 1:
if ((count (User-Name) > 0) && (substr (User-Name after "@") = "<realm>"))
{
    insert Otp-ActionId = 16
    exit "ACK"
}

If you have configured tunneled realms with different inner and outer realms for EAP
authentication, then replace the <realm> variable in the following syntax with the
inner realm name configured in Step 1:
if ((count (User-Name) > 0) && (substr (User-Name after "@") = "<realm>"))
{
    insert Otp-ActionId = 16
    exit "ACK"
}

If you have configured tunneled realms with the same inner and outer realms for EAP
authentication, then:
1. Delete the following (default) condition in the request-ingress.grp file:
if ((count (User-Name) > 0) && (substr (User-Name after "@") = "<realm>"))
{
    insert Otp-ActionId = 112
    exit "ACK"
}
2. Based on the EAP authentication method you have configured, add one of the following
conditions to the /etc/opt/aaa/request-ingress.grp file, and replace the <realm>
variable with the inner realm name configured in Step 1:
If you have configured the realm for PEAP (EAP-GTC) or PEAP (EAP-MSCHAPv2), add the
following condition:
if ((count (User-Realm) > 0) && (User-Realm = "<realm>/peap"))
{
    insert Otp-ActionId = 16
    exit "ACK"
}
If you have configured the realm for TTLS (PAP), TTLS (MS-CHAP v2), or
TTLS (EAP-MSCHAPv2), add the following condition:
if ((count (User-Realm) > 0) && (User-Realm = "<realm>/ttls"))
{
    insert Otp-ActionId = 16
    exit "ACK"
}
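The following is an added example, not part of the HP-UX AAA Server guide: a small Python model of how the request-ingress.grp conditions in Step 3 are evaluated, where the first matching condition inserts Otp-ActionId and its exit "ACK" ends processing. It shows why the third case has you delete the default User-Name condition: when the inner realm equals the outer realm, that condition matches first and the /peap or /ttls User-Realm condition is never reached. Attribute names and action ids are taken from the page; the request dictionaries are constructed, and the model assumes the inner-tunnel request carries both User-Name and User-Realm.

```python
# Added example (not from the HP-UX AAA Server guide): a model of first-match
# evaluation of the request-ingress.grp OTP conditions (insert Otp-ActionId,
# then exit "ACK" stops processing). Attribute names and action ids follow the
# page; the request dicts below are constructed sample input.

def realm_after_at(user_name):
    """substr (User-Name after "@"): the realm part, or "" when there is no '@'."""
    return user_name.split("@", 1)[1] if "@" in user_name else ""

def user_name_rule(realm, action_id):
    """if ((count (User-Name) > 0) && (substr (User-Name after "@") = "<realm>"))"""
    return (lambda req: "User-Name" in req
            and realm_after_at(req["User-Name"]) == realm, action_id)

def user_realm_rule(realm_with_suffix, action_id):
    """if ((count (User-Realm) > 0) && (User-Realm = "<realm>/peap")), or /ttls"""
    return (lambda req: req.get("User-Realm") == realm_with_suffix, action_id)

def evaluate(rules, request):
    """Return the Otp-ActionId inserted by the first matching condition, else None."""
    for predicate, action_id in rules:
        if predicate(request):
            return action_id  # exit "ACK": no later condition is evaluated
    return None

def standard_policy(realm):
    """Step 3, first two cases: one User-Name condition with Otp-ActionId = 16."""
    return [user_name_rule(realm, 16)]

def same_realm_policy_with_default(realm):
    """Third case before its step 1: the default User-Name condition (112)
    still precedes the /peap and /ttls User-Realm conditions."""
    return [user_name_rule(realm, 112),
            user_realm_rule(realm + "/peap", 16),
            user_realm_rule(realm + "/ttls", 16)]

def same_realm_policy(realm):
    """Third case after its step 1: the default condition has been deleted."""
    return [user_realm_rule(realm + "/peap", 16),
            user_realm_rule(realm + "/ttls", 16)]

# Constructed inner-tunnel PEAP request for a realm whose inner and outer names
# are the same (assumption: the inner request carries User-Name and User-Realm).
INNER_PEAP_REQUEST = {"User-Name": "alice@example.com",
                      "User-Realm": "example.com/peap"}

if __name__ == "__main__":
    print(evaluate(standard_policy("example.com"), {"User-Name": "alice@example.com"}))
    print(evaluate(same_realm_policy_with_default("example.com"), INNER_PEAP_REQUEST))
    print(evaluate(same_realm_policy("example.com"), INNER_PEAP_REQUEST))
```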
4. In the /etc/opt/aaa/reply-egress.grp file, replace the <realm> variable with the
realm name configured in Step 1, as follows:
if ( (count (User-Realm) > 0) && (User-Realm = <realm>) )
Configuring OTP Authentication on the HP-UX AAA Server 143