HP-UX AAA Server A.08.02 Administrator's Guide

NOTE: For MS-CHAP v2 authentication protocol, partial validation of either OTP or password
locally and the remaining part at an external RADIUS server is not possible. The complete validation
must be performed at the local HP-UX AAA Server or at an external RADIUS server.
Validating Password on the Local Server and Forwarding OTP to Another RADIUS Server
To configure the HP-UX AAA Server to validate the password and forward the OTP to another
RADIUS server for validation, complete the following steps:
1. Configure the realm using the Realms Screen of the Server Manager. Based on the user profile,
configure the realm for the local users file, LDAP, or an Oracle or MySQL database (SQL
database). For more information on configuring the realm, see “Adding a Realm” (page 72).
2. Configure the proxy target server using the Server Manager and save the configuration. For
more information on configuring proxies, see “Configuring Proxies” (page 81).
3. If not already appended, append the contents of the sample OTP reference implementation policy
files (located in /opt/aaa/examples/config) to the default policy files (located in
/etc/opt/aaa) using the following commands:
# cat /opt/aaa/examples/config/oath-request-ingress.grp >> /etc/opt/aaa/request-ingress.grp
# cat /opt/aaa/examples/config/oath-reply-egress.grp >> /etc/opt/aaa/reply-egress.grp
# cat /opt/aaa/examples/config/oath-proxy-egress.grp >> /etc/opt/aaa/proxy-egress.grp
4. In the /etc/opt/aaa/request-ingress.grp file, replace the <realm> variable and
configure the Otp-ActionId attribute according to the following rules:
If you have configured the realm for RADIUS standard password authentication:
    Replace the <realm> variable in the following syntax with the realm name configured in
    Step 1:

    if ((count (User-Name) > 0) && (substr (User-Name after "@") = "<realm>"))
    {
        insert Otp-ActionId = 101
        exit "ACK"
    }

If you have configured tunneled realms with different inner and outer realms for EAP
authentication:
    Replace the <realm> variable in the following syntax with the inner realm name configured
    in Step 1:

    if ((count (User-Name) > 0) && (substr (User-Name after "@") = "<realm>"))
    {
        insert Otp-ActionId = 101
        exit "ACK"
    }

If you have configured tunneled realms with the same inner and outer realms for EAP
authentication:
    1. Delete the following (default) condition in the /etc/opt/aaa/request-ingress.grp
    file:

    if ((count (User-Name) > 0) && (substr (User-Name after "@") = "<realm>"))
    {
        insert Otp-ActionId = 112
        exit "ACK"
    }

    2. Based on the EAP authentication method you have configured, add one of the following
    conditions in the /etc/opt/aaa/request-ingress.grp file, and replace the <realm>
    variable with the inner realm name configured in Step 1:

    If you have configured the realm for PEAP (EAP-GTC), add the following condition:

    if ((count (User-Realm) > 0) && (User-Realm = "<realm>/peap"))
    {
        insert Otp-ActionId = 101
        exit "ACK"
    }

    If you have configured the realm for TTLS (PAP), add the following condition:

    if ((count (User-Realm) > 0) && (User-Realm = "<realm>/ttls"))
    {
        insert Otp-ActionId = 101
Configuring OTP Authentication on the HP-UX AAA Server 151
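Step 3 says to append the sample policy files only "if not appended": running the cat commands a second time duplicates the policy block, and for the same-inner-and-outer-realm case a forgotten default condition leaves an Otp-ActionId 112 rule behind. The following shell script is an added example, not part of the HP-UX AAA Server guide; it makes the append idempotent, performs the <realm> substitution of Step 4 and counts Otp-ActionId rules so a leftover default can be spotted. All file paths are constructed demo files standing in for /opt/aaa/examples/config and /etc/opt/aaa.

```shell
#!/bin/sh
# Added example, not part of the HP-UX AAA Server guide: makes step 3 of the
# procedure idempotent and checks the request-ingress.grp edits of step 4.
# All paths are constructed demo files; the real ones live under
# /opt/aaa/examples/config (samples) and /etc/opt/aaa (active policy).

# append_once SRC DST: append SRC to DST unless DST already ends with the exact
# contents of SRC. A second "cat SRC >> DST" would otherwise duplicate the
# policy block. Run it before editing <realm>, or the comparison no longer holds.
append_once() {
    src=$1; dst=$2
    [ -f "$dst" ] || : > "$dst"
    if tail -c "$(wc -c < "$src" | tr -d ' ')" "$dst" | cmp -s - "$src"; then
        return 0                       # already appended, nothing to do
    fi
    cat "$src" >> "$dst"
}

# set_realm FILE REALM: substitute the <realm> placeholder with REALM (step 4).
# HP-UX sed has no -i option, so write a temp file and move it into place.
set_realm() {
    sed "s/<realm>/$2/g" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# count_action_id FILE ID: number of "insert Otp-ActionId = ID" lines in FILE.
# For tunneled realms with identical inner and outer realms the default 112
# condition must be deleted, so count_action_id FILE 112 should return 0.
count_action_id() {
    grep -c "insert Otp-ActionId = $2\$" "$1" || true
}

# Constructed demo: a stand-in for the sample file holding the default condition.
demo_dir=${TMPDIR:-/tmp}/otp-policy-demo.$$
mkdir -p "$demo_dir"
sample="$demo_dir/oath-request-ingress.grp"
policy="$demo_dir/request-ingress.grp"
cat > "$sample" <<'EOF'
if ((count (User-Name) > 0) && (substr (User-Name after "@") = "<realm>"))
{
insert Otp-ActionId = 112
exit "ACK"
}
EOF

append_once "$sample" "$policy"
append_once "$sample" "$policy"        # second run is a no-op: still one block
set_realm "$policy" example.com        # example.com is a constructed realm name
echo "default (112) rules still present: $(count_action_id "$policy" 112)"
```

A non-zero count for 112 after the "same inner and outer realms" edit means the default condition was never deleted and both rules will be evaluated.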