HP-UX AAA Server A.08.02 Administrator's Guide

AKA mode is a string attribute containing the binary encoded 16-bit user authentication
management field, often referred to as AMF. The encoding must be in network byte order
(big-endian).
AKA algorithm is a string attribute indicating the name of the AKA algorithm to be applied
in AKA vector generation. Most lines in the configuration files are limited to 1023
characters, which places a limit on the length of this string. The value is case-sensitive.
The second form is the configuration of an AKA vector. An AKA vector is a fixed length binary
string (octets) attribute, which holds an EAP-AKA authentication vector. The attribute value is
a 576-bit binary string (72 bytes) partitioned as described in Table 43, which lists the AKA
Vector parameters.
Table 43 AKA Vector Parameters
Parameter   Description
RAND        The first 128 bits (16 bytes) of the value
XRES        The next 64 bits (8 bytes) of the value
CK          The next 128 bits (16 bytes) of the value
IK          The next 128 bits (16 bytes) of the value
AUTN        The last 128 bits (16 bytes) of the value
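The following added example (not part of the HP-UX AAA Server guide or product) splits a 72-byte AKA vector according to Table 43, rejects any other length, and encodes the 16-bit AMF in network byte order. The function names are hypothetical, the sample vector is constructed, and the position of the AMF inside AUTN is an assumption taken from 3GPP TS 33.102 rather than from this guide.

```python
import struct

# Field layout from Table 43: (name, length in bytes), in order of appearance.
AKA_VECTOR_LAYOUT = (("RAND", 16), ("XRES", 8), ("CK", 16), ("IK", 16), ("AUTN", 16))
AKA_VECTOR_LEN = sum(size for _, size in AKA_VECTOR_LAYOUT)  # 72 bytes = 576 bits


def encode_amf(amf: int) -> bytes:
    """Encode the 16-bit AMF in network byte order (big-endian)."""
    if not 0 <= amf <= 0xFFFF:
        raise ValueError("AMF must fit in 16 bits")
    return struct.pack("!H", amf)


def split_aka_vector(vector: bytes) -> dict:
    """Split a 72-byte AKA vector into its fields; reject any other length."""
    if len(vector) != AKA_VECTOR_LEN:
        raise ValueError(f"AKA vector must be {AKA_VECTOR_LEN} bytes, got {len(vector)}")
    fields, offset = {}, 0
    for name, size in AKA_VECTOR_LAYOUT:
        fields[name] = vector[offset:offset + size]
        offset += size
    return fields


def amf_from_autn(autn: bytes) -> int:
    """Read the AMF out of AUTN.

    Assumption (3GPP TS 33.102, not stated in this guide):
    AUTN = (SQN xor AK) [6 bytes] || AMF [2 bytes] || MAC [8 bytes].
    """
    if len(autn) != 16:
        raise ValueError("AUTN must be 16 bytes")
    return struct.unpack("!H", autn[6:8])[0]


# Constructed sample vector (not real key material): each field is a marker byte.
SAMPLE_AUTN = bytes(6) + encode_amf(0x8000) + b"\xEE" * 8
SAMPLE_VECTOR = b"\xAA" * 16 + b"\xBB" * 8 + b"\xCC" * 16 + b"\xDD" * 16 + SAMPLE_AUTN

if __name__ == "__main__":
    parts = split_aka_vector(SAMPLE_VECTOR)
    # Print lengths only: XRES, CK and IK are secrets and should not be logged.
    print({name: len(value) for name, value in parts.items()})
    print(f"AMF = 0x{amf_from_autn(parts['AUTN']):04x}")
```

A length check of this kind before a vector is stored catches truncated or padded values that would otherwise shift every field after the damaged one.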
The user credentials can be stored in any supported data repository, such as a local realm users
file, an LDAP database, SQL-compliant database using SQL Access, or a customer-supplied
database.
NOTE: The SQL Access feature can be used to retrieve user credentials as well as to manage SQN.
For a sample SQL Access configuration, see “Realm-Based EAP-AKA Configuration Information in
authfile” (page 172). Configuring user credentials in the realm users file and LDAP database requires
Finite State Machine (FSM) modifications and a module that manages SQN.
EAP-AKA Realm-Based Configurations
Many EAP-AKA parameters can be configured on a per realm basis. These parameters are
configured in realm entries stored in the authfile and EAP.authfile files.
Realm-Based EAP-AKA Configuration Information in authfile
The user's AKA credentials lookup information is configured in the authfile on a per realm
basis.
The EAP-AKA realm must be configured with the -AKA switch. The following syntax is used to
configure the user credential storage:
eapakarealm.com AKA <AATV name> <xstring, if any>
If a user-specific plug-in is added for user lookup, the AATV name is replaced with the plug-in name.
The following section describes configuration of HP-UX AAA Server and SQL-compliant database
for credential lookup (subscriber key).
The HP-UX AAA Server receives the AKA vector directly when the external storage (typically an AuC)
generates the vector. An AATV must be written for this. For information on how to write an AATV,
see Chapter 28 (page 328).
NOTE: The xstring field in the realm configuration must not have spaces.
172 Configuring EAP-SIM and EAP-AKA Authentication Methods