HP-UX AAA Server A.08.02 Administrator's Guide

SQL Access Authentication Type
To use the SQL Access authentication type, you must include the following entry in the authfile:
    eapakarealm.com AKA SQLAccess ActionId=RetrieveAkaUser
You must also include the RetrieveAkaUser SQL action in the sqlaccess.config file.
The following SQL action, RetrieveAkaUser, is configured to return the subscriber key, AKA
mode, and SQN. If the values are successfully retrieved from the SQL-compliant database (db_oci),
the SQL action returns RETRIEVE_SUCCESS; otherwise, it returns RETRIEVE_ERROR.
SQLAction RetrieveAkaUser {
{
    input
        RAD(Real-Username, REPLY) DBP(runame, 253, CHAR)
    output
        DBR(100:0) RET(RETRIEVE_ERROR)
        DBR(-1:*) RET(ERROR)
        DBC(subscriber_key, 64, CHAR) FUNC(StoreInSubscriberKey) AAAHexToBinaryString
        DBC(aka_mode, 16, CHAR) FUNC(StoreInAkaMode) AAAHexToBinaryString
        DBC(aka_sequence_num, 32, CHAR) FUNC(StoreInAkaSeqNum) AAAHexToBinaryString
        DBR(0:0) RET(RETRIEVE_SUCCESS)
        DBR(*:*) RET(RETRIEVE_ERROR)
    SQLStatement db_oci {
        SELECT subscriber_key, aka_mode, aka_sequence_num
        FROM RAD_USERS_TABLE
        WHERE user_name=:runame
    }
}
}
NOTE: The subscriber_key, aka_mode, and aka_sequence_num columns must be
added to RAD_USERS_TABLE.
StoreInSubscriberKey, StoreInAkaMode, and StoreInAkaSeqNum are predefined
mapping functions that store the binary string in the Subscriber-Key, AKA-Mode, and
AKA-Sequence-Number attributes, respectively, and insert these AV-Pairs into
AUTHREQ_REPLY_QUEUE.
For more information on SQL Access, see Chapter 22 (page 247).
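The following Python sketch is an added example, not code from the HP-UX AAA Server or from this guide. It models the lookup that the RetrieveAkaUser action describes, with sqlite3 standing in for the db_oci database; the function names, the sample rows, and the choice to treat non-hex or over-width values as RETRIEVE_ERROR are assumptions.

```python
import sqlite3

# Column widths copied from the DBC(...) entries of the RetrieveAkaUser action.
WIDTHS = {"subscriber_key": 64, "aka_mode": 16, "aka_sequence_num": 32}

QUERY = ("SELECT subscriber_key, aka_mode, aka_sequence_num "
         "FROM RAD_USERS_TABLE WHERE user_name=:runame")


def retrieve_aka_user(conn, runame):
    """Return (code, attrs), mirroring the action's output rules (assumed model)."""
    try:
        # :runame is a bind parameter, so the user name is never spliced into SQL.
        row = conn.execute(QUERY, {"runame": runame}).fetchone()
    except sqlite3.Error:
        return "ERROR", {}                     # DBR(-1:*): database failure
    if row is None:
        return "RETRIEVE_ERROR", {}            # DBR(100:0): assumed no-row result
    attrs = {}
    for (col, width), value in zip(WIDTHS.items(), row):
        try:
            if value is None or len(value) > width:
                raise ValueError(col)
            attrs[col] = bytes.fromhex(value)  # assumed hex-to-binary conversion
        except ValueError:
            return "RETRIEVE_ERROR", {}        # assumption: unusable value fails closed
    return "RETRIEVE_SUCCESS", attrs           # DBR(0:0)


def demo_db():
    """Constructed sample table; all values are made-up test data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE RAD_USERS_TABLE (user_name TEXT PRIMARY KEY, "
                 "subscriber_key TEXT, aka_mode TEXT, aka_sequence_num TEXT)")
    conn.executemany("INSERT INTO RAD_USERS_TABLE VALUES (?, ?, ?, ?)", [
        ("alice", "00112233445566778899aabbccddeeff", "01", "000000000001"),
        ("bob", "not-hex", "01", "000000000001"),
    ])
    return conn


if __name__ == "__main__":
    db = demo_db()
    for name in ("alice", "bob", "nobody", "o'brien"):
        print(name, retrieve_aka_user(db, name)[0])
```

Running a check like this against provisioning data before it is loaded catches subscriber records that would otherwise fail only at authentication time.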
Realm-Based EAP-AKA Configuration Information in EAP.authfile
The EAP.authfile entry for a realm that supports EAP-AKA can contain an optional {}
configuration block following the EAP-Type AKA specification. This block contains realm-specific
EAP-AKA configuration information, such as the algorithm to use for the realm users and the
Fast-Reauth and Pseudonym parameters discussed later in the chapter. For more information on
Fast-Reauth and Pseudonym, see “Pseudonym Identities” (page 184).
If certain parameters are not specified in the EAP-Type AKA {} configuration block, default
values are assigned. For those parameters that do not have a default value, you must specify those
values to ensure that the capability is supported.
The following rules apply to the EAP-Type AKA{} configuration block parameters:
• The parameter names are case-insensitive.
• For parameters with on and off binary values, the values enabled, yes, on, and true
  are synonymous, and the values disabled, no, off, and false are synonymous.
• String parameter values must be enclosed within single or double quotes.
The EAP-Type AKA{} configuration block can contain any subset of the parameters, including the
empty subset. The EAP.authfile configuration parameters are described in Table 44.