HP-UX AAA Server A.08.02 Administrator's Guide

AKA-Mode 0x12ab
Protected-Identity-Exchanges No
Protected-Success-Indications "Enabled"
}
}
NOTE: The comment field in realm configuration must not have spaces.
Auth-Result-Update and Resync-Update
SQN management for EAP-AKA can be handled through the SQL Access feature provided
by HP-UX AAA Server. In this case, user credentials must be stored in an Oracle or SQL-compliant
database. The above example shows the EAP.authfile configuration for these parameters.
UpdateSQN and ResyncSQN are the SQL action names that must be configured in the
sqlaccess.config file. Sample entries follow.
UpdateSQN: This SQL action increments the SQN in the database for each successful authentication.
Two mappings are used. The first retrieves the sequence number for the corresponding real
identity and adds the incremented SQN to the REPLY queue. The second mapping retrieves it
from the REPLY queue and writes it back to the database. A predefined sample mapping function,
IncAkaSeqNum, increments the SQN if the authentication succeeds. The mapping function then
converts it back to hex string format and inserts the AKA-Sequence-Number
AVP into the REPLY queue.
You can use the vendor-specific attribute AKA-Authentication-Result to check the result of
authentication. It takes one of the following values, depending on the authentication result:
NO-AUTH 0
SUCCESS 1
REAUTH 2
CLIENT_REJECT 3
BAD_MAC 4
BAD_XRES 5
BAD_CHECKCODE 6
BAD_PROTOCOL 7
BAD_INTERNAL 8
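The read-increment-write cycle that UpdateSQN performs, gated on AKA-Authentication-Result, as an added Python sketch (not HP-UX AAA Server code and not part of the original guide). It assumes a 48-bit SQN stored as 12 hex digits and a step of 1; inc_sqn_hex is a hypothetical stand-in for IncAkaSeqNum, and the SQLite table is constructed sample data that reuses the table and column names from the sample entries.

```python
import re
import sqlite3

SUCCESS = 1      # AKA-Authentication-Result value listed above
SQN_BITS = 48    # assumption: 3GPP AKA SQN width; not stated on this page

def inc_sqn_hex(sqn_hex):
    """Hypothetical stand-in for IncAkaSeqNum: hex string in, hex string out."""
    if not re.fullmatch(r"[0-9a-fA-F]{1,12}", sqn_hex or ""):
        raise ValueError("SQN must be 1-12 hex digits")
    value = int(sqn_hex, 16) + 1
    if value >= 1 << SQN_BITS:
        # Refuse to wrap: a wrapped SQN would fall back to already-used values.
        raise OverflowError("SQN space exhausted")
    return format(value, "012x")

def update_sqn(conn, real_username, auth_result):
    """Both mappings (SELECT + increment, then UPDATE) as one transaction."""
    if auth_result != SUCCESS:
        return None                      # SQN untouched on any failure code
    with conn:                           # commit, or roll back on exception
        row = conn.execute(
            "SELECT aka_sequence_number FROM RAD_USERS_TABLE"
            " WHERE user_name = ?", (real_username,)).fetchone()
        if row is None:
            return None                  # unknown real identity
        new_sqn = inc_sqn_hex(row[0])
        conn.execute(
            "UPDATE RAD_USERS_TABLE SET aka_sequence_number = ?"
            " WHERE user_name = ?", (new_sqn, real_username))
    return new_sqn

def make_sample_db():
    """Constructed in-memory table using the page's table and column names."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE RAD_USERS_TABLE ("
                 "user_name TEXT PRIMARY KEY, aka_sequence_number TEXT)")
    conn.execute("INSERT INTO RAD_USERS_TABLE VALUES ('alice', '0000000000ff')")
    conn.commit()
    return conn

if __name__ == "__main__":
    db = make_sample_db()
    print(update_sqn(db, "alice", SUCCESS))   # incremented SQN
    print(update_sqn(db, "alice", 4))         # BAD_MAC: no update
```

A malformed stored value raises inside the transaction, so the row is left unchanged rather than being overwritten with a guessed SQN.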
SQLAction UpdateSQN {
{
input
RAD(Real-Username, REPLY) DBP(runame, 253, CHAR)
output
DBR(100:*) RET(NAK)
DBR(-1:*) RET(ERROR)
DBC(aka_sequence_number, 64, CHAR) FUNC(IncAkaSeqNum) AAAHexToBinaryString
DBR(0:0) RET(ACK)
DBR(*:*) RET(ERROR)
SQLStatement db_oci {
SELECT aka_sequence_number
FROM RAD_USERS_TABLE
WHERE user_name=:runame
}
}
{
input
RAD(AKA-Sequence-Number, REPLY) DBP(seqnum, 253, CHAR)
RAD(Real-Username, REPLY) DBP(runame, 253, CHAR)
output
DBR(-1:*) RET(ERROR)
DBR(0:0) RET(ACK)
DBR(*:*) RET(NAK)
SQLStatement db_oci {
UPDATE RAD_USERS_TABLE set aka_sequence_number=:seqnum
where user_name=:runame
176 Configuring EAP-SIM and EAP-AKA Authentication Methods