HP-UX AAA Server A.08.02 Administrator's Guide
Table 45 The aaa.config Configuration Block Parameters
Parameter     Description
Statistics    Directs the output of EAP-AKA statistics to the logfile
              when the server shuts down.
              The valid values are Enabled and Disabled.
              If not explicitly configured, the default value is Enabled.
The following is an example of an aaa.config configuration file:
aatv.EAP-AKA
{
# =====================================
# The following parameters are global.
# =====================================
Statistics "Enabled"
# Enabled or Disabled
}
Fast Re-Authentication
Fast re-authentication is an optional EAP-SIM and EAP-AKA feature. This feature is used to refresh
the previous authentication periodically. A fast re-authentication, if applicable, occurs shortly after
a full authentication or an earlier fast re-authentication. The Fast-Reauth-Id-Lifetime
parameter specifies a lifetime for a fast re-authentication identity, in seconds. If a fast
re-authentication identity is assigned, but is not used within this period of time, the fast
re-authentication identity and the associated full authentication context expire.
The HP-UX AAA Server generates a fast re-authentication identity that is 10 characters long:
the fast re-authentication identity prefix 3, followed by nine random characters drawn from
a 31-character set made up of the upper-case letters without vowels, followed by the 10
digits 0-9, that is, {BCDFGHJKLMNPQRSTVWXYZ0123456789}.
As there are 31 choices for each of the nine random characters, there are 31^9 different
identities, or more than 26 trillion fast re-authentication identities for all permanent identities.
Selecting only uppercase characters for the server-generated re-authentication identities allows
case-insensitive database lookups.
The server sends a fast re-authentication identity to the client, which includes a realm. Before
generating a fast re-authentication identity, the server checks whether the total length of the
name@realm string exceeds 253 characters, which is the maximum length of a User-Name attribute
value. If it exceeds the maximum length, the server does not generate a reauth identity. As the
name portion of the fast re-authentication identity is 10 characters, this problem occurs only if the
realm is greater than 242 characters. The realm is either the configured fast reauth realm or the
realm from the permanent identity. A fast reauth realm can be configured for targeting a fast reauth
authentication request to the specific server that generated the fast re-authentication identity.
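The identity format, the 253-character User-Name check and the lifetime expiry described above can be sketched as follows. This is an added example, not HP-UX AAA Server code: the ReauthStore class, its method names and the sample realm are hypothetical, the use of Python's secrets module as the random source is an assumption (the guide does not say how the random characters are drawn), and removing an identity on first use is also an assumption.

```python
import secrets
import time

ALPHABET = "BCDFGHJKLMNPQRSTVWXYZ0123456789"  # the guide's 31-character set
PREFIX = "3"            # fast re-authentication identity prefix
MAX_USER_NAME = 253     # maximum length of a User-Name attribute value


def new_reauth_identity(realm):
    """Return '3' + nine random characters + '@' + realm, or None if too long."""
    if len(PREFIX) + 9 + 1 + len(realm) > MAX_USER_NAME:
        return None     # realm longer than 242 characters: no identity is generated
    name = PREFIX + "".join(secrets.choice(ALPHABET) for _ in range(9))
    return name + "@" + realm


class ReauthStore:
    """Hypothetical in-memory table of outstanding fast re-authentication identities."""

    def __init__(self, lifetime_seconds, clock=time.monotonic):
        self.lifetime = lifetime_seconds    # stands in for Fast-Reauth-Id-Lifetime
        self.clock = clock
        self.entries = {}                   # upper-cased identity -> (expiry, context)

    def issue(self, realm, full_auth_context):
        identity = new_reauth_identity(realm)
        if identity is not None:
            expiry = self.clock() + self.lifetime
            self.entries[identity.upper()] = (expiry, full_auth_context)
        return identity

    def redeem(self, presented):
        """Return the stored context, or None if the identity is unknown or expired."""
        # Assumption: an identity is removed on first use (one-time identity).
        entry = self.entries.pop(presented.upper(), None)   # case-insensitive lookup
        if entry is None or self.clock() > entry[0]:
            return None     # expired: identity and full authentication context are gone
        return entry[1]


if __name__ == "__main__":
    store = ReauthStore(lifetime_seconds=3600)      # constructed sample values
    ident = store.issue("example.com", {"permanent_id": "constructed-user"})
    print(ident, "identity space:", len(ALPHABET) ** 9)
    print(store.redeem(ident.lower()))
```

Because the key is upper-cased before storage and lookup, a client that returns the identity in a different case still matches, which is the case-insensitive lookup the upper-case-only alphabet allows.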
Configuring for Fast Re-Authentication
This section addresses the following topics:
• “Configuring for Fast Re-Authentication in EAP.authfile” (page 179)
• “Configuring for Fast Re-Authentication in aaa.config File” (page 180)
178 Configuring EAP-SIM and EAP-AKA Authentication Methods