HP-UX AAA Server A.08.02 Administrator's Guide
Configuring for Fast Re-Authentication in EAP.authfile
To use fast re-authentications, the realm configuration in the EAP-Type SIM{} or EAP-Type
AKA{} block in EAP.authfile must specify the parameters described in Table 46.
Table 46 EAP.authfile Configuration Parameters
Parameter: Fast-Reauth-Lookup
Description: The Fast-Reauth-Lookup parameter specifies an AATV and an
Xstring parameter for this AATV. This AATV is invoked to map a fast
re-authentication identity to the user's real identity and full
authentication context. If this parameter is not configured, fast
re-authentication support is disabled for the realm. HP-UX AAA Server
provides an AATV, SIMAKA-ReauthCacheLookup, for this function. There is
no default value.

Parameter: Fast-Reauth-Update
Description: The Fast-Reauth-Update parameter specifies an AATV and an
Xstring parameter for this AATV. This AATV is invoked to update the
mapping of a fast re-authentication identity to a user's real identity.
If this parameter is not configured, fast re-authentication support is
disabled for the realm. HP-UX AAA Server provides the
SIMAKA-ReauthCacheUpdate AATV for this function. There is no default
value.

Parameter: Max-Number-Of-Reauths-Before-Full-Auth-Is-Required
Description: This parameter specifies an upper limit for the number of
subsequent fast re-authentications allowed before a full authentication
needs to be performed. The valid range is 1 to 65,535.

Parameter: Fast-Reauth-Realm
Description: Specifies the realm used to target fast re-authentications.
When it provides a fast re-authentication identity, the server also
includes a realm to help ensure that the subsequent fast
re-authentication is targeted to the server that holds the full
authentication context, if internal caching, rather than an external
database, is used to save the fast re-authentication context.
Because the maximum length of a fast re-auth NAI cannot exceed 253
characters, and the length of the fast re-auth user name is 10
characters, the Fast-Reauth-Realm value must not exceed 242 characters.
If the fast re-authentication identity must be generated with no realm
name, configure the value as NULL. The empty string entry, using just
two quotes, indicates that the server must generate a fast
re-authentication identity with the same realm name as the permanent
identity.

Parameter: Fast-Reauth-Id-Lifetime
Description: The Fast-Reauth-Id-Lifetime parameter specifies a lifetime
for a fast re-authentication identity, in seconds. If a fast
re-authentication identity is assigned, but is not used within this
period of time, the fast re-authentication identity and the associated
full authentication context are purged. The valid range is 1 to 14400
(1 second to 4 hours). The default value is 3600 seconds.
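
The following is an added example, not part of the HP guide or the product: a Python check of one realm's settings against the ranges, the 242-character realm limit, and the NULL and empty-string realm rules in Table 46. It assumes the settings have already been read into a dict with numeric values converted to integers; the function names, the sample values, and the treatment of an unset Fast-Reauth-Realm as the empty string are assumptions of the example.

```python
# Added example: lints already-parsed realm settings against Table 46.
# Assumed: values arrive as a dict with integers already converted; the
# function names and SAMPLE values are constructed for illustration.
MAX_NAI_LEN = 253      # maximum length of a fast re-auth NAI
REAUTH_USER_LEN = 10   # length of the fast re-auth user name
MAX_REALM_LEN = MAX_NAI_LEN - REAUTH_USER_LEN - 1   # minus "@" gives 242

SAMPLE = {
    "Fast-Reauth-Lookup": "SIMAKA-ReauthCacheLookup",
    "Fast-Reauth-Update": "SIMAKA-ReauthCacheUpdate",
    "Max-Number-Of-Reauths-Before-Full-Auth-Is-Required": 10,
    "Fast-Reauth-Realm": "",
    "Fast-Reauth-Id-Lifetime": 3600,
}

def fast_reauth_enabled(cfg):
    """Support is disabled for the realm unless both AATVs are configured."""
    return all(cfg.get(k) for k in ("Fast-Reauth-Lookup", "Fast-Reauth-Update"))

def reauth_realm(cfg, permanent_identity):
    """Realm for a generated fast re-auth identity; None means no realm."""
    realm = cfg.get("Fast-Reauth-Realm", "")  # assumption: unset treated as ""
    if realm == "NULL":
        return None
    if realm == "":   # two quotes: reuse the permanent identity's realm
        return permanent_identity.partition("@")[2] or None
    return realm

def nai_fits(cfg, permanent_identity):
    """True if user name + "@" + realm stays within the 253-character NAI."""
    realm = reauth_realm(cfg, permanent_identity)
    return REAUTH_USER_LEN + (1 + len(realm) if realm else 0) <= MAX_NAI_LEN

def validate(cfg):
    """Return findings; an empty list means the values fit Table 46."""
    findings = []
    if not fast_reauth_enabled(cfg):
        findings.append("Lookup/Update AATV missing: fast re-auth disabled")
    count = cfg.get("Max-Number-Of-Reauths-Before-Full-Auth-Is-Required")
    if count is not None and not 1 <= count <= 65535:
        findings.append("maximum re-auth count outside 1 to 65,535")
    lifetime = cfg.get("Fast-Reauth-Id-Lifetime", 3600)   # documented default
    if not 1 <= lifetime <= 14400:
        findings.append("Fast-Reauth-Id-Lifetime outside 1 to 14400 seconds")
    realm = cfg.get("Fast-Reauth-Realm", "")
    if realm != "NULL" and len(realm) > MAX_REALM_LEN:
        findings.append(f"Fast-Reauth-Realm longer than {MAX_REALM_LEN} characters")
    return findings
```

With the empty-string realm, the length that matters is that of each subscriber's own realm, which is why nai_fits is checked per permanent identity rather than once per configuration.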