HP-UX AAA Server A.08.02 Administrator's Guide

Fast Re-Authentication Database Update AATV

As a result of a full authentication, the database may require a new record for the fast
re-authentication information. If the database includes an existing set of fast re-authentication
information, the information needs to be updated or made invalid with each full authentication or
a fast re-authentication.

If the realm is configured for fast re-authentication support, the update AATV is invoked with every
authentication, either full or re-authentication, successful or unsuccessful, and whether a new fast
re-authentication username is assigned or not.

Update AATV Inputs

The input to the Update AATV is the set of Vendor-Specific Attributes (VSAs) on the
AUTHREQ_REPLY_QUEUE list of the authreq. Table 48 describes the Fast Re-Authentication
Database Update AATV attributes.

Table 48 Vendor-Specific Attributes for Fast Re-Authentication Database Update AATV

Attribute
    Description

Real-Username
    A string attribute that contains the user's real identity. This identity contains
    neither a prefix nor a realm. The identity can be an International Mobile
    Subscriber Identity (IMSI) constituting up to 15 decimal digits. If the realm is
    configured to support non-IMSI real identities, the identity can be a non-IMSI
    real username constituting up to 253 characters.

Real-Realm
    A string attribute that contains the user's real realm, which is the value of the
    AT_IDENTITY attribute, of the last full re-authentication. This realm can differ
    from the realm portion of the User-Name attribute value. If the
    AT_IDENTITY attribute of the last full re-authentication does not specify a
    realm, the Real-Realm attribute contains an empty string value.

Fast-Reauth-Username
    A string attribute that contains the value sent by the HP-UX AAA Server during
    the authentication. This value is the user's next Fast-Reauth-Username.
    This identity is prefixed with the Fast Reauth ID, 3. However, no realm
    is associated with it. The length of the identity, including the prefix, is 10
    characters. If the attribute contains no value, it implies that the database's
    existing Fast-Reauth-Username and the associated full authentication
    details must be made invalid.

FullAuth-Master-Key
    A fixed length binary string (octets) attribute that contains the Master Key
    (MK) value of the last full authentication. The value consists of a 160-bit
    binary string (20 bytes), in the network byte order. If the
    Fast-Reauth-Username is an empty string, this attribute is not present.

Fast-Reauth-Counter
    An attribute that contains the updated value of the fast re-authentication
    counter. During an update following a full authentication, this value is zero.
    Otherwise, the value is the number of fast re-authentications performed after
    the last full authentication. If the Fast-Reauth-Username
    value is an empty string, this attribute is not present.

Fast-Reauth-Expiration-Time
    A Unix epoch date attribute that contains the UTC time at which this fast
    re-authentication information expires. If the fast re-authentication information
    in the database is made invalid instead of being updated, this attribute has
    no significance. If the Fast-Reauth-Username is an empty string, this
    attribute is not present.
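
The following is an added example, not code from the HP-UX AAA Server or this guide: a consistency check an Update AATV could run on the Table 48 attributes before touching the database, so that a short Master Key or a contradictory attribute set is never stored. The struct fr_update, the function fr_check and the treatment of '@' as the realm separator are hypothetical; the example also assumes Real-Username and Real-Realm are always supplied.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>
#define MK_LEN      20   /* FullAuth-Master-Key: 160 bits (Table 48) */
#define FR_NAME_LEN 10   /* Fast-Reauth-Username length, prefix included */
#define FR_PREFIX   '3'  /* Fast Reauth ID prefix */

/* Hypothetical holder for values already copied out of the reply-queue VSAs;
 * a NULL pointer or a zero has_* flag means the attribute is absent. */
struct fr_update {
    const char *real_username, *real_realm, *fr_username;
    const unsigned char *mk;
    size_t mk_len;
    int has_counter, has_expiry;
    unsigned long counter;
    time_t expiry;
};
enum fr_action { FR_REJECT, FR_INVALIDATE, FR_STORE };

/* Decide what the database write should be, or refuse an inconsistent set. */
enum fr_action fr_check(const struct fr_update *u, int allow_non_imsi, int after_full_auth)
{
    size_t n;
    if (!u->real_username || !u->real_realm)
        return FR_REJECT;                       /* assumption: both required */
    n = strlen(u->real_username);
    if (n == 0 || strchr(u->real_username, '@'))
        return FR_REJECT;                       /* assumption: '@' marks a realm */
    if (!(n <= 15 && strspn(u->real_username, "0123456789") == n) &&
        !(allow_non_imsi && n <= 253))
        return FR_REJECT;                       /* neither IMSI nor allowed non-IMSI */
    if (!u->fr_username || u->fr_username[0] == '\0')   /* no value: invalidate */
        return (u->mk || u->has_counter || u->has_expiry) ? FR_REJECT : FR_INVALIDATE;
    if (strlen(u->fr_username) != FR_NAME_LEN || u->fr_username[0] != FR_PREFIX ||
        strchr(u->fr_username, '@'))
        return FR_REJECT;
    if (!u->mk || u->mk_len != MK_LEN)
        return FR_REJECT;                       /* never store a short or long MK */
    if (!u->has_counter || (after_full_auth && u->counter != 0))
        return FR_REJECT;                       /* counter is zero after full auth */
    return u->has_expiry ? FR_STORE : FR_REJECT;
}

int main(void)
{
    static const unsigned char mk[MK_LEN] = {0};            /* constructed sample */
    struct fr_update u = { "001010123456789", "", "3k9Qz71xPd", mk, MK_LEN, 1, 1, 0, 2000000000 };
    printf("action=%d\n", fr_check(&u, 0, 1));
    return 0;
}
```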

Update AATV Outputs

No attributes must be returned by the Update AATV.

AATV Functionality and Return Events

The fast re-authentication update AATV updates its database with the fast re-authentication
information available in the AUTHREQ_REPLY_QUEUE list of the authreq. The Update AATV
must not modify the AUTHREQ_REPLY_QUEUE list of the authreq. The result of the update can
182 Configuring EAP-SIM and EAP-AKA Authentication Methods