HP-UX AAA Server A.08.02 Administrator's Guide

be either ACK or NAK. If the result of the update is NAK, the update has failed, which may affect
a subsequent fast re-authentication. However, it does not affect the success or failure of the current
authentication.
Fast Re-Authentication Database Lookup AATV
The fast re-authentication lookup AATV retrieves the information associated with the
Fast-Reauth-Username attribute in the database. This AATV is invoked during a fast
re-authentication only.
Lookup AATV Inputs
The input to the lookup AATV is a set of vendor-specific attributes (VSAs) in the AUTHREQ_REPLY_QUEUE list of the authreq.
Table 49 describes the Fast Re-Authentication Database Lookup AATV attributes.
Table 49 Vendor-Specific Attributes for Fast Re-Authentication Database Lookup AATV
Attribute                    Description
Fast-Reauth-Username         A string attribute that contains the value of the user's Fast Reauth
                             identity. This identity contains a Fast Reauth ID prefix, 3. However,
                             no realm is associated with it. The length of the identity, including
                             the prefix, is 10 characters.
Fast-Reauth-Realm            A string attribute that contains the realm portion of the received
                             Fast Reauth identity. This realm can be the Real-Realm or the
                             configured Fast-Reauth-Realm. The realm can also be a realm that the
                             NAS created to facilitate routing of the Fast Reauth Request to the
                             HP-UX AAA Server, which performed the last full authentication. The
                             realm is used for the database lookup, and is used by the HP-UX AAA
                             Server to invoke EAP-SIM or EAP-AKA only.
Lookup AATV Outputs
The AUTHREQ_REPLY_QUEUE list of the authreq is updated to additionally contain the full
authentication details. Table 50 describes the Lookup AATV attributes.
Table 50 Lookup AATV Output Attributes
Attribute                    Description
Real-Username                A string attribute that contains the user's real identity. This
                             identity contains no prefix or realm. The IMSI can be up to 15 decimal
                             digits. If the HP-UX AAA Server is configured to support non-IMSI real
                             identities, the identity can be a non-IMSI real username, which is up
                             to 253 characters.
Real-Realm                   A string attribute that contains the user's real realm. This realm can
                             differ from the realm portion of the User-Name attribute value. If the
                             AT_IDENTITY attribute of the user's last full authentication specifies
                             only a username with no realm, the Real-Realm attribute contains an
                             empty string value.
FullAuth-Master-Key          A fixed-length binary string (octets) attribute that contains the
                             value of the Master Key (MK) from the last full authentication. The
                             value is a 160-bit binary string (20 bytes), in the network byte order.
Fast-Reauth-Counter          An integer attribute that contains the value of the last fast
                             re-authentication counter. The value is the number of fast
                             re-authentications performed after the last full authentication.
Fast-Reauth-Expiration-Time  A Unix epoch date attribute that contains the UTC time at which this
                             fast re-authentication information expires. If the lookup AATV has
                             already checked for an expired Fast-Reauth-Username, the attribute is
                             not returned. If the attribute is returned, the HP-UX AAA Server
                             checks whether the Fast-Reauth-Username has expired.
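The constraints stated in Tables 49 and 50 can be checked before a looked-up record is trusted for fast re-authentication. The following Python is an added example, not HP-UX AAA Server code; the dict representation of the attributes, the function name validate_lookup, the allow_non_imsi flag and the sample values are assumptions made for illustration.

```python
import re
import time

MK_LEN = 20                # FullAuth-Master-Key: 160 bits (20 bytes)
FAST_REAUTH_PREFIX = "3"   # Fast Reauth ID prefix given in Table 49
FAST_REAUTH_ID_LEN = 10    # identity length, including the prefix
MAX_NON_IMSI_LEN = 253     # limit for a non-IMSI real username

# Constructed sample values (not taken from any real deployment).
SAMPLE_IN = {"Fast-Reauth-Username": "3abcdefghi", "Fast-Reauth-Realm": "example.org"}
SAMPLE_OUT = {"Real-Username": "001010123456789", "Real-Realm": "",
              "FullAuth-Master-Key": bytes(range(20)), "Fast-Reauth-Counter": 2,
              "Fast-Reauth-Expiration-Time": 2000}

def validate_lookup(inputs, outputs, allow_non_imsi=False, now=None):
    """Return a list of problems; an empty list means the record passed.
    inputs/outputs are dicts keyed by attribute name (assumed representation)."""
    now = time.time() if now is None else now
    problems = []

    ident = inputs.get("Fast-Reauth-Username", "")
    if len(ident) != FAST_REAUTH_ID_LEN or not ident.startswith(FAST_REAUTH_PREFIX):
        problems.append("Fast-Reauth-Username: wrong prefix or length")
    if "@" in ident:
        problems.append("Fast-Reauth-Username: must not carry a realm")

    real = outputs.get("Real-Username", "")
    if not re.fullmatch(r"[0-9]{1,15}", real):          # not an IMSI
        if not (allow_non_imsi and 0 < len(real) <= MAX_NON_IMSI_LEN and "@" not in real):
            problems.append("Real-Username: not an IMSI or permitted non-IMSI name")

    mk = outputs.get("FullAuth-Master-Key", b"")
    if not isinstance(mk, (bytes, bytearray)) or len(mk) != MK_LEN:
        problems.append("FullAuth-Master-Key: must be exactly 20 octets")

    counter = outputs.get("Fast-Reauth-Counter")
    if not isinstance(counter, int) or counter < 0:
        problems.append("Fast-Reauth-Counter: must be a non-negative integer")

    # The attribute is absent when the lookup AATV already did the expiry check.
    expires = outputs.get("Fast-Reauth-Expiration-Time")
    if expires is not None and expires <= now:
        problems.append("Fast-Reauth-Username: expired")

    return problems
```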