HP-UX AAA Server A.08.02 Administrator's Guide
Lookup AATV Functionality and Return Events
The fast re-authentication lookup AATV attempts to retrieve from its database the full
authentication details associated with the Fast-Reauth-Username attribute.
• If the information is available, the lookup AATV updates the AUTHREQ_REPLY_QUEUE list of
the authreq with the specified output, and a RETRIEVE_SUCCESS message is returned.
• If the information is not available, a RETRIEVE_ERROR message is returned.
• The lookup AATV can check if the fast re-authentication information has expired based on the
Fast-Reauth-Expiration-Time value. If the fast re-authentication information has expired,
a RETRIEVE_ERROR message is returned, and the cur_request list of the authreq is not
updated. If the AATV does not check for an expired entry, the
Fast-Reauth-Expiration-Time value is returned. Subsequently, the HP-UX AAA Server
checks for the expiration.
Pseudonym Identities
Pseudonym Identity support is an optional EAP-SIM and EAP-AKA feature, which provides identity
protection by hiding the permanent identity on the second and all future authentications.
The HP-UX AAA Server can generate pseudonyms as an encrypted form of the permanent identity,
which can be subsequently decrypted to reproduce the permanent identity. Alternatively, the server
can generate pseudonyms as a string of random characters, similar to the fast re-authentication
identity. In the latter case, an external database is required to store the pseudonym to permanent
identity mappings. For many users, the algorithm-based pseudonyms are the easiest and most
efficient option. Random pseudonyms are required if the algorithm does not provide adequate
security to the permanent identity.
Random Pseudonyms
When operating in an environment where a central database stores the pseudonym to permanent
identity mappings, the server can be configured to generate a pseudonym as a string of random
characters. The server can also store the last used and last assigned pseudonyms in this central
database; EAP-SIM RFC 4186 recommends saving at least these two pseudonyms. For random
pseudonyms to work, the realm configuration in the EAP-Type SIM{} block of the EAP.authfile
file must specify the Pseudonym-Lookup and Pseudonym-Update parameters with an AATV that
maps the pseudonym to the permanent identity and stores the random pseudonym in the database.
In this case, the random pseudonym algorithm is used, and the pseudonym resembles a fast
re-authentication identity with a different prefix. The random pseudonym identity is 10 characters
long, consisting of the pseudonym prefix 2 followed by nine random characters from the character
set {BCDFGHJKLMNPQRSTVWXYZ0123456789}. The random pseudonym is advantageous because
the permanent identity cannot be reverse engineered from it. However, a database to store and
retrieve the pseudonym to permanent identity mapping is required.
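The random pseudonym format and the mapping database described above, as an added example that is not HP-UX AAA Server code: the generator uses the page's prefix, length and character set, and the `PseudonymStore` class plays the role of the external database behind the Pseudonym-Update (assign) and Pseudonym-Lookup (resolve) parameters, keeping the last used and last assigned pseudonyms per permanent identity as RFC 4186 recommends. The class, its method names and the eviction rule are this example's own assumptions; the entropy figure is plain arithmetic on the page's character set:

```python
"""Random pseudonym generation and mapping store (added illustration,
not HP-UX AAA Server code)."""
import math
import re
import secrets

PSEUDONYM_PREFIX = "2"                              # prefix stated on the page
PSEUDONYM_CHARSET = "BCDFGHJKLMNPQRSTVWXYZ0123456789"  # page's 31-symbol set
PSEUDONYM_RANDOM_LEN = 9                            # nine random characters
PSEUDONYM_RE = re.compile(
    "^" + re.escape(PSEUDONYM_PREFIX)
    + "[" + PSEUDONYM_CHARSET + "]{" + str(PSEUDONYM_RANDOM_LEN) + "}$")


def generate_pseudonym():
    """Prefix plus nine characters drawn with a CSPRNG from the page's set."""
    body = "".join(secrets.choice(PSEUDONYM_CHARSET)
                   for _ in range(PSEUDONYM_RANDOM_LEN))
    return PSEUDONYM_PREFIX + body


def is_pseudonym(identity):
    """Format check before hitting the database: 10 chars, prefix, charset."""
    return PSEUDONYM_RE.match(identity) is not None


def pseudonym_entropy_bits():
    """Bits of randomness in one pseudonym: 9 * log2(31), about 44.6."""
    return PSEUDONYM_RANDOM_LEN * math.log2(len(PSEUDONYM_CHARSET))


class PseudonymStore:
    """Model of the external database. Per permanent identity it keeps
    the last used and the last assigned pseudonym; anything older stops
    resolving (eviction rule is this model's assumption)."""

    def __init__(self):
        self._by_pseudonym = {}   # pseudonym -> permanent identity
        self._by_identity = {}    # permanent identity -> {last_used, last_assigned}

    def assign(self, permanent):
        """Pseudonym-Update role: mint a fresh pseudonym for this identity."""
        pseudonym = generate_pseudonym()
        while pseudonym in self._by_pseudonym:      # collision guard
            pseudonym = generate_pseudonym()
        state = self._by_identity.setdefault(
            permanent, {"last_used": None, "last_assigned": None})
        previous = state["last_assigned"]
        state["last_assigned"] = pseudonym
        self._by_pseudonym[pseudonym] = permanent
        # A previously assigned pseudonym the peer never used is dropped.
        if previous is not None and previous != state["last_used"]:
            self._by_pseudonym.pop(previous, None)
        return pseudonym

    def resolve(self, pseudonym):
        """Pseudonym-Lookup role: map a presented pseudonym back to the
        permanent identity, or None if unknown; marks it as last used."""
        if not is_pseudonym(pseudonym):
            return None
        permanent = self._by_pseudonym.get(pseudonym)
        if permanent is None:
            return None
        state = self._by_identity[permanent]
        previously_used = state["last_used"]
        state["last_used"] = pseudonym
        if (previously_used is not None
                and previously_used not in (pseudonym, state["last_assigned"])):
            self._by_pseudonym.pop(previously_used, None)
        return permanent


if __name__ == "__main__":
    store = PseudonymStore()
    p = store.assign("1234567890123456@example.net")   # constructed identity
    print(p, store.resolve(p), round(pseudonym_entropy_bits(), 1))
```

Two points worth checking in a real deployment: the format check runs before the database query, so malformed identities never cause a lookup, and the 44.6 bits of randomness make accidental collisions across a subscriber base negligible, but the store still guards against them because the pseudonym is the only key in the mapping table.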
Algorithm-Based Pseudonyms
The HP-UX AAA Server generates a pseudonym by encrypting the real user name with an algorithm,
and the SIMAKA-PseudonymDecrypt AATV decrypts a pseudonym to reproduce the real user name.
Following are the features and benefits of the algorithmic approach as specified by Ericsson¹
and submitted to the 3GPP TSG SA WG3 working group:
• No external database is required to store all the assigned pseudonyms.
• A pseudonym generated on one RADIUS server can be processed by a second RADIUS server.
• No user state is kept in the RADIUS server between WLAN sessions.
• Pseudonyms are not stored in the Home Subscriber Server (HSS) or Home Location Register
(HLR).
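The stateless property in the list above (any server holding the key can decrypt a pseudonym another server produced, with nothing stored in between) can be shown with a small model. This is an added example, not HP-UX AAA Server code and not the Ericsson/3GPP algorithm, which the page does not spell out: in its place it uses an encrypt-then-MAC construction built from HMAC-SHA256 in the Python standard library, a fresh random nonce per pseudonym, base32 text, and the page's pseudonym prefix 2. The function names, key handling, nonce and tag lengths are all this example's assumptions:

```python
"""Stateless, decryptable pseudonym model for the algorithm-based approach.

Added illustration; not HP-UX AAA Server code and not the Ericsson/3GPP
algorithm. Stand-in: HMAC-SHA256 keystream (CTR style) plus an HMAC tag,
random nonce per pseudonym, base32 text with the page's prefix '2'.
"""
import base64
import binascii
import hashlib
import hmac
import os

PSEUDONYM_PREFIX = "2"
NONCE_LEN = 8      # bytes of fresh randomness per pseudonym (assumption)
TAG_LEN = 8        # truncated HMAC tag length in bytes (assumption)


def _subkeys(key):
    """Derive separate encryption and MAC keys from the shared server key."""
    enc = hmac.new(key, b"pseudonym-enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"pseudonym-mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key, nonce, length):
    """CTR-style keystream: concatenated HMAC(enc_key, nonce || counter)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"),
                        hashlib.sha256).digest()
        counter += 1
    return out[:length]


def make_pseudonym(key, permanent_identity):
    """Encrypt the permanent identity under the key shared by all servers."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)   # fresh each time: pseudonyms stay unlinkable
    plaintext = permanent_identity.encode()
    stream = _keystream(enc_key, nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    body = base64.b32encode(nonce + ct + tag).decode().rstrip("=").lower()
    return PSEUDONYM_PREFIX + body


def decrypt_pseudonym(key, pseudonym):
    """Recover the permanent identity, or None if the pseudonym is
    malformed, forged, or was made under a different key."""
    if not pseudonym.startswith(PSEUDONYM_PREFIX):
        return None
    body = pseudonym[len(PSEUDONYM_PREFIX):]
    body += "=" * (-len(body) % 8)            # restore base32 padding
    try:
        raw = base64.b32decode(body, casefold=True)
    except (binascii.Error, ValueError):
        return None
    if len(raw) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = raw[:NONCE_LEN], raw[NONCE_LEN:-TAG_LEN], raw[-TAG_LEN:]
    enc_key, mac_key = _subkeys(key)
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None                           # verify before decrypting
    stream = _keystream(enc_key, nonce, len(ct))
    plaintext = bytes(c ^ k for c, k in zip(ct, stream))
    try:
        return plaintext.decode()
    except UnicodeDecodeError:
        return None


if __name__ == "__main__":
    shared_key = b"\x01" * 32                 # constructed; provision securely
    p = make_pseudonym(shared_key, "1234567890123456@example.net")
    print(p, "->", decrypt_pseudonym(shared_key, p))
```

The design follows from the bullet list: no database because everything needed sits inside the pseudonym, cross-server processing because the key rather than state is shared, and the MAC so that a pseudonym nobody issued decrypts to nothing rather than to an attacker-chosen identity. The trade-off is that the shared key becomes the single secret protecting every permanent identity, so its generation, distribution and rotation deserve the scrutiny a database would otherwise get.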
184 Configuring EAP-SIM and EAP-AKA Authentication Methods