HP-UX AAA Server A.08.02 Administrator's Guide

Sample aaa.config Configuration for Algorithm-based Pseudonym Identity Support
#################################################################
### Add the following in /etc/opt/aaa/aaa.config
#################################################################
aatv.SIMAKA
{
#Configure other global parameters, if required
.
.
#At least one Pseudonym-Algorithm-Key is mandatory
Pseudonym-Algorithm-Key-1 0x00010203.04050607.08090a0b.0c0d0e0f
Pseudonym-Algorithm-Key-11 0xa0a1a2a3.a4a5a6a7.a8a9aaab.acadaeaf
Pseudonym-Algorithm-Key-16 0xf0f1f2f3.f4f5f6f7.f8f9fafb.fcfdfeff
Pseudonym-Algorithm-Current-Key 11
}
Guidelines to Write EAP-SIM and EAP-AKA Pseudonym Database AATVs
This section describes the EAP-SIM and EAP-AKA requirements that the Pseudonym Database AATVs
must meet in addition to the basic AATV requirements. For information on AATV writing, compiling,
installing, and debugging, see Chapter 28 (page 328).
You can configure EAP-SIM and EAP-AKA to support pseudonyms. To perform a full authentication
using a pseudonym, you must map the assigned pseudonym to the real identity. EAP-SIM and EAP-AKA
can manage the pseudonym mapping internally. Alternatively, using customer-supplied plug-ins,
they can store the mapping in an external database using SQL Access and retrieve it when
required. In accordance with the RFCs, the HP-UX AAA Server must save at least two pseudonyms:
the last one used by the peer and the last one assigned by the HP-UX AAA Server. If you save the
attributes in an external database, the database record must include the following attributes:
Real-Username
Real-Realm
Last-Used-Pseudonym-Username
Last-Used-Pseudonym-Expiration-Time
Last-Assigned-Pseudonym-Username
Last-Assigned-Pseudonym-Expiration-Time
These attributes are described as follows:
The database can also include the authentication information and the reply items. The AATV
that retrieves the mapping information must look for a match on either the
Last-Used-Pseudonym-Username attribute or the Last-Assigned-Pseudonym-Username
attribute.
The AATV that retrieves the mapping information can check whether the matching field has
expired. If the mapping retrieval AATV checks for expiration, the corresponding expiration time
attribute need not be placed on the AUTHREQ_REPLY_QUEUE list of the authreq. If the mapping
retrieval AATV is not configured to check for expiration, the expiration time attributes must be
placed in the authreq, so that the EAP-SIM or EAP-AKA AATV that handles the result of the
lookup can check for expiration.
If you write your own AATVs, which is necessary when an external database is employed, the
AATVs can use a set of input attributes in the AUTHREQ_REPLY_QUEUE list of the authreq. The
AATVs can also use a set of returned attributes that the lookup AATV adds to the
AUTHREQ_REPLY_QUEUE list of the authreq to interface with the HP-UX AAA Server.
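The lookup behaviour described above, modelled as an added example that is not HP-UX AAA Server code and does not use the AATV API: an SQL-backed mapping record carrying the six required attributes, a match on either the last-used or the last-assigned pseudonym, and the two expiration modes (the lookup checks expiry itself, or passes the expiration time along for the EAP-SIM/EAP-AKA AATV to check). The table schema, column names and sample values are constructed assumptions.

```python
import sqlite3

def open_db():
    """Create the mapping table (schema is an assumption; the guide only
    lists the attributes each record must carry)."""
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE pseudonym_map (
        real_username TEXT NOT NULL, real_realm TEXT NOT NULL,
        last_used_pseudonym TEXT, last_used_expiry INTEGER,
        last_assigned_pseudonym TEXT, last_assigned_expiry INTEGER)""")
    return db

def store_mapping(db, real_user, realm, used, used_exp, assigned, assigned_exp):
    """Save both pseudonyms the RFCs require: last used and last assigned."""
    db.execute("INSERT INTO pseudonym_map VALUES (?, ?, ?, ?, ?, ?)",
               (real_user, realm, used, used_exp, assigned, assigned_exp))

def lookup(db, pseudonym, now, check_expiry=True):
    """Return the attributes the lookup AATV would add to the authreq's
    AUTHREQ_REPLY_QUEUE list, or None when no usable mapping exists.
    A match on either the last-used or the last-assigned pseudonym counts."""
    row = db.execute(
        """SELECT real_username, real_realm, last_used_pseudonym, last_used_expiry,
                  last_assigned_pseudonym, last_assigned_expiry
           FROM pseudonym_map
           WHERE last_used_pseudonym = ? OR last_assigned_pseudonym = ?""",
        (pseudonym, pseudonym)).fetchone()
    if row is None:
        return None
    real_user, realm, used, used_exp, assigned, assigned_exp = row
    # Take the expiration time of the field that actually matched.
    if pseudonym == used:
        exp_attr, expiry = "Last-Used-Pseudonym-Expiration-Time", used_exp
    else:
        exp_attr, expiry = "Last-Assigned-Pseudonym-Expiration-Time", assigned_exp
    reply = {"Real-Username": real_user, "Real-Realm": realm}
    if check_expiry:
        # This AATV checks expiry itself, so the expiration attribute is not
        # needed in the authreq. Rejecting an expired mapping is this
        # example's choice; the guide does not prescribe the outcome.
        return None if expiry <= now else reply
    # Not checking here: pass the expiration time along so the EAP-SIM or
    # EAP-AKA AATV that handles the lookup result can check it.
    reply[exp_attr] = expiry
    return reply
```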
Pseudonym Identities 189