HP-UX AAA Server A.08.02 Administrator's Guide
There are two AATVs involved in pseudonym handling. One AATV performs the lookup and the
other performs the update. This section describes the following AATVs:
• “Pseudonym Database Update AATV” (page 190)
• “Pseudonym Database Lookup AATV” (page 191)
Pseudonym Database Update AATV
As a result of a full authentication, the database may require a new record for the pseudonym
information. If the database includes an existing set of pseudonym information, the information
needs to be updated or made invalid each time the HP-UX AAA Server assigns a new pseudonym.
Update AATV Inputs
The input to the Update AATV is the set of VSAs on the AUTHREQ_REPLY_QUEUE list of the authreq.
Table 53 describes the Pseudonym Database Update AATV attributes.
Table 53 Vendor-Specific Attributes for Pseudonym Database Update AATV
Attribute: Real-Username
Description: A string attribute that contains the user's real identity. This identity contains neither a prefix nor a realm. The identity can be an IMSI constituting up to 15 decimal digits. If the HP-UX AAA Server is configured to support non-IMSI real identities, the identity can be a non-IMSI real username constituting up to 253 characters.

Attribute: Real-Realm
Description: A string attribute that contains the user's real realm. This realm can differ from the realm portion of the User-Name attribute value. If the AT_IDENTITY attribute contains only a username, but no realm, the Real-Realm attribute contains an empty string value.

Attribute: Last-Assigned-Pseudonym-Username
Description: A string attribute that contains the value sent by the HP-UX AAA Server during the current authentication. This value is also the value of the next pseudonym. This username contains a pseudonym prefix, 2. However, no realm is associated with it. The length of the identity, including the prefix, can be up to 253 characters. If no new pseudonym is assigned, the update AATV is not called.

Attribute: Last-Assigned-Pseudonym-Expiration-Time
Description: A Unix epoch date attribute that contains the UTC time at which Last-Assigned-Pseudonym-Username expires. This attribute is present only if the value of the Last-Assigned-Pseudonym-Username attribute is present.

Attribute: Last-Used-Pseudonym-Username
Description: If the peer authenticated using a pseudonym, the Last-Used-Pseudonym-Username attribute contains the pseudonym value of the current authentication. This identity contains a pseudonym prefix, 2. However, no realm is associated with it. The length of the identity can be up to 253 characters. Otherwise, this attribute is not present.

Attribute: Last-Used-Pseudonym-Expiration-Time
Description: A Unix epoch date attribute that contains the UTC time at which Last-Used-Pseudonym-Username expires. This attribute is present only if the Last-Used-Pseudonym-Username attribute is present and the database which maps the pseudonym to the Real-Username attribute returns a Pseudonym-Expiration-Time VSA.
Update AATV Outputs
The Update AATV returns no attributes.
AATV Functionality and Return Events
The pseudonym update AATV updates its database with the pseudonym information available in
the AUTHREQ_REPLY_QUEUE list of the authreq. The Update AATV must not modify the
AUTHREQ_REPLY_QUEUE list of the authreq. The result of the update can be either ACK or NAK.
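The update behaviour described above, modeled in Python as an added example (not HP's code and not the server's AATV API): it checks the Table 53 constraints, works on a read-only view of the reply attributes, and returns ACK or NAK. The dictionary database, the "@" realm delimiter, the collision check, and the policy of keeping the last-used pseudonym while invalidating older ones are assumptions.

```python
import re
from types import MappingProxyType

ACK, NAK = "ACK", "NAK"
MAX_LEN = 253                      # longest identity Table 53 allows
IMSI_RE = re.compile(r"\d{1,15}")  # IMSI: up to 15 decimal digits
PREFIX = "2"                       # pseudonym prefix given in Table 53

def _pseudonym_ok(vsas, stem):
    """Validate <stem>-Username and its optional <stem>-Expiration-Time."""
    user = vsas.get(stem + "-Username")
    exp = vsas.get(stem + "-Expiration-Time")
    if user is None:
        return exp is None  # an expiration never appears without its username
    if not user.startswith(PREFIX) or "@" in user or len(user) > MAX_LEN:
        return False        # assumption: "@" is the realm delimiter
    return exp is None or (isinstance(exp, int) and exp >= 0)

def update_pseudonym_db(db, reply_vsas, allow_non_imsi=False):
    """Apply one update to db (pseudonym -> record); return ACK or NAK."""
    vsas = MappingProxyType(reply_vsas)  # read-only view of the reply list
    real, realm = vsas.get("Real-Username"), vsas.get("Real-Realm", "")
    new, used = (vsas.get(f"Last-{k}-Pseudonym-Username") for k in ("Assigned", "Used"))
    if not real or new is None:
        return NAK  # the update runs only when a new pseudonym was assigned
    non_imsi = allow_non_imsi and len(real) <= MAX_LEN and "@" not in real
    if not (IMSI_RE.fullmatch(real) or non_imsi):
        return NAK
    if not all(_pseudonym_ok(vsas, s) for s in
               ("Last-Assigned-Pseudonym", "Last-Used-Pseudonym")):
        return NAK
    owner = lambda p: (db[p]["real"], db[p]["realm"])
    if new in db and owner(new) != (real, realm):
        return NAK  # never remap a pseudonym that belongs to another identity
    # Assumed policy: keep the pseudonym just used (the peer may not have
    # stored the new one yet) and invalidate every older one for this identity.
    for p in [p for p in db if owner(p) == (real, realm) and p not in (used, new)]:
        del db[p]
    if used in db and owner(used) == (real, realm):
        db[used]["expires"] = vsas.get(
            "Last-Used-Pseudonym-Expiration-Time", db[used]["expires"])
    db[new] = {"real": real, "realm": realm,
               "expires": vsas.get("Last-Assigned-Pseudonym-Expiration-Time")}
    return ACK

# Constructed sample input (made-up IMSI and pseudonyms).
SAMPLE = {"Real-Username": "001010123456789", "Real-Realm": "",
          "Last-Assigned-Pseudonym-Username": "2newpseudo",
          "Last-Assigned-Pseudonym-Expiration-Time": 1893456000}
```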
190 Configuring EAP-SIM and EAP-AKA Authentication Methods