HP-UX AAA Server A.08.02 Administrator's Guide

The AATV returns ACK if the database is updated successfully. If the result of the update is NAK,
the update has failed. However, it does not affect the outcome of the current authentication.
NOTE: If the Pseudonym-Expiration-Time is not present as a result of the Lookup AATV
handling the expiration check, the Last-Used-Pseudonym-Expiration-Time of the database
may need to be updated with the Last-Assigned-Pseudonym-Expiration-Time value by
the Lookup AATV. For more information on Pseudonym-Expiration-Time, see Table 55
(page 191).
Pseudonym Database Lookup AATV
The Pseudonym Database Lookup AATV retrieves the information associated with the
Pseudonym-Username attribute from the database.
Lookup AATV Inputs
The input to the Lookup AATV is a set of Vendor-Specific Attributes (VSA) in the
AUTHREQ_REPLY_QUEUE list of the authreq. Table 54 describes the attributes.
Table 54 Vendor-Specific Attributes for Pseudonym Database Lookup AATV

Attribute: Pseudonym-Username
Description: A string attribute that contains the pseudonym value to be found in the database. The identity contains a pseudonym prefix, 2. However, no realm is associated with it. The length of the identity can be up to 253 characters.

Attribute: Real-Realm
Description: A string attribute that contains the user's real realm. This realm can differ from the realm portion of the User-Name attribute value. If the AT_IDENTITY attribute contains only a username, but no realm, the Real-Realm attribute contains an empty string value.

Attribute: Number-of-Triplets-Requested
Description: An integer attribute that contains the number of requested triplets, such as RAND, Kc, and SRES. In accordance with RFC 4186, the number of triplets required for authentication is two or three. The number of triplets required for authentication is present to enable the lookup AATV to generate GSM Triplets, if required.

Attribute: A3-Algorithm
Description: A string attribute that contains the name of the A3 algorithm to be used in the GSM Triplet generation. The value is case-sensitive. This attribute is present only if the realm is configured with a default A3 algorithm. The attribute is present to enable the lookup AATV to generate GSM Triplets, if required.

Attribute: A8-Algorithm
Description: A string attribute that contains the name of the A8 algorithm to be used in the GSM Triplet generation. The value is case-sensitive. This attribute is present only if the realm is configured with a default A8 algorithm. The attribute is present to enable the lookup AATV to generate GSM Triplets, if required.
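The following added example, which is not code from the HP-UX AAA Server or its SDK, shows how a custom lookup routine could check the Table 54 inputs before using Pseudonym-Username as a database key. The struct, enum, and function names are hypothetical, and the rules marked as assumptions in the comments are interpretations, not statements from this guide.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical holder for the Table 54 inputs; not an HP-UX AAA SDK type. */
struct lookup_inputs {
    const char *pseudonym_username; /* Pseudonym-Username */
    const char *real_realm;         /* Real-Realm; "" when no realm was sent */
    int triplets_requested;         /* Number-of-Triplets-Requested */
    const char *a3_algorithm;       /* A3-Algorithm; NULL when absent */
    const char *a8_algorithm;       /* A8-Algorithm; NULL when absent */
};

enum lookup_check { LOOKUP_OK, BAD_PSEUDONYM, BAD_REALM, BAD_TRIPLET_COUNT, BAD_ALGORITHM };

#define PSEUDONYM_PREFIX '2'  /* prefix stated in Table 54 */
#define MAX_IDENTITY_LEN 253  /* length limit stated in Table 54 */

/* Optional attribute: absent (NULL) is fine; present but empty is rejected (assumption). */
static int algorithm_ok(const char *name) { return name == NULL || name[0] != '\0'; }

enum lookup_check validate_lookup_inputs(const struct lookup_inputs *in)
{
    if (in == NULL || in->pseudonym_username == NULL)
        return BAD_PSEUDONYM;
    size_t len = strlen(in->pseudonym_username);
    /* Assumption: a usable pseudonym has the prefix plus at least one character. */
    if (len < 2 || len > MAX_IDENTITY_LEN || in->pseudonym_username[0] != PSEUDONYM_PREFIX)
        return BAD_PSEUDONYM;
    /* "No realm is associated with it": read here as no '@' in the value (assumption). */
    if (strchr(in->pseudonym_username, '@') != NULL)
        return BAD_PSEUDONYM;
    /* Real-Realm carries an empty string, not nothing, when no realm was supplied. */
    if (in->real_realm == NULL)
        return BAD_REALM;
    if (in->triplets_requested != 2 && in->triplets_requested != 3)
        return BAD_TRIPLET_COUNT;
    if (!algorithm_ok(in->a3_algorithm) || !algorithm_ok(in->a8_algorithm))
        return BAD_ALGORITHM;
    return LOOKUP_OK;
}

int main(void)
{
    /* Constructed sample values, not taken from a real deployment. */
    struct lookup_inputs sample = { "2f9c81d0aa37", "", 3, NULL, NULL };
    printf("check result: %d\n", validate_lookup_inputs(&sample));
    return 0;
}
```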
Lookup AATV Outputs
The AUTHREQ_REPLY_QUEUE list of the authreq is updated to additionally contain the following
attributes, as described in Table 55.
Table 55 Lookup AATV Output Attributes

Attribute: Real-Username
Description: A string attribute that contains the user's real identity. The identity contains neither a prefix nor a realm. The identity can be an IMSI constituting up to 15 decimal digits. If the realm is configured to support non-IMSI real identities, the identity can be a non-IMSI real username constituting up to 253 characters.

Attribute: Pseudonym-Expiration-Time
Description: A Unix epoch date attribute that contains the UTC time at which the looked up pseudonym expires. This attribute is optional if the lookup AATV has already checked for an expired Pseudonym-Username. If it is returned, the HP-UX AAA Server checks whether the Pseudonym-Username has expired. The lookup AATV may return this attribute even if the expiration check is performed. If this attribute is