HP-UX AAA Server A.08.02 Administrator's Guide

Table 57 Lookup AATV Attributes for EAP-AKA (continued)

Attribute
    Description

AKA-Algorithm
    An optional string attribute that contains the name of the AKA algorithm used to
    authenticate the user. This attribute is optional if a default value is configured for the
    realm. The value is case-sensitive.

AKA-Sequence-Number
    A fixed-length binary string (octets) attribute that contains the 48-bit sequence number,
    which is used to authenticate the user.

AKA-Mode
    An optional fixed-length binary string (octets) attribute that contains a 16-bit value. The
    value indicates whether the AKA-Sequence-Number is used for a Circuit Switched
    or Packet Switched authentication. This attribute is optional if a default value is configured
    for the realm.

AND

Other reply attributes
    Optional Reply item, such as Session-Timeout and Idle-Timeout.

Lookup AATV Functionality and Return Events

The Pseudonym Lookup AATV attempts to retrieve the Real-Username from its database.

If the information is found, the Lookup AATV updates the cur_request list of the authreq
with the specified output, and a RETRIEVE_SUCCESS message is returned.

If the information is not available, a RETRIEVE_ERROR message is returned.

The Lookup AATV can check if the Pseudonym-Username has expired based on the
Pseudonym-Expiration-Time. If the Pseudonym-Username has expired, a
RETRIEVE_ERROR message is returned, and the cur_request list of the authreq is not
updated. If the AATV does not check for an expired entry, the
Pseudonym-Expiration-Time is returned. Subsequently, the HP-UX AAA Server checks
for the expiration.

The Pseudonym-Expiration-Time values represent the following:

    Last-Used-Pseudonym-Expiration-Time -- If the Pseudonym-Username matches
    the Last-Used-Pseudonym-Username

    Last-Assigned-Pseudonym-Expiration-Time -- If the Pseudonym-Username
    matches the Last-Assigned-Pseudonym-Username

A successful mapping can also return user credentials and general reply-items. If the user
credentials are returned, these credentials are appended to the cur_request list of the
authreq, as specified.
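
The return events and the two expiration paths described above can be modelled as follows. This is an added example, not code from the HP-UX AAA Server or its plug-in interface; the record layout, the function names pseudonym_lookup and server_accepts, the epoch-second times and the rule that a pseudonym is expired once the current time reaches its expiration time are all assumptions.

```python
# Added illustration of the lookup semantics described above; not HP-UX AAA
# Server code. Record layout, function names and epoch-second times are assumptions.
RETRIEVE_SUCCESS = "RETRIEVE_SUCCESS"
RETRIEVE_ERROR = "RETRIEVE_ERROR"

# Constructed sample datastore, keyed by Real-Username.
SAMPLE_DB = {
    "alice@example.com": {
        "Last-Used-Pseudonym-Username": "p-1111",
        "Last-Used-Pseudonym-Expiration-Time": 1000,
        "Last-Assigned-Pseudonym-Username": "p-2222",
        "Last-Assigned-Pseudonym-Expiration-Time": 5000,
    },
}

def pseudonym_lookup(db, pseudonym, now, cur_request, check_expiry=True):
    """Map a Pseudonym-Username to a Real-Username; update cur_request on success."""
    for real_user, rec in db.items():
        for slot in ("Last-Used", "Last-Assigned"):
            if rec.get(f"{slot}-Pseudonym-Username") != pseudonym:
                continue
            # The expiration time that applies is the one paired with the
            # pseudonym that matched (last used or last assigned).
            expires = rec[f"{slot}-Pseudonym-Expiration-Time"]
            if check_expiry and now >= expires:  # boundary rule is an assumption
                return RETRIEVE_ERROR            # expired: cur_request untouched
            cur_request["Real-Username"] = real_user
            if not check_expiry:
                # Lookup did not check: return the time so the server can.
                cur_request["Pseudonym-Expiration-Time"] = expires
            return RETRIEVE_SUCCESS
    return RETRIEVE_ERROR                        # no mapping found

def server_accepts(cur_request, now):
    """Hypothetical server-side check used when the lookup skipped expiry."""
    expires = cur_request.get("Pseudonym-Expiration-Time")
    return expires is None or now < expires

if __name__ == "__main__":
    req = {}
    print(pseudonym_lookup(SAMPLE_DB, "p-1111", 2000, req), req)
    req = {}
    print(pseudonym_lookup(SAMPLE_DB, "p-1111", 2000, req, check_expiry=False),
          req, server_accepts(req, 2000))
```
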

Generating Authentication Vectors Using A3, A8, and AKA Algorithms

If authentication vectors are not retrieved from a datastore or supplied by an external AuC, they
must be generated using A3 and A8 algorithms for EAP-SIM or the AKA algorithm for EAP-AKA.

GSM A3 and A8 algorithms are used in EAP-SIM. GSM-03.20 specifies the general GSM
authentication procedure and the external interface of the A3 and A8 algorithms. The operation
of these functions is specific to each network operator. Therefore, the functions are not generalized,
but are specified by each operator. The GSM-MILENAGE algorithm, specified publicly in
3GPP-TS-55.205, is an example algorithm set for A3 and A8 algorithms.

The AKA algorithm can also use the GSM functions that are used to implement A3 and A8
algorithms.

The A3, A8, and AKA algorithm plug-ins are located in the /opt/aaa/aatv directory, by default.
The server can use multiple A3/A8/AKA algorithms. You can specify these algorithms in the
aaa.config global configuration file, realm-based configurations, or in a user's profile. For