HP-UX AAA Server A.08.02 Administrator's Guide

1 Overview: The HP-UX AAA Server
The Remote Authentication Dial In User Service (RADIUS) protocol defines a standard for information
exchange between a network device or software application and an authentication, authorization,
and accounting (AAA) server to manage and track user access to network services.
A RADIUS AAA server provides authentication (verifying user credentials), authorization (supplying
provisioning information for the user), and accounting (storage of usage information into accounting
logs) services to devices and software applications (AAA clients) that support the IETF RADIUS
standards.
The AAA or RADIUS client is the access device or application that acts as an enforcement point
to control access to a resource. The user device or application requesting access to the resource
is referred to as the supplicant.
RADIUS Topology
The RADIUS protocol follows the client-server architecture. The client sends user information to the
AAA server using Access-Request or Accounting-Request messages. The AAA server processes the
request locally, or, if acting as a proxy server, forwards (proxies) the request to a secondary
RADIUS server.
When processing a RADIUS request locally, the AAA server can use additional external services
(LDAP, external database access, DHCP, and so on) to service the request.
The processing of RADIUS requests is usually configured on a per-realm basis. A realm is a group
of users sharing a common component in the Network Access Identifier (NAI) attribute in the
RADIUS request (for example, "example.org" is the realm component for "username@example.org").
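The following Python is an added illustration of the two ideas above, the realm component of an NAI and the per-realm decision to handle a request locally or proxy it; it is not HP-UX AAA Server code, and the realm table, repository names and function names are assumptions made for the example. It shows the edge cases a practitioner would want handled: a User-Name with no realm, an empty user or realm part, a malformed NAI with more than one "@", case differences in the realm, and a realm that is not configured (which is rejected rather than silently handled locally).

```python
# Added example (not HP-UX AAA Server code): extract the realm from a RADIUS
# User-Name in NAI form and route the request per realm.
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class RealmPolicy:
    # Assumed repository kinds: "local-file", "ldap", "database", "unix" or "proxy".
    repository: str
    # Next-hop RADIUS server when repository == "proxy" (constructed value).
    proxy_target: Optional[str] = None


# Constructed realm table (assumption); in the real product this comes from
# the server's configuration, not from code.
REALM_TABLE = {
    "example.org": RealmPolicy("ldap"),
    "partner.example.net": RealmPolicy("proxy", "radius1.partner.example.net"),
}


def split_nai(user_name: str) -> Tuple[Optional[str], Optional[str]]:
    """Split "user@realm" into (user, realm).

    Returns (user, None) when there is no realm component, and (None, None)
    when the NAI is malformed (empty user or realm, or '@' inside the user
    part). The realm is lower-cased because it is a DNS-style name.
    """
    if "@" not in user_name:
        return (user_name, None) if user_name else (None, None)
    user, _, realm = user_name.rpartition("@")
    if not user or not realm or "@" in user:
        return (None, None)
    return (user, realm.lower())


def route_request(user_name: str, realm_table=REALM_TABLE,
                  default_realm: Optional[str] = None) -> dict:
    """Decide how an Access-Request carrying user_name is handled.

    Result keys: action ("local", "proxy" or "reject"), user, realm,
    target (repository kind or proxy server) and reason (for rejects).
    Unknown realms are rejected: an unconfigured realm must not fall
    through to a local repository by accident.
    """
    user, realm = split_nai(user_name)
    result = {"action": "reject", "user": user, "realm": realm,
              "target": None, "reason": None}
    if user is None:
        result["reason"] = "malformed NAI"
        return result
    if realm is None:
        if default_realm is None:
            result["reason"] = "no realm and no default realm configured"
            return result
        realm = default_realm.lower()
        result["realm"] = realm
    policy = realm_table.get(realm)
    if policy is None:
        result["reason"] = "realm not configured"
        return result
    if policy.repository == "proxy":
        result.update(action="proxy", target=policy.proxy_target)
    else:
        result.update(action="local", target=policy.repository)
    return result


if __name__ == "__main__":
    # Constructed sample User-Name values, one per edge case.
    for name in ["alice@example.org", "Carol@PARTNER.example.net",
                 "bob", "dave@unknown.example", "a@b@c", "@example.org"]:
        print(name, "->", route_request(name))
```

The realm lookup deliberately has no fallback: a realm that is not in the table is rejected, so adding a new customer realm requires an explicit configuration entry rather than relying on whichever repository happens to be the default.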
In Figure 1 (page 23), a sample Internet Service Provider (ISP) uses four AAA servers to handle
user requests. User organizations are grouped into realms. Each user connects to one of the ISP's
servers through a local Network Access Server (NAS). The NAS sends a RADIUS Access-Request
containing the user's credentials to one of the AAA servers. In turn, the AAA server accesses user
and policy information from the repository specified for the user's realm. The repository can be in
flat text files associated with the AAA Server, an external database or LDAP Server, or an HP-UX
Unix user repository.
When authenticating users stored in replicated LDAP directory servers or databases, the server
can be configured to perform load balancing and failover to achieve greater scalability and
availability.
22 Overview: The HP-UX AAA Server