HP-UX AAA Server A.08.02 Administrator's Guide

Security Consideration in Dynamic Authorization
This section describes the security features in Dynamic Authorization. The following features are
supported:
“Replay Protection” (page 233)
“Message-Authenticator” (page 234)
“Reverse Path Forwarding Check for Proxies” (page 235)
Replay Protection
The Replay Protection feature protects the network from replayed messages, that is, fraudulent
retransmissions of previously valid data. The Event-Timestamp attribute is used for enforcing
replay protection. The HP-UX AAA Server discards any incoming message whose Event-Timestamp
value is not within the acceptable time limits. You can configure the time window using the
event_timestamp_window attribute in the aaa.config file. For more information on the attribute,
see “Dynamic Authorization-Related Configuration Items” (page 386).
By default, Event-Timestamp attribute checking is not enforced: the Event-Timestamp attribute
is verified only if it is present in the incoming message. If the attribute is not present, the
check is skipped. To enforce Event-Timestamp attribute checking, add the following lines to the
/etc/opt/aaa/client-reply-ingress.grp file:
if( count(Event-Timestamp) = 0 )
{
    exit "NAK"
}
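The check described above, sketched in Python as an added example (not HP-UX AAA Server code): it reads the Event-Timestamp attribute (RADIUS type 55, a 32-bit count of seconds since the epoch) from a raw Disconnect or CoA packet and applies a time window. The function names, the symmetric window in seconds, the 300-second sample value, and the `require` flag that mirrors the policy lines above are assumptions of this sketch; the sample packets are constructed.

```python
import struct

EVENT_TIMESTAMP = 55  # RADIUS attribute type; value is 32-bit seconds since the epoch

def parse_attributes(packet: bytes):
    """Yield (type, value) for every attribute after the 20-byte RADIUS header."""
    if len(packet) < 20:
        raise ValueError("shorter than the RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("bad packet length field")
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        yield atype, packet[pos + 2:pos + alen]
        pos += alen

def passes_replay_check(packet: bytes, now: int, window: int, require: bool = False) -> bool:
    """Apply the Event-Timestamp window; `require` rejects messages without the attribute."""
    stamps = [v for t, v in parse_attributes(packet) if t == EVENT_TIMESTAMP]
    if not stamps:
        # Default behaviour: an absent attribute means the check is skipped.
        return not require
    for value in stamps:
        if len(value) != 4:
            return False
        # Assumption: the window is in seconds and symmetric around the local clock.
        if abs(now - struct.unpack("!I", value)[0]) > window:
            return False
    return True

def build_request(code: int, timestamp=None) -> bytes:
    """Constructed sample packet: zeroed authenticator, optional Event-Timestamp."""
    attrs = b"" if timestamp is None else struct.pack("!BBI", EVENT_TIMESTAMP, 6, timestamp)
    return struct.pack("!BBH", code, 1, 20 + len(attrs)) + bytes(16) + attrs

if __name__ == "__main__":
    now = 1_700_000_000  # constructed clock value
    # Codes 40 and 43 are Disconnect-Request and CoA-Request.
    for label, pkt in [("fresh", build_request(40, now - 10)),
                       ("replayed", build_request(40, now - 3600)),
                       ("no timestamp", build_request(43))]:
        print(label, passes_replay_check(pkt, now, 300), passes_replay_check(pkt, now, 300, require=True))
```

Because the comparison uses the receiver's clock, sender and receiver need synchronized time for the window to be meaningful.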
To configure the HP-UX AAA Server to send the Event-Timestamp attribute in outgoing
messages, add the following SQL mapping to the SQLAction that creates the client request:
FUNC(get_cur_timestamp) RAD(Event-Timestamp, REPLY)
To add the Event-Timestamp attribute to outgoing Disconnect requests, add this mapping to the
CreateDisconnectReq or CreateDisconnectReqServerGroup SQLAction in the
/etc/opt/aaa/sqlaccess.config file.
To add the Event-Timestamp attribute to outgoing CoA requests, add this mapping to the
CreateCoAReq or CreateCoAReqServerGroup SQLAction in the
/etc/opt/aaa/sqlaccess.config file.
Configuring the Event Timestamp Window for Replay Protection Using HP-UX AAA Server Manager
To configure the Event Timestamp window for replay protection, complete the following steps:
1. Log in to HP-UX AAA Server Manager.
2. Click Server Properties. The Server Properties window is displayed as follows: