HP-UX AAA Server A.08.02 Administrator's Guide

24 VPN Tunneling
Tunneling involves access to a server that provides secure intranet or other network functionality
through a dial-up or Internet connection from a client workstation. This process can be categorized
as one of two types: voluntary or compulsory. Some applications, such as secure access to corporate
intranets through the Internet, are characterized by voluntary tunneling, where users create the
tunnel through client software at their workstation. These tunnels are created independently of the
AAA server.
Compulsory VPN tunnels are established by returning tunneling attributes to the access device. The
HP-UX AAA Server supports tagged attributes that can be used to specify tunneling alternatives,
in the event that the access device cannot establish the preferred tunnel configuration.
NOTE: How you configure the server to handle hints in the Access-Request may also affect how,
or whether, the tunnel is established.
Establishing a Tunnel for a User
If the user profile is stored in an AAA server users file, select the Free tab from the Modify
User screen and then add the tunneling attributes that will define the tunnel.
If the user profile is stored in an LDAP LDIF file, add the attributes to the profile, following the
aaaReply: Tunneling-Attribute = Value syntax.
If you want to specify alternative tunnels, use tagged attributes with the
Tunneling-Attribute =:Tag-no:Value syntax. Each set of attributes that establishes one of the
possible tunnels should be tagged with the same Tag-no. The order in which the access device
should consider the tunnel alternatives is specified with the Tunnel-Preference attribute. In the
following example, the access device will establish a tunnel according to the attributes
tagged with 1, since that group has Tunnel-Preference set to “first”; if the access device
cannot establish the tunnel with those attributes, it will use the alternative tagged with 2
(Tunnel-Preference of “second”).
Tunnel-Type =:1:PPTP,
Tunnel-Medium-Type =:1:IPv4,
Tunnel-Client-Endpoint =:1:192.168.127.1,
Tunnel-Server-Endpoint =:1:192.155.111.1,
Tunnel-Password =:1:Michigan,
Tunnel-Private-Group-Id =:1:engineering,
Tunnel-Assignment-Id =:1:management,
Tunnel-Preference =:1:first,
Tunnel-Client-Auth-Id =:1:NET,
Tunnel-Server-Auth-Id =:1:Michigan,
Tunnel-Type =:2:L2TP,
Tunnel-Medium-Type =:2:IPv4,
Tunnel-Client-Endpoint =:2:192.168.127.1,
Tunnel-Server-Endpoint =:2:192.170.130.1,
Tunnel-Password =:2:California,
Tunnel-Private-Group-Id =:2:engineering,
Tunnel-Assignment-Id =:2:management,
Tunnel-Preference =:2:second,
Tunnel-Client-Auth-Id =:2:NET,
Tunnel-Server-Auth-Id =:2:California
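As an added example (not code from the HP-UX AAA Server guide), the following Python parses reply attributes written in either the users-file Name =:Tag-no:Value, form or the LDIF aaaReply: form, groups them by tag, orders the alternatives by Tunnel-Preference as the access device would, and reports groups that are incomplete or that reuse a preference. The minimum attribute set it requires per alternative is an assumption for the check, not something the guide specifies.

```python
import re
# One reply line in users-file form "Name =:Tag:Value," or LDIF form "aaaReply: Name =:Tag:Value";
# the ":Tag:" part is absent for untagged attributes.
ATTR_RE = re.compile(r'^\s*(?:aaaReply:\s*)?([\w-]+)\s*=(?::(\d+):)?\s*(.*?)\s*,?\s*$')
# Minimum set an alternative must carry (an assumption for this check; the guide defines none).
REQUIRED = ('Tunnel-Type', 'Tunnel-Server-Endpoint')
PREFERENCE_RANK = {'first': 1, 'second': 2, 'third': 3}  # preference words as used in the guide

def parse_tunnel_attributes(text):
    """Return {tag: {attr: value}}, untagged under tag 0; names lower-cased (Auth-Id == Auth-ID)."""
    groups = {}
    for line in filter(str.strip, text.splitlines()):
        m = ATTR_RE.match(line)
        if not m:
            raise ValueError('unparseable attribute line: %r' % line)
        name, tag, value = m.groups()
        groups.setdefault(int(tag) if tag else 0, {})[name.lower()] = value
    return groups

def ordered_alternatives(groups):
    """Tag numbers in the order the access device should try them, by Tunnel-Preference."""
    rank = lambda t: (PREFERENCE_RANK.get(groups[t].get('tunnel-preference', '').lower(), 99), t)
    return sorted((t for t in groups if t != 0), key=rank)

def check_alternatives(groups):
    """List problems that leave an alternative unusable or its ordering undefined."""
    problems, seen = [], {}
    for tag in sorted(t for t in groups if t != 0):
        attrs = groups[tag]
        problems += ['tag %d: missing %s' % (tag, r) for r in REQUIRED if r.lower() not in attrs]
        pref = attrs.get('tunnel-preference', '').lower()
        if not pref:
            problems.append('tag %d: no Tunnel-Preference' % tag)
        elif pref in seen:
            problems.append('tag %d: Tunnel-Preference %r reused from tag %d' % (tag, pref, seen[pref]))
        else:
            seen[pref] = tag
    return problems

# Constructed sample: two complete alternatives plus a third that is incomplete and reuses "second".
SAMPLE = """\
Tunnel-Type =:1:PPTP,
Tunnel-Server-Endpoint =:1:192.155.111.1,
Tunnel-Preference =:1:first,
Tunnel-Type =:2:L2TP,
Tunnel-Server-Endpoint =:2:192.170.130.1,
Tunnel-Preference =:2:second,
Tunnel-Type =:3:L2TP,
Tunnel-Preference =:3:second
"""
```

Running check_alternatives over SAMPLE flags tag 3 twice (missing Tunnel-Server-Endpoint and a duplicate preference), which is the kind of profile error that leaves the access device with an unusable or ambiguous fallback.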