HP-UX AAA Server A.08.02 Administrator's Guide

Table 87 Predefined FSM Tables (continued)
Function                                        Filename
Sample FSM file required to implement           /opt/aaa/examples/config/sqlacess-acct.fsm
accounting without session management
using SQL access
Sample FSM file required to implement           /opt/aaa/examples/config/sqlaccess-acct-sess.fsm
accounting with session management
using SQL access
To use any of the above predefined state tables for the HP-UX AAA server, copy the required .fsm
file to /etc/opt/aaa/radius.fsm and start the AAA server.
NOTE: The product is installed with logall.fsm as radius.fsm in /etc/opt/aaa/.
Custom State Tables
The server can be set up for different functions by modifying existing FSM tables or creating new
FSM tables. Edit the state table to customize the authorization sequence, or to have interim
accounting messages logged by calling the appropriate module at a certain point in the
authentication process.
Tracking Versions
You can embed version information into a state table using the following syntax:
    %FSMID Version
Version: Can be any string and will appear as the ID in radcheck output.
Examples
State table modifications can range from simple to more involved customization and offer a great
deal of flexibility when configuring the HP-UX AAA software.
Preprocessing Module
An Access-Request message may need to be pre-processed for a variety of reasons. For example,
if the client sends a User-Name value with extraneous information, the extraneous information may
need to be stripped out before the server authenticates the user. Preprocessing requires that you
write or obtain a plug-in that will parse the message and pass the processed A-V pairs to the
iaaaUsers action.
Modify the state table to call the preprocessing plug-in when the message is first received. Add a
preprocessing state that calls the iaaaUsers action and transitions to the UsersCheck state.
1 START:
2     *.+AUTHEN.ACK          PREPROC    Preauth
3     *.+AUTHENTICATE.ACK    PREPROC    Preauth
4 Preauth:
5     *.PREPROC.ACK          iaaaUsers  UsersCheck
6     *.PREPROC.NAK          REPLY      Hold
7 . . .
Lines 1-3: *.+AUTHEN.ACK or +AUTHENTICATE.ACK indicates that the received message
is an Access-Request. PREPROC indicates the action, which calls the custom
PREPROC software module. PREPROC is programmed to parse User-Name, strip
out the extraneous information, and assign the result to the User-Id attribute. (The
server uses User-Id to locate a stored user profile.) If PREPROC is successful, it returns
an ACK event name; otherwise, it returns a NAK. Preauth indicates the next state
the FSM must proceed to after PREPROC returns an ACK or NAK event name.
Line 4: As described for lines 1 to 3, Preauth is the next state after PREPROC has parsed
User-Name and returned an ACK or NAK value.