HP-UX AAA Server A.08.02 Administrator's Guide
Line 5 If PREPROC returns an ACK value, handling of the request continues normally with
the modified user name.
Line 6 If PREPROC returns a NAK value, the request will be rejected.
NOTE: When listing an event, you need to specify the last action only if it is required for the
finite state table to correctly determine the next action. In this case, the Preauth events *.*.ACK
and *.*.NAK on lines 5 and 6 would also work.
Interim Logging
To indicate that a session is still active, the client will send an accounting message at regular
intervals (defined by the client) during the session. To generate session logs when the server receives
this accounting message, you need to modify one line in the ACCTlog state. The following example
uses the default radius.fsm FSM file.
*.*.ACCT_ALIVE LOG REPLYHold
The REPLY action has been replaced with LOG, which is the Action that writes the session log. If
you want to log other accounting messages, you must change the action to LOG for the event that
corresponds to the message that must be logged.
NOTE: A AAA Server-provided state table, logall.fsm, will log all accounting messages.
Custom Logging Format
Using a custom-logging format requires that you write or obtain a plug-in that will generate a
session log. In each instance when you want to use your custom format, you must replace the LOG
action in the state table with the name of the appropriate action defined in your plug-in.
The ACCTlog state in the following example uses a logging format generated by MYLOG for an
ordinary session and uses another format generated by TUNNELLOG for tunnel sessions.
ACCTlog:
*.*.ACCT_START                REPLY      Hold
*.*.ACCT_STOP                 MYLOG      REPLYHold
*.*.ACCT_ALIVE                REPLY      Hold
*.*.ACCT_MSTART               REPLY      Hold
*.*.ACCT_MSTOP                MYLOG      REPLYHold
*.*.ACCT_CANCEL               REPLY      Hold
*.*.ACCT_ON                   MYLOG      REPLYHold
*.*.ACCT_OFF                  MYLOG      REPLYHold
*.*.ACCT_TUNNEL_START         REPLY      Hold
*.*.ACCT_TUNNEL_STOP          TUNNELLOG  REPLYHold
*.*.ACCT_TUNNEL_REJECT        TUNNELLOG  REPLYHold
*.*.ACCT_TUNNEL_LINK_START    REPLY      Hold
*.*.ACCT_TUNNEL_LINK_STOP     TUNNELLOG  REPLYHold
*.*.ACCT_TUNNEL_LINK_REJECT   TUNNELLOG  REPLYHold
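The following Python check is an added example, not part of this guide or of the AAA Server product. It parses a state-table fragment in the layout shown above and reports which accounting events reach a logging action and which are only acknowledged, so that a gap in the accounting audit trail is visible before the table is deployed. The function names, the '#' comment marker and the sample text are assumptions made for the example.

```python
import re

# Constructed sample: part of the ACCTlog state from the custom-logging example.
SAMPLE_FSM = """\
# constructed fragment, not a complete state table
ACCTlog:
*.*.ACCT_START REPLY Hold
*.*.ACCT_STOP MYLOG REPLYHold
*.*.ACCT_ALIVE REPLY Hold
*.*.ACCT_ON MYLOG REPLYHold
*.*.ACCT_TUNNEL_START REPLY Hold
*.*.ACCT_TUNNEL_STOP TUNNELLOG REPLYHold
"""

ENTRY = re.compile(r'^(\S+)\s+(\S+)\s+(\S+)(?:\s+Xstring="([^"]*)")?\s*$')


def parse_fsm(text):
    """Parse 'event action next-state [Xstring="..."]' lines grouped by state."""
    states, current = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # assumption: '#' marks a comment
            continue
        if line.endswith(":") and " " not in line:
            current = line[:-1].lower()  # the guide varies the state's capitalization
            states[current] = []
            continue
        m = ENTRY.match(line)
        if m is None or current is None:
            raise ValueError(f"line {lineno}: unrecognized entry: {raw!r}")
        states[current].append(m.groups())
    return states


def accounting_coverage(states, log_actions, state="ACCTlog"):
    """Return (logged, reply_only) accounting events for one state."""
    logged, reply_only = [], []
    for event, action, _next_state, _xstring in states.get(state.lower(), []):
        name = event.rsplit(".", 1)[-1]  # last dot-separated field is the event value
        if name.startswith("ACCT_"):
            (logged if action in log_actions else reply_only).append(name)
    return logged, reply_only


if __name__ == "__main__":
    logged, reply_only = accounting_coverage(
        parse_fsm(SAMPLE_FSM), {"LOG", "MYLOG", "TUNNELLOG"})
    print("session log written for:", ", ".join(logged))
    print("acknowledged without a log entry:", ", ".join(reply_only))
```

Pass the set of action names that write a session log at your site (LOG plus any plug-in actions) as log_actions; any accounting event returned in the second list is answered without a session log entry.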
Proxy Accounting Messages
If you have a distributed network of AAA servers, you can choose to centralize log records for
some or all of the accounting logs at a single location. The RAD2RAD action can forward accounting
messages to another server, as specified by an Xstring value. If all accounting messages will be
forwarded to a remote server, the ACCTlog state in the forwarding server's state table can be
removed, or commented out as shown below.
1 . . .
2 ACCTwait:
3 *.*.ACK RAD2RAD REPLYHold Xstring="default.accounting.proxy.server"
4 IPPool:
5 *.*.ACK POSTLAS Tunneling
6 *.*.NAK POSTLAS REPLYHold
7 . . .
8 REPLYHold:
298 Customizing the HP-UX AAA Server Using the Finite State Machine