HP-UX AAA Server A.08.02 Administrator's Guide

4. Check Items. After authentication, each check item in the user profile is processed or matched
against the corresponding Attribute-Value (A-V) pairs in the request.
If all the check and deny items associated with User-Name are satisfied, the CHK_DNY
action returns an ACK value to the FSM.
If any check or deny item, including the user's password, is not matched correctly, the
authentication module returns a NAK value to the FSM. The request fails, and an
Access-Reject message is returned to the client.
5. User Policy. All requests are subjected to user policy after authentication. The user policy is
applied only after successful authentication. A user policy can be specified in a Policy-Pointer
attribute on the request as either a check item or a reply item. If the Policy-Pointer attribute is
found in the check items, then the HP-UX AAA Server does not look for one in the reply items.
The value of the Policy-Pointer attribute should specify the URL for the decision file to be
evaluated. If a request contains a Policy-Pointer attribute, as either a check item or a reply
item, the specified policy is applied. If the request does not contain a Policy-Pointer, then no
user policy is applied. In this case the POLICY action returns an ACK event to the FSM.
Some policies that can be implemented include:
Dialed Number Identification Service (DNIS): routing requests according to the calling or
called number;
Grouping users by NAS addresses or ports;
Controlling session duration, concurrent usage, or delivered services by logical groupings
defined by the contents of specified A-V pairs;
Controlling access according to any time-based criteria.
6. Local Authorization Server (LAS). The LAS refers to the routines and code in the server that
handle authorization. The LAS and POSTLAS actions are part of the LAS. Session control with
LAS is based on realms. Local Session tracking must be explicitly enabled for a realm via the
Server Manager or the /etc/opt/aaa/las.conf file. If the realm is not listed, LAS does
not enforce any session control for users from that realm. When the LAS handles an
Access-Request for a user in a local realm configured in the las.conf file, the LAS module
performs the following actions:
Checks the user profile for a Simultaneous-Session attribute-value pair, which determines
the maximum number of active sessions the user can have. The default value is 1.
Authorizes or denies service based on the Service-Class attribute.
The POSTLAS action performs Simultaneous Access Token (SAT) control, which is used to
implement realm-based simultaneous session control.
NOTE: HP recommends not enabling local session tracking for any realm that uses session
management via SQL Access.
7. Reply Items. Reply items control the generation of an Access-Accept or Access-Reject message by the
ReplyPrep action. By adding reply items to a user's profile or through policy decisions,
ReplyPrep can provide a NAS with provisioning information in an Access-Accept data
packet. Depending on the capabilities of the NAS, the reply items can be used to control a
user's session. For example, the following user entry limits the length of the session and the
hosts that can be accessed:
guest@library.org Password = "public"
    Filter = "library",
    Session-Timeout = 3600
Users can authenticate as guest@example.org with the password public to connect for one
hour (3600 seconds) to the library hosts that the filter named library allows.
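To make steps 4 through 7 concrete, the following Python model walks one Access-Request through check-item matching (CHK_DNY), the Policy-Pointer lookup (POLICY), realm-based simultaneous-session control (LAS) and reply generation (ReplyPrep). This is an added illustration written for this page, not HP-UX AAA Server code: the profile text mirrors the guest@library.org entry above and the attribute and event names (ACK, NAK, Policy-Pointer, Simultaneous-Session, Session-Timeout, Filter) come from the guide, while the staff@library.org entry, the decision-file lookup table, the realm list standing in for /etc/opt/aaa/las.conf, the treatment of Policy-Pointer and Simultaneous-Session as server-side items that are not matched against the request, and the NAS address are constructed assumptions.

```python
"""Toy model of the HP-UX AAA Server stages 4-7 (check items, user policy,
LAS session control, reply items). Added illustration, not HP code."""
import re

# Constructed user profiles in the users-file style shown on the page: the first
# line of an entry carries the user name and its check items, indented
# continuation lines carry the reply items.
PROFILE_TEXT = '''
guest@library.org Password = "public"
    Filter = "library",
    Session-Timeout = 3600
staff@library.org Password = "s3cret", Policy-Pointer = "file:///etc/opt/aaa/policy/staff.dec", Simultaneous-Session = 2
'''

# Attribute = "string"  or  Attribute = integer
AV_RE = re.compile(r'([\w-]+)\s*=\s*(?:"([^"]*)"|(\d+))')

# Assumption: these profile items steer later stages and are never compared
# against the request's own A-V pairs.
SERVER_SIDE = {"Policy-Pointer", "Simultaneous-Session"}

# Constructed stand-in for decision files: URL -> predicate over the request.
# Here the policy groups users by NAS address (one of the examples on the page).
DECISION_FILES = {
    "file:///etc/opt/aaa/policy/staff.dec":
        lambda req: req.get("NAS-IP-Address") == "192.0.2.10",  # placeholder NAS
}

# Constructed stand-in for las.conf: realms with local session tracking enabled.
LAS_REALMS = {"library.org"}


def parse_profiles(text):
    """Parse entries into {user: {"check": {...}, "reply": {...}}}."""
    profiles, current = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace():                      # continuation line: reply items
            section = "reply"
        else:                                     # new entry: name + check items
            name, _, raw = raw.partition(" ")
            current = profiles[name] = {"check": {}, "reply": {}}
            section = "check"
        for attr, s, n in AV_RE.findall(raw):
            current[section][attr] = s if n == "" else int(n)
    return profiles


def chk_dny(profile, request):
    """Step 4: every check item must match the request, else NAK."""
    for attr, want in profile["check"].items():
        if attr not in SERVER_SIDE and request.get(attr) != want:
            return "NAK"
    return "ACK"


def policy(profile, request):
    """Step 5: check items are searched for Policy-Pointer before reply items;
    no Policy-Pointer means no user policy and an ACK."""
    url = profile["check"].get("Policy-Pointer") or profile["reply"].get("Policy-Pointer")
    if url is None:
        return "ACK"
    decide = DECISION_FILES.get(url)
    return "ACK" if decide is not None and decide(request) else "NAK"


def las(user, profile, active_sessions):
    """Step 6: enforce Simultaneous-Session (default 1) only for listed realms."""
    realm = user.partition("@")[2]
    if realm not in LAS_REALMS:
        return "ACK"
    limit = profile["check"].get("Simultaneous-Session",
                                 profile["reply"].get("Simultaneous-Session", 1))
    return "ACK" if active_sessions.get(user, 0) < limit else "NAK"


def reply_prep(profile, accepted):
    """Step 7: Access-Accept carrying the reply items, or Access-Reject."""
    if not accepted:
        return ("Access-Reject", {})
    return ("Access-Accept",
            {k: v for k, v in profile["reply"].items() if k not in SERVER_SIDE})


def handle_request(request, profiles, active_sessions):
    """Run the stages in order; the first NAK ends in an Access-Reject."""
    user = request.get("User-Name")
    profile = profiles.get(user)
    if profile is None:
        return ("Access-Reject", {})
    if chk_dny(profile, request) == "NAK" or policy(profile, request) == "NAK":
        return reply_prep(profile, False)
    if las(user, profile, active_sessions) == "NAK":
        return reply_prep(profile, False)
    return reply_prep(profile, True)


PROFILES = parse_profiles(PROFILE_TEXT)

if __name__ == "__main__":
    req = {"User-Name": "guest@library.org", "Password": "public"}
    print(handle_request(req, PROFILES, {}))
```

The guest request succeeds with Filter and Session-Timeout returned as reply items; a second concurrent guest login is refused by the LAS because the default Simultaneous-Session limit is 1, and the staff entry is refused when the decision file's NAS condition is not met even though the password matches.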