HP-UX AAA Server A.08.02 Administrator's Guide

1. Replace the radius.fsm file in the server's configuration directory with
/opt/aaa/examples/config/DAC.fsm. For example, if the server's configuration directory is
/etc/opt/aaa/radius.fsm, then enter the following command:
# cp /opt/aaa/examples/config/DAC.fsm /etc/opt/aaa/radius.fsm
NOTE: Take a backup of /etc/opt/aaa/radius.fsm before replacing it.
IMPORTANT: If you are using a different decision file than the supplied DAC.grp decision
file, change the CheckDAC state so that the POLICY action calls the DAC decision file. For
example,
CheckDAC: *.*.ACK POLICY AuthWait Xstring=decisionfile://DAC.grp
2. Copy the sample decision file /opt/aaa/examples/config/DAC.grp to the server's
configuration directory using the following command:
# cp /opt/aaa/examples/config/DAC.grp /etc/opt/aaa/
Step 2 – Defining the DAC Policies
The default DAC.grp decision file contains sample entries. You must edit the DAC.grp decision
file to define your DAC policies. To edit the DAC.grp decision file, complete the following steps:
1. Modify each group in the DAC.policy file according to your implementation requirements.
For example,
# Daytime Access Check
if ( (Access-Group = "daytime") &&
     ((Time-Of-Day >= "06:00") && (Time-Of-Day <= "20:00")) )
{
    insert Reply-Message = "Daytime access allowed"
    exit "ACK"
}
NOTE: The Reply-Message reply item attribute may not be returned if the user is authenticated
using a tunneled EAP method.
Comment out any condition you do not need by placing a hash symbol (#) before each line.
The last line must remain unchanged so that a user who does not match one of the conditions
is rejected.
2. If you rename the DAC.grp file, move it to the server's configuration directory and edit
radius.fsm so that the CheckDAC state Xstring parameter points to the correct file name.
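A check for the renaming case in step 2 above, as an added example that is not from the guide: it reads the CheckDAC state in radius.fsm and confirms that the decision file named by Xstring exists in the configuration directory. The state layout (a label in column one followed by its action lines), the treatment of # lines as comments, and the names night.grp, other.grp and Other are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the guide. Assumptions: a state starts with
# "Name:" in column one and owns the lines up to the next label, and
# lines beginning with # are comments.

# Print the name given by Xstring=decisionfile://<name> in state CheckDAC.
dac_decision_file() {
    awk '
        /^[ \t]*#/ { next }
        /^[A-Za-z0-9_-]+:/ { in_state = ($1 == "CheckDAC:") }
        in_state && match($0, /Xstring=decisionfile:\/\/[^ \t]+/) {
            print substr($0, RSTART + 23, RLENGTH - 23)  # skip 23-char prefix
            exit
        }
    ' "$1"
}

# check_dac_config <confdir>
# returns 0 = file present, 1 = file missing, 2 = no decision file named
check_dac_config() {
    name=$(dac_decision_file "$1/radius.fsm")
    [ -n "$name" ] || { echo "CheckDAC names no decision file" >&2; return 2; }
    [ -r "$1/$name" ] || { echo "missing: $1/$name" >&2; return 1; }
    echo "CheckDAC -> $1/$name"
}

# Constructed sample: CheckDAC points at a renamed file (night.grp) that
# has not been moved into the directory yet. "Other" is a made-up state.
make_sample() {
    d=${TMPDIR:-/tmp}/dac-sample.$$
    mkdir -m 700 "$d" || return 1
    cat > "$d/radius.fsm" <<'EOF'
Other:
    *.*.ACK POLICY AuthWait Xstring=decisionfile://other.grp
CheckDAC:
    # *.*.ACK POLICY AuthWait Xstring=decisionfile://DAC.grp
    *.*.ACK POLICY AuthWait Xstring=decisionfile://night.grp
EOF
    echo "$d"
}

# With an argument, check that directory (for example /etc/opt/aaa).
if [ $# -gt 0 ]; then check_dac_config "$1"; fi
```

Run it against the configuration directory after editing radius.fsm and before restarting the server; a return value of 1 means the renamed decision file was never moved into place.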
DNIS Routing
In a typical DNIS routing scheme, requests are handled according to the Calling-Station-Id
and Called-Station-Id attributes. The POLICY action matches the Calling-Station-Id
and Called-Station-Id attribute values in the Access-Request to the conditions defined in the
DNIS decision file, and returns the matching policy group reply items and the FSM events Forward
and Abandon. The required events and states are defined in the DNIS.fsm file delivered with
the server. To implement the sample policy for DNIS Routing, complete the following steps:
Step 1 – Modifying the Default FSM for DNIS Routing
Step 2 – Defining the DNIS Routing Policies
Step 1 – Modifying the Default FSM for DNIS Routing
To modify radius.fsm to support DNIS routing, complete the following steps:
326 Customizing the HP-UX AAA Server Using Policies