HP-UX AAA Server A.08.02 Administrator's Guide
Tagged Attributes
A RADIUS message can include multiple values for one or more attributes that are tagged to
organize the attributes into defined groups. Depending on its capabilities, a client or server can
selectively use one set of tagged attributes. For example, an Access-Accept can contain several
different tunnel definitions. If it supports tagged attributes, the client can select the definition to use.
Tagged attributes can be used as check or reply items.
Tagged attributes follow the syntax:
Attribute=:Tag:Value
Attribute: The attribute to tag.
Tag: A unique integer (less than 32) that identifies what set
this attribute belongs to.
Value: The attribute value.
For example, Tunnel-Type =:1:PPTP indicates an attribute value of PPTP that belongs to a
larger set of attributes, all tagged with 1, that collectively define one type of tunnel that might be
established for a user.
IMPORTANT: Some NASs do not support tagged attributes. HP recommends that when you return
multiple tunnel definitions to a client, you have at least one set of attributes that is untagged or
tagged with a 0 value, so that there is a tunnel definition available to a client that does not support
tags.
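The following Python check is an added example, not part of the HP guide or the AAA server's own code. It parses reply items written in the Attribute=:Tag:Value syntax above, groups them by tag, rejects tags that are not less than 32, and reports whether an untagged or 0-tagged tunnel definition exists for clients that do not support tags. The sample items, the function names, and the choice to file untagged items under tag 0 are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# "Attribute =:Tag:Value" (tagged) or "Attribute = Value" (untagged).
ITEM_RE = re.compile(r'^\s*([A-Za-z0-9-]+)\s*=\s*(?::(\d+):)?\s*(.*?)\s*$')

# Constructed sample reply items: two tagged tunnel definitions, no fallback.
SAMPLE = [
    "Tunnel-Type =:1:PPTP",
    "Tunnel-Server-Endpoint =:1:192.0.2.10",
    "Tunnel-Type =:2:L2TP",
    "Tunnel-Server-Endpoint =:2:192.0.2.20",
]

def group_by_tag(lines):
    """Return {tag: {attribute: value}}. Assumption: untagged items go under 0."""
    groups = defaultdict(dict)
    for line in lines:
        m = ITEM_RE.match(line)
        if not m:
            raise ValueError(f"not an attribute item: {line!r}")
        attr, tag, value = m.group(1), int(m.group(2) or 0), m.group(3)
        if tag >= 32:  # the guide requires an integer less than 32
            raise ValueError(f"tag {tag} on {attr} is not less than 32")
        groups[tag][attr] = value
    return dict(groups)

def has_untagged_fallback(groups, prefix="Tunnel-"):
    """True if a tunnel definition exists that is untagged or tagged 0."""
    return any(attr.startswith(prefix) for attr in groups.get(0, {}))

def select_definition(groups, tag=None):
    """Set a client would use: the tag it picked, else the untagged/0 set."""
    if tag is not None and tag in groups:
        return groups[tag]
    return groups.get(0, {})

if __name__ == "__main__":
    groups = group_by_tag(SAMPLE)
    print("tags:", sorted(groups))
    print("fallback for clients without tag support:", has_untagged_fallback(groups))
    print("client picks tag 2:", select_definition(groups, 2))
    print("client ignores tags:", select_definition(groups))
```

With the constructed sample, a client that ignores tags receives no tunnel definition, which is the situation the IMPORTANT note warns about; adding one untagged Tunnel-Type item makes the fallback check pass.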
Attributes in User Profiles
The following attributes can be used to establish the authorization rules for a user profile.
Authorization determines the following:
• The services and network resources that the user can access
• The services that the user can access
• The time duration that the user can access the network
The attributes in a user profile may act as a configuration, check (and deny), or reply item. Some
attributes may act as both check and reply items.
Configuration Attributes
You can add configuration attributes that are not directly supported by the Server Manager graphic
interface. You can add configuration attributes through the Server Manager as a check item under
the Free tab on the User Creation screen. For more information, see “Tabs on the Add Users Screen”
(page 90).
Authentication-Type: The authentication type is applied to a user just as it would be
applied to a user belonging to a realm. Check and reply items in
the user entry will be appended to any items used later in the
authentication process.
Comment: This attribute does not perform any server function. It allows you to
provide any necessary explanation for the entry.
Deny-Message: This attribute specifies a string that would be returned as a
Reply-Message value to the user in the Access-Reject if any deny
item for this user caused a rejection. You can configure a denial
message (using the Free tab in the Check Item list box in the Server
Manager) as follows:
Deny-Message = "You can't do that."
NAS-Port != 3160
You can also use an asterisk wildcard: