HP-UX AAA Server A.08.02 Administrator's Guide
Local Authorization Service (LAS) Configuration
Some configuration-only attributes define information for authorization through the server's LAS. To
activate the features related to these attributes for users in a given realm, you must enable session
tracking for the user's realm. A NULL realm entry is still required if the user does not belong
to a realm. The Simultaneous-Use attribute can be used in a user entry for LAS functions.
Simultaneous-Use Attribute
This attribute's value determines the maximum number of active sessions the user can have. The
default is 1 (if the LAS is enabled for the user's realm, but no Simultaneous-Use attribute value
is specified for the user or the user's realm). A value of -1 disables the feature, placing no limit
on the number of simultaneous sessions for a user in a realm enabled to use the LAS.
NOTE: Simultaneous session control is based on the inner identity (realm) for tunneled-EAP
authentications.
Attributes Concerning OTP Authentication
These attributes are used for configuring OTP authentication and customizing the feature to suit
various deployments. For information on these attributes, see “Attributes for Configuring OTP
Authentication” (page 137).
Check (and Deny) Items
A user entry can include check, configuration-only, and reply items to implement simple policy
decisions. Check items are A-V pairs that are compared to the pairs in a RADIUS Access-Request
packet. Reply items are A-V pairs that are included in an Access-Accept, Access-Challenge, or
Access-Reject message to provide instructions to the NAS for authorizing the user.
There are two types of check items:
• Regular check items
• Deny items
A check item is used to authenticate a user by matching the attribute value in a request to the
attribute value specified as a check item. A deny item is a regular attribute, identical to a check
item, except that the comparison is "not equal" (indicated by !=) rather than "equal". In other
words, a deny item causes an Access-Request to be rejected if the deny item's value matches the
corresponding attribute value in the request.
IMPORTANT: The HP-UX AAA Server only compares a check item with the first value that appears
for an attribute in an Access-Request. The server will disregard any additional instances of the
same attribute in the request. This limitation also applies to tagged attributes, like those used to
establish VPN tunnels.
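The following is an added example, not code from the HP-UX AAA Server. It models check items, deny items (!=), and the first-instance-only comparison rule described above against a constructed Access-Request, and also applies the Simultaneous-Use default and -1 semantics from the LAS section. Attribute names and the 192.0.2.10 address are constructed sample values.

```python
from typing import List, Optional, Tuple

# A request is modelled as an ordered list of (attribute, value) pairs,
# which lets the same attribute appear more than once (constructed sample).
REQUEST: List[Tuple[str, str]] = [
    ("User-Name", "alice@example.com"),
    ("NAS-IP-Address", "192.0.2.10"),
    ("NAS-Port-Type", "Virtual"),
    ("NAS-Port-Type", "Ethernet"),   # second instance: disregarded by the server
]

def first_value(request: List[Tuple[str, str]], attr: str) -> Optional[str]:
    """Return the FIRST value of attr in the request, or None if absent.
    Any additional instances of the same attribute are disregarded,
    matching the comparison rule the guide describes."""
    for name, value in request:
        if name == attr:
            return value
    return None

def evaluate_items(items: List[Tuple[str, str, str]],
                   request: List[Tuple[str, str]]) -> Tuple[bool, str]:
    """items are (attribute, operator, value) with operator "==" for a
    regular check item or "!=" for a deny item. Returns (accept, reason).
    A check item whose attribute is missing from the request fails."""
    for attr, op, wanted in items:
        seen = first_value(request, attr)
        if op == "==":
            if seen != wanted:
                return False, f"check item {attr} expected {wanted!r}, got {seen!r}"
        elif op == "!=":
            if seen == wanted:
                return False, f"deny item {attr} != {wanted!r} matched request value"
        else:
            raise ValueError(f"unsupported operator {op!r}")
    return True, "all check and deny items satisfied"

def session_allowed(active_sessions: int, simultaneous_use: Optional[int]) -> bool:
    """Apply the Simultaneous-Use rule: default limit 1 when the attribute is
    unset, -1 means unlimited, otherwise a new session is allowed only while
    the count of active sessions is below the limit."""
    limit = 1 if simultaneous_use is None else simultaneous_use
    if limit == -1:
        return True
    return active_sessions < limit
```

Because only the first NAS-Port-Type value ("Virtual") is compared, a deny item on "Virtual" rejects the request even though a later instance carries "Ethernet".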
Attributes Concerning the NAS
NAS-IP-Address
This attribute indicates the identifying IPv4 address of the NAS which is requesting
authentication of the user. Either the NAS-IP-Address, NAS-IPv6-Address, or the
NAS-Identifier must be present in an Access-Request.
NAS-IPv6-Address
This attribute indicates the identifying IPv6 address of the NAS which is requesting
authentication of the user. This attribute must be unique to the NAS within the scope of
the RADIUS server. Either the NAS-IP-Address, NAS-IPv6-Address, or NAS-Identifier must
be present in an Access-Request.