HP-UX AAA Server A.08.02 Administrator's Guide

ManualsBrandsHP ManualsSoftwareHP-UX AAA Server (RADIUS) Software

441

442

443

444

445

446

447

448

449

450

test or assign a substring of the specified Value attribute. Pos indicates the index position in the

attribute's value to begin the substring and if specified Len determines the length.

When used in the condition section of a group entry, indirection checks values. When used in the

reply section, it assigns a value.

For example, in an expression Port-Id <= $Port-Limit would only allow access to users

who access the server through ports that don't exceed the limit set in their profile. As a reply item

Decision = $Interlink-Proxy-Action would assign the current FSM event to the Decision

attribute.

Notes:

• Test = $Value$Pos$Len will add a new A-V pair to the request. It will not update an

existing pair. For example, when the request includes a Test = “String” A-V pair, the expression

Test = $Test$2$3 will append Test = “rin” to the request, which results in both Test

= “String” and Test = “rin” in the request.

• Because the left-side attribute is handled differently than the right-side attribute value, multiple

attributes in a request can cause some unexpected indirection results. Each instance of the

left-side attribute is AND'd, but only the value of the right-side attribute's last instance is used.

For example, the expression Test < $Test would evaluate to FALSE as (Test1 < 1)

&& (Test2 < 1) when the request contains the A-V pairs Test1 = 1 and Test2 = 2.

Example Group Entries

This section discusses the syntax of sample decision files that are included in earlier versions of

the HP-UX AAA Server. For information on using the sample DNIS and DAC decision files present

in the current version of the HP-UX AAA Server, see “Modifying the FSM for Specific Customizations

” (page 324)

• /opt/aaa/examples/config/DNIS.grp for DNIS routing

• /opt/aaa/examples/config/DAC.grp for dynamic access control

DNIS.grp for DNIS Routing

The following example shows a simple DNIS routing scheme. Refer to For an example of a modified

radius.fsm file that works with this decision file, see Chapter 12: “Logging and Monitoring ”

(page 99).

1 Group Controlled-Access {

2 Condition {

3 (Calling-Station-Id = 1234567890) ||

4 (Called-Station-Id = 8005551212)

5 }

6 Reply {

7 Authentication-Type = radius

8 Server-Name = flatland.com

9 Server-Port = 1812

10 Decision = Forward

11 }

12 }

13 Group Denied-Access {

14 Condition {

15 Called-Station-Id = 8001234567

16 }

17 Reply {

18 Authentication-Type = blackhole

19 Decision = Abandon

20 }

21 }

22 Group NORMAL {

23 Reply {

24 Decision = $Interlink-Proxy-Action

444 Syntax of the Decision Files in Earlier Versions of the HP-UX AAA Server