HP-UX AAA Server A.08.02.
© Copyright 2002, 2013 Hewlett-Packard Development Company, L.P. Confidential computer software. Valid license required from HP for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor’s standard commercial license. The information contained herein is subject to change without notice.
Contents
About This Document (page 16)
Intended Audience (page 16)
New and Changed Information in This Edition (page 16)
Document Organization
Changing the Default localhost Proxy Settings (page 44)
Environment Specific Security Procedures (page 44)
Using Secure Socket Layer (SSL) for Secured Remote Server Manager Administration (page 44)
Creating a Tomcat Identity Specifically for the HP-UX AAA Server (page 45)
Running the HP-UX AAA Server on Hosts with System Hardening Software
Configuring Realms for LDAP (page 78)
Modifying a Directory Configuration (page 80)
Deleting a Directory Configuration (page 80)
Tuning the AAA Server to LDAP Server Connection (page 80)
9 Configuring Proxies
Format of Accounting Records in the Default Merit Style (page 103)
Time-Based Values (page 104)
Client A-V Pairs (page 104)
User Entry A-V Pairs (page 104)
Session Tracking
Advanced OTP Authentication Configuration Concepts (page 135)
Attributes for Configuring OTP Authentication (page 138)
Advanced Deployment Scenarios (page 143)
Validating OTP Alone (page 143)
Configuring Two-Factor Authentication
Random Pseudonyms (page 185)
Algorithm-Based Pseudonyms (page 185)
Configuring for Pseudonym Identity Support (page 187)
Sample EAP.authfile Configuration for Random Pseudonym Identity Support (page 188)
Sample EAP.
Configuring Multiple HP-UX AAA Servers as a Group (page 220)
Configuring for Disconnect and CoA Request Processing (page 222)
Dedicated HP-UX AAA Servers for Dynamic Authorization (page 225)
Dynamic Authorization in Authorize Only Mode (page 230)
Configuring for Dynamic Authorization in Authorize Only Mode
DBC Mapping (page 261)
DBP Mapping (page 262)
RET Mapping (page 263)
Mapping Functions (page 263)
Conversion Functions
FSM Tables (page 297)
Custom State Tables (page 298)
Tracking Versions (page 298)
Examples
Step 2 – Defining the DNIS Routing Policies (page 328)
28 Customizing the HP-UX AAA Server Using the SDK (page 329)
SDK Overview (page 329)
Migrating Plug-ins Created Using Previous Versions of the SDK (page 330)
Prerequisites for Using the SDK
EAP Problems (page 369)
Troubleshooting Provisioning Errors (page 371)
Troubleshooting the HP-UX AAA Server Admin Utility (page 372)
31 Troubleshooting Resources (page 374)
HP-UX AAA Server Troubleshooting Utilities
Login-IPv6-Host (page 390)
Framed-IPv6-Route (page 390)
Framed-IPv6-Pool (page 390)
With Tunneling (page 391)
The dictionary File
A Supported IETF RFCs (page 424)
B Supported Authentication Methods (page 426)
C RADIUS Data Packets (page 428)
Data Packet Format (page 428)
Attribute-Value Pair Format
About This Document This document provides an overview of the HP-UX AAA Server and describes how to configure, administer, and troubleshoot the product. This document does not cover installing the product. The document printing date and part number on the cover indicate the document’s current edition. The printing date and part number change when a new edition is printed. Minor changes can be made at reprint without changing the printing date.
• Part V — Reference provides information to supplement the task-based information in the previous parts of the document. Use the information in this section to learn more about non-task-based topics such as configuration files, and attribute-value pairs. • Appendix A (page 424) lists all the RFCs that are supported by the HP-UX AAA Server. • Appendix B (page 426) lists and describes all the authentication methods that are supported by the HP-UX AAA Server.
Typographic Conventions
This document uses the following typographical conventions:
audit(5) An HP-UX manpage. In this example, audit is the name and 5 is the section in the HP-UX Reference. On the web and on the Instant Information CD, it may be a link to the manpage itself. From the HP-UX command line, you can enter “man audit” or “man 5 audit” to view the manpage. See man(1).
Book Title The title of a book. On the web and on the Instant Information CD, it may be a link to the book itself.
Include the document title, manufacturing part number, and any comment, error found, or suggestion for improvement you have concerning this document.
Part I Introduction This part of the HP-UX AAA Server Administrator’s Guide contains the following chapters: • Chapter 1: “Overview: The HP-UX AAA Server ” (page 23) • Chapter 2: “Upgrading to Version A.08.02.
Contents
1 Overview: The HP-UX AAA Server (page 23)
RADIUS Topology (page 23)
Establishing a RADIUS Session (page 24)
Product Structure
To Test the Installation (page 50)
Starting HP-UX AAA Servers Using Server Manager (page 51)
AAA Server Start Options (page 52)
Server Manager’s Reload Feature
1 Overview: The HP-UX AAA Server The Remote Authentication Dial In User Service (RADIUS) protocol defines a standard for information exchange between a network device or software application and an authentication, authorization, and accounting (AAA) server to manage and track user access to network services.
Figure 1 Typical AAA Network Topology Establishing a RADIUS Session A RADIUS session tracks the life of a user session through a series of message exchanges. RADIUS sessions are used to limit simultaneous access to a resource for users who share the same credential, and to manage the allocation and release of IP addresses acquired on behalf of the user by the AAA server.
The Access-Accept data packet often includes authorization information that specifies the services the user can access and other session information, such as a timeout value that indicates when the user must be disconnected from the system. When the client receives an Access-Accept packet, it generates an Accounting-Request to start the session and sends the request to the server. The Accounting-Request data packet describes the type of service being delivered and the user of the service.
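The exchange described above, as an added example that is not part of this guide or of the HP-UX AAA Server's own code: it builds an Access-Request with the User-Password hidden as RFC 2865 specifies, lets the server side recover the password and answer with an Access-Accept or Access-Reject whose Response Authenticator the client verifies, and then issues the Accounting-Request start and stop messages with the RFC 2866 Request Authenticator the server checks before logging a session. The shared secret, user name, password and NAS address are constructed sample values. The MD5-based hiding and authenticators are what the protocol provides; they are not a substitute for protecting the RADIUS path itself.

```python
import hashlib
import hmac
import ipaddress
import os
import struct

# Added illustration (not the HP-UX AAA Server's code) of the RADIUS exchange
# described above, following RFC 2865 and RFC 2866. Sample values are constructed.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCOUNTING_REQUEST = 1, 2, 3, 4
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, ACCT_STATUS_TYPE = 1, 2, 4, 40
ACCT_START, ACCT_STOP = 1, 2


def attr(atype, value):
    """Encode one A-V pair: type, length (including this 2-byte header), value."""
    return bytes([atype, len(value) + 2]) + value


def packet(code, ident, authenticator, attrs):
    """Encode a packet: code, identifier, length, 16-byte authenticator, attributes."""
    body = b"".join(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_attrs(pkt):
    """Return {type: value} for the attributes following the 20-byte header."""
    attrs, pos = {}, 20
    while pos + 2 <= len(pkt):
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > len(pkt):
            raise ValueError("malformed attribute")
        attrs[atype] = pkt[pos + 2:pos + alen]
        pos += alen
    return attrs


def hide_password(secret, request_auth, password):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block), starting from the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        hidden += block
        prev = block
    return hidden


def reveal_password(secret, request_auth, hidden):
    """Inverse of hide_password; NUL padding is stripped, so a password cannot end in NUL."""
    clear, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        clear += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return clear.rstrip(b"\x00")


def access_request(secret, ident, user, password, nas_ip, request_auth=None):
    """The client's Access-Request; the Request Authenticator must be fresh and unpredictable."""
    ra = request_auth if request_auth is not None else os.urandom(16)
    attrs = [attr(USER_NAME, user),
             attr(USER_PASSWORD, hide_password(secret, ra, password)),
             attr(NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed)]
    return packet(ACCESS_REQUEST, ident, ra, attrs)


def response_authenticator(secret, code, ident, request_auth, body):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


def reply(secret, request, code, attrs=()):
    """The server's Access-Accept or Access-Reject for the given request."""
    body = b"".join(attrs)
    auth = response_authenticator(secret, code, request[1], request[4:20], body)
    return packet(code, request[1], auth, list(attrs))


def verify_reply(secret, request, response):
    """Client-side check: sane length, same Identifier, authentic Response Authenticator."""
    if len(response) < 20 or struct.unpack("!H", response[2:4])[0] != len(response) or response[1] != request[1]:
        return False
    expected = response_authenticator(secret, response[0], response[1], request[4:20], response[20:])
    return hmac.compare_digest(expected, response[4:20])


def accounting_request(secret, ident, attrs):
    """RFC 2866 3: the Request Authenticator is MD5 over the packet with 16 zero octets in its place."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    auth = hashlib.md5(header + b"\x00" * 16 + body + secret).digest()
    return packet(ACCOUNTING_REQUEST, ident, auth, attrs)


def verify_accounting_request(secret, pkt):
    """Server-side check before an Accounting-Request is logged as a session start or stop."""
    if len(pkt) < 20 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return False
    expected = hashlib.md5(pkt[:4] + b"\x00" * 16 + pkt[20:] + secret).digest()
    return hmac.compare_digest(expected, pkt[4:20])


def session_exchange(secret, user, password, stored_password):
    """The exchange described above; returns [start_ok, stop_ok], or None when access is rejected."""
    req = access_request(secret, 7, user, password, "192.0.2.10")  # constructed NAS address
    recovered = reveal_password(secret, req[4:20], parse_attrs(req)[USER_PASSWORD])
    ok = hmac.compare_digest(recovered, stored_password)  # compare with the user profile
    answer = reply(secret, req, ACCESS_ACCEPT if ok else ACCESS_REJECT)
    if not verify_reply(secret, req, answer) or answer[0] != ACCESS_ACCEPT:
        return None
    acct = [accounting_request(secret, 8 + i, [attr(ACCT_STATUS_TYPE, struct.pack("!I", s)), attr(USER_NAME, user)])
            for i, s in enumerate((ACCT_START, ACCT_STOP))]
    return [verify_accounting_request(secret, p) for p in acct]
```

Because the Response Authenticator covers the Request Authenticator, a reply can only be matched to the request that carried that random value; a client that reused Request Authenticators would lose that binding, which is why they must be unpredictable.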
HP-UX AAA Server Architecture The HP-UX AAA Server architecture consists of the following components: • Configuration files. Files to provide the information necessary for the server to perform authentication, authorization, and accounting requests for your system. In most cases, these files can be modified by using the Server Manager. • AATV plug-ins.
AATV Plug-Ins An AATV plug-in defines the actions that perform a variety of functions, including authenticating requests, authorization, and logging. Built-in actions support authentication of users using information from several different repositories, and accounting requests using several different policies and storage formats.
Figure 4 Default Action Sequence Authentication to Verify the Client and User The authentication of an access request has a number of distinctive steps, as shown in Figure 5 (page 29). The rounded rectangles represent configuration files that the HP-UX AAA Server uses and the ovals represent one or more authentication types.
Figure 5 Authentication Steps Authentication Steps The HP-UX AAA Server follows these authentication steps: 1. After the HP-UX AAA server receives an Access-Request, it attempts to match the client making the request to an entry in the clients file. The server attempts to authenticate a request only if a match can be made. 2. The iaaaUsers action checks the local users file.
NOTE: If no realm is specified in the NAI, the server assigns the value NULL for the realm. You can configure NULL realm behavior in the same manner as named realms.
4. The iaaaRealm action calls another action that attempts to retrieve a matching user profile from the data store for the realm, as indicated by authfile:
• A realm-specific AAA users file;
• An external data store, such as LDAP or a database;
• A Unix user profile service via the getpwent() library call.
Figure 6 Authorization Steps
Authorization Steps
1. The server receives the Access-Request.
2. The server evaluates the request-ingress policy. This is the first step in the FSM, before the request is dispatched for processing.
3. The request ingress policy can be used to alter the request in one of the following ways:
• A-V pairs may be added, changed, or removed.
• The request classification may be altered.
• The request may be rejected immediately.
4. Check items. After authentication, each check item in the user profile is processed or matched against the request's corresponding Attribute-Value (A-V) pairs.
5. The CHK_DNY action reports the outcome to the FSM:
• If all the check and deny items associated with User-Name are satisfied, the CHK_DNY action returns an ACK value to the FSM.
• If any check or deny item, including the user's password, is not matched correctly, the authentication module returns a NAK value to the FSM.
The ReplyPrep action also checks for a Service-Type value, equates the value with user entries, and then appends reply items to the request accordingly. The attribute values for these items specify the default values to use when configuring the connection specified by Service-Type. The special user entries are not used for authentication; the reply items for one of these entries are appended to a request from any user requesting the corresponding service type.
2 Upgrading to Version A.08.02.10 This chapter explains how to upgrade to the HP-UX AAA Server A.08.02.10 from previous versions. The HP-UX AAA Server Upgrade Process The following process describes the HP-UX AAA Server A.08.02.10 product installation on a system where a previous version of the HP-UX AAA server is currently installed: 1. The contents of the existing configuration in /etc/opt/aaa/ are copied to /etc/opt/aaa.old/. If any files with the same names exist in /etc/opt/aaa.
information on OATH standards-based authentication, see “OATH Standards-Based OTP Authentication” (page 128). No migration is required. If you have modified /etc/opt/aaa/dictionary, and want to use SQL Access, OTP authentication, or pre-defined policy hooks in the FSM, merge the dictionary file. For information on merging the dictionary file, see “Merging the Dictionary File” (page 37). If you have modified the radius.
• The dictionary file
• The aaa.config file
5. Copy your legacy users files from /etc/opt/aaa.old/ to /etc/opt/aaa/ (including the default users file and all files with the .users extension). Update the users files as follows:
• Remove all DEFAULT, dumbuser, pppuser, and slipuser entries.
Upgrading from Version A.05.x to Version A.08.02.10 Contact your HP Support representative if you are upgrading from Version A.05.x to Version A.08.02.10 or if you need assistance with your migration.
Merging the Dictionary File To merge the legacy dictionary file changes into the new A.08.02.10 dictionary file, complete the following steps: 1. Copy the new dictionary file from /opt/aaa/newconfig/etc/opt/aaa/ to /etc/opt/aaa/. 2.
3 Installing and Securing the HP-UX AAA Server This chapter explains how to acquire, install, and secure the HP-UX AAA Server product. Always see the HP-UX AAA Server Release Notes for important information specific to each version of the product, including requirements and dependencies. Acquiring the HP-UX AAA Server Software You can get the most recent version of the HP-UX AAA Server product at the HP Software Depot: http://www.hp.com/go/softwaredepot.
# swinstall -s /tmp/.depot HPUX-AAAServer
NOTE: If the installation is not successful, an error message is displayed. The cause of the failure appears at the end of the /var/adm/sw/swagent.log file.
8. After installing the product, add the following entries to the /etc/services file:
# RADIUS protocol
radius 1812/udp
radacct 1813/udp
radius-dynauth 3799/udp
NOTE: These are the server’s default ports: 1812/udp for authentication (RFC 2865), 1813/udp for accounting (RFC 2866), and 3799/udp for dynamic authorization, that is, Disconnect and CoA requests (RFC 5176).
Table 5 File Locations Upon Installation (continued)
Directory: File
• radiusd: AAA Server executable
• rad_admin.sh: Tool to administer one or more HP-UX AAA Servers configured on the host
• radpwtst: AAA test client utility
/opt/aaa/examples/config: Finite state machine, sample policy files:
• *.fsm: Sample FSM tables
• sqlaccess-acct.fsm: Sample FSM required to implement accounting without session management using SQL Access
• sqlaccess-acct-sess.
• dbsetup.sql: Script that creates the database tables for the sample configuration and inserts a test user in a database table
• dbsetup.sql.dynauth_server_group: Script that creates the database tables and stored procedures for the dynamic authorization sample configuration.
NOTE: See Chapter 22: “SQL Access” (page 248) for details on using the SQL Access feature.
/opt/aaa/newconfig: Default configuration files. Files residing here are copied to the /etc/opt/aaa directory during installation.
/etc/opt/aaa/security/: Directory containing a unique set of self-signed digital certificates created during installation.
/opt/aaa/share/man/man5 and ~/man1m: Directories where manpages are installed.
/opt/aaa/share/doc/: Directory containing the Administrator’s Guide and product documentation.
Table 6 Files Generated During Operation
Directory: File
/acct/session.yyyy-mm-dd.log: Default session accounting logs, Merit style
/data/session.las: Currently active sessions log file
/ipc/*.sm: Shared memory files related to the interface used for some authentication types.
IMPORTANT: You must not alter or delete the shared memory (*.sm) files. The server does not operate correctly if the files are changed or removed from the ipc directory.
/logs/logfile: The server log file
/logs/logfile.
6. Change the “secret” portion to the same value configured in Step 3.
IMPORTANT: The rmi.config.secret in /opt/aaa/remotecontrol/rmiserver.properties and in /opt/hpws22/tomcat/webapps/aaa/WEB-INF/gui.properties must be identical.
Changing the Default test_user Settings HP recommends changing the default test_user password. This password can be changed only after starting the Server Manager.
IMPORTANT: Replace the password placeholder with the password used to generate the keystore in Step 1.
4. Stop and start Tomcat:
• Stop: /opt/hpws22/tomcat/bin/shutdown.sh
• Start: /opt/hpws22/tomcat/bin/startup.
/opt/aaa/remotecontrol/rmistart.sh
10. Point your web browser to: http://:8081/aaa
11. Log in with the new AAA Server-specific user name and password.
Running the HP-UX AAA Server on Hosts with System Hardening Software If you are setting up the HP-UX AAA Server on a system that is being hardened using lock-down software such as Bastille, you must ensure that the ports used by the HP-UX AAA Server are kept open.
NOTE: Before starting and stopping the Remote Method Invocation (RMI) server, the JAVA_HOME environment variable must be set to appropriate path. For example, to use Java7, export JAVA_HOME to the /opt/java7 path. If the JAVA_HOME environment variable is not set or set incorrectly, the default value /opt/java6 is used to start and stop the RMI Server. 3. Use the following command to start the RMI objects as the aaa user: $ su - aaa -c /opt/aaa/remotecontrol/rmistart.sh 4.
# stop the daemon!!!
if [[ -x /opt/aaa/remotecontrol/rmistop.sh ]]; then
    /opt/aaa/remotecontrol/rmistop.sh >/dev/null 2>&1
fi
7. Change the then statement to stop the RMI objects as the aaa user during shutdown:
Change:
if [[ -x /opt/aaa/remotecontrol/rmistop.sh ]]; then
    /opt/aaa/remotecontrol/rmistop.sh >/dev/null 2>&1
fi
To:
if [[ -x /opt/aaa/remotecontrol/rmistop.sh ]]; then
    /usr/bin/su - aaa -c /opt/aaa/remotecontrol/rmistop.sh >/dev/null 2>&1
fi
8.
4 Enabling the HP-UX AAA Server for GUI-based Administration This chapter explains how to enable your HP-UX AAA server software to begin administration.
JAVA_HOME to the /opt/java7 path. If the JAVA_HOME environment variable is not set or set incorrectly, the default value /opt/java6 is used to start and stop the RMI Server.
To start and stop the RMI objects, use the following commands:
• To start: /opt/aaa/remotecontrol/rmistart.sh
• To stop: /opt/aaa/remotecontrol/rmistop.sh
• Status: netstat -a | grep 7790
Starting and Stopping Tomcat To start and stop Tomcat, use the following commands:
• To start: /opt/hpws22/tomcat/bin/startup.
11. Verify that your HP-UX AAA Server is installed and operating correctly by using the testing user (named test_user) created during installation. After test_user is authenticated and the AAA server sends an Access-Accept, the client sends an Accounting-Request to start the session. After the session is terminated, the client sends an Accounting-Request stop message to stop the session logging and the AAA server writes the session information to a file. a.
AAA Server Start Options Select the Start button’s corresponding icon to display the Start Options screen shown in Figure 8. Table 8 describes the start options you can use.
Figure 8 Server Manager’s Start Options Screen
Table 8 Server Start Options
Option: Description
Authentication: Specifies the UDP port number on which to listen for authentication requests. The default authentication port number is 1812.
Accounting: Specifies the UDP port number on which to listen for accounting requests.
Server Manager’s Reload Feature The Reload button signals the HP-UX AAA Server to reload specific configuration information while the server is running. The result of the command is displayed in the Message frame. The HP-UX AAA server reloads the following files and the client policy files after you select Reload:
• users
• clients
• authfile
• aaa.config
• engine.
Table 9 radiusd Options (continued)
Option: Description
-da AATV-directory: Specifies the directory where the AATV libraries are located. If omitted, the default directory is /opt/aaa/aatv.
-dl Logfile-directory: Specifies the directory where the log and debug files are located. If omitted, the default directory is /var/opt/aaa/logs.
-di IPC-directory: Specifies the directory where the files generated for shared memory operation are located. If omitted, the default directory is /var/opt/aaa/ipc.
-f FSM: Allows the user to specify an alternate Finite State Machine (FSM) table file instead of the default radius.fsm file. The default FSM file (/etc/opt/aaa/radius.fsm) follows Merit style accounting behavior.
-l Log-format: strftime(3) format for naming logfiles. The -l option specifies the logfile name format with timestamp precision and dictates when a logfile must start logging.
IMPORTANT: When started by the inetd service, radiusd times out if it does not receive a message in 15 minutes. With the -t Timeout option, you can override this value. If the value is set to 0, it waits indefinitely without timing out.
Configuring the HP-UX AAA Server to Start Automatically Upon System Reboot You can configure the HP-UX AAA Server (radiusd) and RMI objects to start automatically after a system reboot. • Set the RADIUSD variable in /etc/rc.config.d/radiusd.conf to 1.
You can install a server on any machine that meets the system requirements and that is reachable over the network from the machine hosting the Server Manager. To add an HP-UX AAA Server to your network, complete the following steps: 1. From the navigation tree, click the Server Connections link and then click the Connect to Server link. 2. On the Create New Server Connection screen that appears, enter values as shown in Table 10.
Part II Configuring the HP-UX AAA Server Manager Using the Server Manager GUI This part of the HP-UX AAA Server Administrator’s Guide contains the following chapters: • Chapter 5: “The HP-UX AAA Server Manager Interface” (page 61) • Chapter 6: “Managing HP-UX AAA Servers” (page 63) • Chapter 7: “Configuring RADIUS Clients Using the Access Devices Screen” (page 70) • Chapter 8: “Configuring Realms” (page 73) • Chapter 9: “Configuring Proxies” (page 82) • Chapter 10: “Configuring Users” (page 89)
Contents
5 The HP-UX AAA Server Manager Interface (page 61)
Commonly Used Icons in the GUI (page 61)
6 Managing HP-UX AAA Servers (page 63)
Using the Server Connections Screen (page 63)
Adding a New Server Connection
Specifying Attributes Using the Free Attributes Pane (page 91)
Modifying User Profiles (page 91)
Deleting a User Profile (page 92)
To Delete a User Profile From the Default users File
5 The HP-UX AAA Server Manager Interface HP-UX AAA Server Manager (Server Manager) is a browser-based application. It uses the HP-UX Tomcat-based Servlet Engine to provide a configuration interface between a web browser and one or more AAA servers. The Server Manager is used to start, stop, configure, and modify the servers. In addition, Server Manager can retrieve information about logged server sessions and accounting information for an administrator.
• Click the edit icon to edit the corresponding entry.
• The read-only indicator shows that the configuration file cannot be modified using the Server Manager. Edit the configuration file manually using a command line editor.
6 Managing HP-UX AAA Servers Your server configuration can be synchronized and controlled across one or more server installations. These server installations can be on the same machine as the Server Manager program, or on different machines. Server Manager identifies each AAA installation as a server connection and maps a hostname to the IP address (both traditional IPv4 and IPv6 address formats are supported) or DNS name of a remote machine where an AAA server is installed.
1. Click the add icon to display the Add Connection screen. The Add Connection screen appears as shown in Figure 12.
Figure 12 The Add Connection Screen
2. In the Connection Attributes form, enter your connection attributes according to the format shown in Table 11.
Table 11 Fields in the Connection Attributes Form
Field Name: Attributes
Name: The identifying string of a remote server
Domain Name or IP Address: The client IP address or DNS name. Both traditional IP (IPv4) and IPv6 address formats are supported.
Figure 13 The Modify Connection Screen The HP-UX AAA Server Properties section of the form includes a list of pathnames that cannot be modified. These pathnames must match the installation directories of the remote server.
IMPORTANT: When setting an option to a given directory, the directory must exist and be editable on the machine. You must specify the logfile directory to access session logs through the maintenance functions listed in the navigation tree menu.
Figure 15 Server Manager’s Server Status Frame When your network includes multiple HP-UX AAA Servers, click the check box that precedes each listed connection to specify whether a command applies to the corresponding server. When a server command, such as Start, is submitted, it will only be sent to checked servers. When you retrieve server logging, statistics, active sessions, or account information, only information from the checked servers will be displayed.
tree, the interface (shown in Figure 16) displays a prompt. You can edit the server configuration settings using this prompt. Information for the access device, proxies, local realms, users, and server properties in the loaded configuration will replace the existing information for all server configuration items.
To use SCP when saving or loading a configuration, you must enable key-based authentication (which does not prompt for a password) between the user account configured to start Tomcat (HP-UX AAA Server Manager) on the local host and the user account configured to start the RMI Server on the remote host. The remote user account defaults to aaa; the rmiserver.aaa.user property in the rmiserver.properties file can be modified to change that default.
1. To transfer the public key to the remote system, enter the following command at the HP-UX prompt: # scp @:/ NOTE: Replace public key path with the file path where the public key is saved. Replace user with the name of the user who starts the RMI server on the corresponding host. Replace remoteserver with the name of the remote server where RMI server is running.
7 Configuring RADIUS Clients Using the Access Devices Screen The server configuration must include all the clients (NASs, access points and other network devices) that can communicate with the HP-UX AAA Server. If an access device is not included in the configuration, the server will not handle requests from, or send requests to the client. The Access Devices screen allows you to add a new client, and modify, or delete an existing client in the server configuration.
Table 13 Add Access Device Configuration Form Options (continued)
Option: Function
host name. When specifying Name as a DNS host name, you must use the name returned by the hostname command.
Notes:
• Ensure that your DNS is configured correctly (with both forward and reverse entries) for your AAA server. The AAA server determines the name of the machine that it is running on. If this name does not match your local DNS server's database, you cannot configure the access device correctly.
Debug: Dumps packets into the server’s debug output file.
No Check: Helps enhance server performance. When this option is checked, the HP-UX AAA Server does not check all attributes to determine if the request is a duplicate. Check this option only if you know that the client sends standard messages that can easily be detected as duplicates.
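What the No Check option trades away, as an added illustration that is not the HP-UX AAA Server's own duplicate-detection code: the two comparison policies below are assumptions. The quick policy keys a request on the client address and the 8-bit RADIUS Identifier only (the minimum RFC 2865 names for spotting retransmissions); the full policy also binds the Request Authenticator and every attribute. A genuine retransmission hits the cache under both policies, but a different request that reuses a recent Identifier is answered from the cache only under the quick policy. The client address, packets and reply are constructed samples.

```python
import hashlib
import time

# Added illustration (not the HP-UX AAA Server's code); the two key schemes are assumptions.
WINDOW_SECONDS = 5.0  # how long a cached reply is returned for retransmissions


class DuplicateCache:
    def __init__(self, check_attributes=True, window=WINDOW_SECONDS):
        self.check_attributes = check_attributes
        self.window = window
        self._entries = {}  # key -> (expires_at, reply)

    def _key(self, client_addr, request):
        key = (client_addr, request[1])  # (ip, port) and the 8-bit Identifier
        if self.check_attributes:
            # Full check: bind the Request Authenticator and every attribute as well.
            key += (hashlib.sha256(request[4:]).digest(),)
        return key

    def lookup(self, client_addr, request, now=None):
        """Return the cached reply for a duplicate, or None."""
        now = time.monotonic() if now is None else now
        entry = self._entries.get(self._key(client_addr, request))
        return None if entry is None or entry[0] < now else entry[1]

    def remember(self, client_addr, request, reply, now=None):
        now = time.monotonic() if now is None else now
        self._entries[self._key(client_addr, request)] = (now + self.window, reply)
        for key in [k for k, (exp, _) in self._entries.items() if exp < now]:
            del self._entries[key]  # keep the cache bounded


def radius_packet(code, ident, authenticator, attrs):
    """Minimal RADIUS encoding (RFC 2865 section 3) for the constructed samples below."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    length = 20 + len(body)
    return bytes([code, ident, length >> 8, length & 0xFF]) + authenticator + body


def demo(check_attributes):
    """Return (retransmit_hit, reused_id_hit, expired_miss) for the chosen policy."""
    cache = DuplicateCache(check_attributes=check_attributes)
    nas = ("192.0.2.10", 49152)  # constructed client address
    first = radius_packet(1, 42, bytes(range(16)), [(1, b"alice"), (2, b"\x00" * 16)])
    cache.remember(nas, first, b"Access-Accept", now=100.0)
    # The NAS times out and retransmits the identical request: both policies answer from cache.
    retransmit_hit = cache.lookup(nas, first, now=101.0) is not None
    # A different request that reuses Identifier 42 with a fresh Request Authenticator.
    second = radius_packet(1, 42, bytes(reversed(range(16))), [(1, b"mallory"), (2, b"\x11" * 16)])
    reused_id_hit = cache.lookup(nas, second, now=101.0) is not None
    # After the window the cached reply is no longer returned.
    expired_miss = cache.lookup(nas, first, now=200.0) is None
    return retransmit_hit, reused_id_hit, expired_miss
```

The cost of the full policy is one hash over each request, which is why the option is framed as a performance choice; enable No Check only for clients whose Identifier reuse behaviour you have observed.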
8 Configuring Realms A realm is a group of users who share a common characteristic, such as being customers of the same Internet Service Provider (ISP). All users of a given realm are handled in the same way, either proxied to a remote server or locally authenticated using a specified method according to the authentication type assigned to the realm.
Figure 22 Server Manager’s Local Realm Attributes Screen 3. Complete the form on the Local Realm Attributes screen according to the information given in Table 14. Table 14 Fields in the Local Realm Attributes Form Option Function Name Name of the realm that must be mapped. This name does not have to be a DNS host name. However, HP recommends that the realm name match a domain name. The user will then be able to recognize the user@realm syntax that resembles their email address.
Table 14 Fields in the Local Realm Attributes Form (continued) Option Function User password lookup is performed through the name-service switch configured in /etc/nsswitch.conf. See the nsswitch.conf man page for more information. • No Store: EAP-TLS Certificates: Choose this option if you are using TLS and do not want to store user information. If you are using TLS, you are not required to store user information because the TLS certificates provide the user information needed for authentication.
3. Modify the properties on the Local Realm Attributes screen according to the information given in Table 14.
4. To submit changes to the realm entry to the Server Manager, click Modify. To return to the Realms screen without making any changes to your server configuration, click Cancel.
NOTE: This icon indicates that the configuration file cannot be modified using the Server Manager. Edit the file manually using a command line editor.
1. In the Local Realms screen, click the icon corresponding to the realm you want to delete. The Delete Local Realm screen appears as shown in Figure 23. This screen allows you to preview the realm attributes before you confirm deletion. Figure 23 The Delete Local Realm Screen 2. Click Delete to delete the realm. Click Cancel to return to the Local Realms screen without deleting the realm.
Figure 24 User Storage Parameters for Database Access via SQL
5. In the User Storage Parameters Field, select one of the following options:
• RADIUS Attribute: Specify the RADIUS attribute in the : format. This RADIUS attribute must contain the SQL action used for authentication. If vendorID is not specified, 0 (which corresponds to a standard RADIUS attribute) is used.
6. In the User Storage Parameters Field, select New LDAP Directory or the name of an existing LDAP Directory.
7. In the LDAP screen that appears, configure the LDAP directory using the information described in Table 16.
Table 16 Values for Configuring Realms for LDAP Value Description Directory Name Start of a directory configuration. Give a name to the directory, which can be an arbitrary string. If the name contains spaces or tabs, the string must be enclosed in single or double quotes.
Table 16 Values for Configuring Realms for LDAP (continued) Value Description IMPORTANT: With multiple LDAP directory servers, the Filter used for lookups must be consistent across all directories specified for a particular realm. Potential filters are uid, User-Id or some other key that uniquely identifies a subject to be authenticated on the system. Currently, the LDAP module does not enforce the use of consistent filters, but using inconsistent filters may produce unpredictable authentication failures.
Debug 0
}
• Retry-Interval sets the number of seconds for the AAA server to wait before trying to reconnect to an LDAP directory server when a realm has failover directory servers configured. The default value is 60 seconds.
• Retry-Wait sets the number of seconds that the AAA server will wait before attempting to connect to the same failover LDAP server. When all failover directory servers configured for a realm are down, the AAA server will try to reconnect to one every time an access request is received.
9 Configuring Proxies AAA proxy is an entity that acts as both a client and a server. When a request is received from a client, the proxy acts as a AAA server. When the same request needs to be forwarded to another AAA entity, the proxy acts as a AAA client. Figure 25 illustrates both ends of a proxy configuration relative to the local host. When the local host receives a request that it will authenticate, the server that forwarded the request is called the proxy server.
3. Change the default shared secret and confirm it by entering it again.
4. Click Modify.
IMPORTANT: Changing the default shared secret increases the security of your HP-UX AAA Server. HP recommends that all customers change the default values.
Creating or Modifying a Proxy When adding a proxy entry to the server configuration or modifying an existing entry, you must supply values for the proxy attributes through the Server Manager's Proxy Attributes Screen.
Table 17 Proxy Configuration Options (continued) Option Function Notes:
• To accept forwarded requests from any IPv4 address or from any IPv4 address of a particular subnet, specify a wildcard pattern. Examples of valid IPv4 wildcard patterns are:
◦ *
◦ 192.*
◦ 192.0.*
◦ 192.0.2.*
• To allow access from any IPv6 address or from a group of IPv6 addresses, specify an IPv6 wildcard pattern.
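Worked example, added here and not part of the HP-UX AAA Server or this guide: a small Python interpreter for the IPv4 wildcard patterns listed above. The server's own pattern parser is not shown on this page, so the grammar assumed is the one the examples imply (one to four dotted octets, optionally ending in a single *); the /24 review threshold is likewise an assumption. It turns each pattern into the CIDR block it admits and flags the broad ones, because with a bare * the RADIUS shared secret is the only thing standing between an arbitrary host and your proxy.

```python
"""Interpret the IPv4 wildcard patterns accepted in a proxy entry's address
field (Table 17) and report how much address space each admits.

Added example; not HP-UX AAA Server code. Assumed grammar (from the listed
examples): one to four dotted octets, optionally ending in a single '*'
that stands for all remaining octets.
"""
import ipaddress
import re

_OCTET = re.compile(r"^(25[0-5]|2[0-4]\d|1?\d?\d)$")


def pattern_to_network(pattern: str) -> ipaddress.IPv4Network:
    """Translate a wildcard pattern into the CIDR block it admits.

    '*'          -> 0.0.0.0/0     (every IPv4 address)
    '192.*'      -> 192.0.0.0/8
    '192.0.*'    -> 192.0.0.0/16
    '192.0.2.*'  -> 192.0.2.0/24
    '192.0.2.10' -> 192.0.2.10/32 (no wildcard: exact host)
    Raises ValueError for anything else, e.g. '192.*.2.*' or '192.0.2'.
    """
    parts = pattern.strip().split(".")
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"bad pattern {pattern!r}")
    wildcard = parts[-1] == "*"
    fixed = parts[:-1] if wildcard else parts
    if "*" in fixed or not all(_OCTET.match(p) for p in fixed):
        raise ValueError(f"bad pattern {pattern!r}")
    if not wildcard and len(parts) != 4:
        raise ValueError(f"bad pattern {pattern!r}")
    prefix_len = 8 * len(fixed)
    octets = fixed + ["0"] * (4 - len(fixed))
    return ipaddress.IPv4Network(f"{'.'.join(octets)}/{prefix_len}")


def matches(pattern: str, source: str) -> bool:
    """True if a request from `source` would be accepted under `pattern`."""
    return ipaddress.IPv4Address(source) in pattern_to_network(pattern)


def review(pattern: str, max_prefix_len_allowed: int = 24) -> dict:
    """Flag patterns broader than /max_prefix_len_allowed (threshold is an
    assumption). With a broad pattern the shared secret is the only control
    keeping strangers' forwarded requests out."""
    net = pattern_to_network(pattern)
    return {
        "pattern": pattern,
        "network": str(net),
        "addresses": net.num_addresses,
        "too_broad": net.prefixlen < max_prefix_len_allowed,
    }


if __name__ == "__main__":
    for p in ("*", "192.*", "192.0.*", "192.0.2.*", "192.0.2.10"):
        print(review(p))
```

Run it over the patterns you intend to put in the proxy configuration; anything reported as too_broad deserves a second look before you rely on the shared secret alone.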
3. If you are adding a new proxy entry, click Create to submit the new proxy to the Server Manager. If you are modifying an existing entry, click Modify to submit changes made to the proxy entry to the Server Manager. Click Cancel to return to the Proxy screen without making any changes to your server configuration.
4. From the navigation tree, click Save Configuration.
5. On the Save Configuration screen that appears, click Save.
Forwarding Authentication Requests to a Remote Server To forward authentication requests to a remote server, complete the following steps:
1. Follow the steps listed in “Creating or Modifying a Proxy” (page 83).
2. In the Realms to Forward field, select the Add Realms option.
3. Complete the Proxy Realm screen that appears by entering the name of the realm.
4. Select Yes if accounting requests are not to be forwarded to the proxy server.
5. On the Proxy Realm screen, click Save.
6.
Table 19 Accounting Logging Options Configuration Logging Location • Account forwarding set to Yes for a proxy configuration • Local • No.
3. Replace the two instances of default.accounting.proxy.server with the DNS name or IP address of the server that you want to forward the accounting messages to. To forward the accounting to a different port, use the following syntax:Acct:Port.
IMPORTANT: The server you specify must be added to your proxy configuration.
4. Save radius.fsm.
5. Restart the server if it is already running.
Deleting a Proxy Complete the following steps to delete a proxy:
1.
10 Configuring Users User profiles associate information with a user name for authentication and authorization. This information is defined by attribute-value pairs. The server configuration must include profiles for all the users that can access services through the AAA server. If a user profile is not included in the configuration, the server will reject the user's access request. Profiles are stored in flat text files or in an external source. This section covers user profiles stored in a text file.
To add or modify a user's profile, complete the following steps:
1. From the navigation tree, click Users. The Users screen appears as shown in Figure 29.
2. To add a new user, click the icon corresponding to the New user link. The Add Users screen appears as shown in Figure 30.
Figure 30 The Add Users Screen
3. Enter values in the form as per the instructions in Table 20.
Table 20 General Attributes in the Add User Screen (continued)
Attribute Name: Callback Number (optional). Description: This attribute indicates a dialing string to be used for callback.
Attribute Name: Callback ID (optional). Description: This attribute indicates the name of a place to be called, to be interpreted by the NAS.
4. Click Create in the User Attributes screen.
5. Repeat steps 2 to 4 for each user profile you wish to add to the realm.
6. From the navigation tree, click Save Configuration.
Figure 31 The Modify Users Screen
3. Fill the fields in the form according to the information given in Table 20.
4. Click Modify to save changes. Click Cancel to exit without saving changes.
Deleting a User Profile You can delete a user profile in the default users file or in a realm file, which is the file created for a realm that uses file type authentication.
To Delete a User Profile From the Default users File To delete a user profile in the default users file, complete the following steps:
1.
2. Click Delete to delete the displayed user profile. Click Cancel to return to the Users screen without deleting the user profile.
To Delete a User Profile in a Local Realms File Complete the following steps to delete a user profile in a local realms file:
1. In the Local Realms screen, select the users icon for a listed realm that is configured for file type authentication. The Users screen appears displaying a list of users in that realm.
2.
11 Modifying Server Properties You can modify server variables to override built-in defaults. Server startup options override the corresponding server property setting. You can modify server variables using the Server Properties screen. Enter values for the given parameters to modify a server variable. Navigating the Server Properties Screen The Server Properties screen can be accessed by selecting the Server Properties link in the Server Manager navigation tree.
Table 21 DHCP Relay Properties (continued) Option Function Send Maximum DHCP Message Size If Yes, always select the Maximum DHCP Message Length as the message size sent to the DHCP server. This is required by some DHCP servers. If No, use the minimum possible message size. The preselected value is No. DHCP Server Name (optional) DNS name of the DHCP server. This value is only used if the DHCP server IP address value is not specified.
Table 23 Message Handling Properties (continued) Option Function Max. Accounting Requests (optional) Sets the maximum number of simultaneous accounting requests to be handled by the system. When this limit is exceeded, the requests are dropped with a message in the logfile. Hold Accounting Requests (optional) The time in seconds each accounting request should be held after the Hold Replies time. This option is used for debugging purposes only. If no value is specified, 0 will be used. Max.
Certificate Properties Clicking Certificate Properties takes you to the Certificate Properties screen where you can modify the properties described in Table 24.
Table 24 Certificate Path Properties Option Function
Server Certificate Path: For TLS, TTLS, and PEAP. Fully-qualified file name of the AAA server certificate in .pem or .cer format.
Server Private Key Path: Fully-qualified file name of a file in .pem or .cer format that contains the private key corresponding to the AAA server certificate.
(Yes), the AAA Server ignores any "host/" prefix in the user name passed from the client request. The default setting is Yes (enable). If this parameter is enabled, the HP-UX AAA Server can still authenticate supplicants that do not have “authenticate as a computer” configured. Local Users File Properties Enable (Yes) to enable case-insensitive searching in the default users file. The default setting is No (case sensitive search is disabled by default).
Table 26 AAA Server As A Client Properties Option Description Max Client Requests Specifies the maximum number of client requests that can be stored in the client queue. Client requests exceeding the specified limit are discarded. The default value is 25000. Global Client Retry Limit Specifies the maximum number of retries that the Client AATV sends. The default value is 2.
12 Logging and Monitoring This chapter covers the server's diagnostic functions that allow you to search and display information related to the server's operation and usage. Overview You can view the log files that record the details of each AAA transaction or the session logs that record information about each user's session. You can also access information for active sessions and manually terminate a session if necessary.
Search Parameters You can filter what dates and times to retrieve from the logfile. Table 28 Filter Parameters for Searching Logfiles Option Description Begin (server time) The date and time of the first record in the range of data to retrieve. End (server time) The date and time of the last record in the range of data to retrieve. User Limits the result of the search command to messages related to a specific user. For example, you can choose to find out why a user is not able to authenticate.
Figure 35 Server Manager’s Statistics Screen Table 29 Statistic Search Parameters Option Description Begin (server time) The date and time of the first record in the range of data to retrieve. End (server time) The date and time of the last record in the range of data to retrieve. The AAA server statistics are displayed in a bar graph similar to the example in Figure 36.
Figure 37 Accounting Logfile Search Screen in Server Manager Table 30 Accounting Logfile Search Parameters Option Description Begin The date and time of the first record in the range of data to retrieve. End The date and time of the last record in the range of data to retrieve. User Only searches for sessions that used the specified ID. An accounting search returns a list of users.
After the first line of a session record, each A-V pair in the accounting message that triggered the logging activity is listed. NOTE: The default session format (Merit) corresponds to the log_v2_0 setting for the aatv parameter in the log.config file, see “The log.config File ” (page 397). Alternate formats, Livingston for example, may be specified. Time-Based Values Started at: This is the time when the session first arrived at the RADIUS server. It is the number of seconds since 00:00:00 GMT, Jan.
Table 31 Reasons Why The Record Was Generated (continued) Reason Integer Billed/Info Description AC_DUPLICATE 13 Info Duplicate accounting record received: This record is intended for statistics only. AC_COLLISION 14 Billed The session is released due to a NAS and port collision. Session: Session identifier, an arbitrary string with a maximum length of eight. The algorithm used to generate a session identifier.
The above session record will also include any additional A-V pairs that were included in an Accounting-Request message. The attribute value pairs displayed above may differ depending on the server configuration. NOTE: Merit is the default logging format.
Changing the Accounting Log Filename
1. Open the log.config configuration file (found in /etc/opt/aaa by default).
2. Locate the following lines, which should be found at the beginning of the file:
# Default logging configuration if there is no log.
stream stream-name The AAA server accounting stream. If stream-name is not specified then the default stream ( *default* ) will be used. This should be used along with the keyword roll. radsignal has the following options: -h Displays a help message. -v Displays version information. -di ipcdir The directory where the radiusd shared memory files are located. If omitted, the default is /var/opt/aaa/ipc. log level msg_type msg_sub_type log_level Sets the log level for the specified RADIUS message type.
Part III Advanced Configuration Information This part of the HP-UX AAA Server Administrator’s Guide contains the following chapters: • Chapter 13: “Securing LAN Access With EAP” (page 113) • Chapter 14: “Managing Sessions” (page 120) • Chapter 15: “Assigning IP Addresses” (page 124) • Chapter 16: “OATH Standards-Based OTP Authentication” (page 128) • Chapter 17: “Configuring EAP-SIM and EAP-AKA Authentication Methods” (page 161) • Chapter 18: “Configuring HP-UX AAA Server for Scalability and High
Contents 13 Securing LAN Access With EAP..............................................................113 Overview............................................................................................................................113 The Secure LAN Advisor...................................................................................................113 Preparing Your LAN .............................................................................................................
Sample Policy Files......................................................................................................159 The oath-request-ingress.grp Sample File....................................................................159 The oath-reply-egress.grp Sample File........................................................................159 The oath-proxy-egress.grp Sample File.......................................................................
Update AATV Outputs.............................................................................................191 AATV Functionality and Return Events........................................................................191 Pseudonym Database Lookup AATV...............................................................................192 Lookup AATV Inputs................................................................................................192 Lookup AATV Outputs..................................
Replay Protection....................................................................................................234 Message-Authenticator............................................................................................235 Reverse Path Forwarding Check for Proxies................................................................236 Sample Configuration Files....................................................................................................237 The client-request-init.grp.
13 Securing LAN Access With EAP IMPORTANT: The EAP-LEAP authentication method is obsolete as of the A.08.00 release of the HP-UX AAA Server and is replaced by the EAP-PEAP authentication method. HP recommends that you use EAP-PEAP in place of EAP-LEAP for improved security: unlike EAP-LEAP, EAP-PEAP supports mutual authentication and uses an encrypted (TLS) tunnel to transmit the user's credentials. This chapter provides information about securing LANs with EAP using the HP-UX AAA Server.
Preparing Your LAN A LAN requires you to synchronize items on the supplicant, access point, and AAA server. The following table lists the items you need to synchronize on each node and provides notes on configuring each item. Table 32 LAN Configuration Items Item Nodes Notes Shared Secret • Access Device The shared secret configured on the access device and AAA server must match for the two to communicate. Use the Access Devices link to configure this item on AAA servers.
1. Dynamic Key Exchange—Distributes a user-specific encryption key to the client and access device during the authentication process. Without this feature, all clients must share the same static encryption key.
2. Mutual Authentication—Protects against unauthorized (rogue) access devices by allowing clients to authenticate the network they are connecting to.
3. Password-based Authentication—Clients provide a password to authenticate to the network.
Table 33 Supported EAP Methods and Their Features (continued) EAP Method Feature Description MS-CHAP (features 2, 3) Microsoft Challenge Handshake Authentication Protocol: Passwords are hashed using a Microsoft algorithm. Can be deployed for protecting access to LAN switches where the authentication traffic will not be transmitted over airwaves. Can also be safely deployed for wireless authentication inside EAP tunnel methods (see feature 5 above).
Using the “Self-Signed” Digital Certificates The HP-UX AAA Server creates a unique set of “self-signed” digital certificates during installation that are based on its DNS name. Server Manager uses these certificates by default. You can use the self-signed certificates in production environments for TTLS and PEAP, and in testing environments for TLS. The self-signed server certificates are in /etc/opt/aaa/security/.
NOTE: See the supplicant documentation to determine each supplicant’s specific certificate requirements. For example, some supplicants require the client and server certificate to have the Enhanced Key Usage (EKU) field. For the client certificate, the Enhanced Key Usage (EKU) field must contain the Client Authentication certificate purpose (OID "1.3.6.1.5.5.7.3.2"); and, for the server certificate, the EKU field must contain the Server Authentication certificate purpose (OID "1.3.6.1.5.5.7.3.1").
3. Define the locations of the certificates by entering the path and clicking Create. The following list explains how to enter the path names in these fields:
• Server Certificate Path: For TLS, TTLS, and PEAP. Enter the fully-qualified file name of the AAA server certificate in .pem or .cer format.
• Server Private Key Path: Enter the fully-qualified file name of a file in .pem or .cer format that contains the private key corresponding to the AAA server certificate. This file cannot be encrypted, so protect it with restrictive file permissions.
14 Managing Sessions NOTE: This chapter does not apply to session management using the SQL Access feature. See Chapter 22: “SQL Access” (page 248) for more information on session management using the SQL Access feature. This chapter covers two procedures: reading records of active sessions, and manually stopping sessions. Session Logs After a user is successfully authenticated and the AAA server sends an Access-Accept, the access device will send an Accounting-Request message to start the session.
4. Select a session. The AAA server manager will display the attributes for the selected session similar to the example shown in Figure 43. Figure 43 Example of a Session’s Attributes 5. Click OK when you are done reading the session. Stopping a Session This procedure is intended for sessions that were terminated on the access device but are maintained as active by the AAA server. 1. Follow the procedure described in “Displaying Session Attributes” (page 120). 2.
2. Associate the user profile with the filter ID. • If the user profile is stored in a AAA server users file (grouped by realm or the default file), select the General tab from the User Attributes screen and specify the ID in the Filter ID field.
5. Access the user profile and set the simultaneous session limit. • If the user profile is stored in a AAA server users file, select the Free tab from the User Attributes screen and then enter the following in the Check text box according to the limits you want to set.
15 Assigning IP Addresses The following information explains how the HP-UX AAA Server can be used to assign static or dynamic IP addresses to users. IMPORTANT: Currently, only static IPv6 addresses and prefixes can be assigned using the HP-UX AAA Server. Dynamic assignment of IPv6 addresses is not supported. Assigning Static IP Addresses The procedure for assigning the static IP (IPv4 and IPv6) addresses depends on where the user profile is stored.
Figure 45 The Framed User Attributes Form
5. Enter the static IP for the user in the Framed IP Address field.
6. Click Modify.
To Assign a Static IPv6 Address to a Profile in Flat Files To assign a static IPv6 address to a user profile stored in AAA server flat files, complete the following steps:
1. From the navigation tree, click Local Realms.
2. Choose the users icon for the realm the user is in. The Users screen appears as shown in Figure 46.
Figure 46 The Users Screen
3.
4. Click the Framed tab. The Framed User Attributes form is displayed on the screen as shown in Figure 47.
Figure 47 The Framed User Attributes Form
5. Enter the static IPv6 Interface Id for the user in the Framed Interface ID field.
6. Enter the static value for the prefix that needs to be assigned to the user in the Framed IPv6 Prefix field.
NOTE: See “Syntax of IPv6 Attributes” (page 389) for more information on IPv6 attributes.
7. Click Modify.
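Worked example, added here and not taken from the HP-UX AAA Server or this guide: the values entered in the Framed tab leave the server as RADIUS attributes, and this Python block builds and decodes the three involved, Framed-IP-Address (type 8, RFC 2865), Framed-Interface-Id (type 96) and Framed-IPv6-Prefix (type 97, both RFC 3162). The users-file syntax the guide refers to ("Syntax of IPv6 Attributes") is not on this page and is not reproduced; the colon-separated interface-id notation and the sample addresses (RFC 5737 and RFC 3849 documentation ranges) are constructed for the example. The decoder checks the length fields, the reserved byte and the prefix length instead of trusting them, and rejects a prefix with non-zero bits beyond its length, as RFC 3162 requires.

```python
"""Wire encoding of the RADIUS attributes that carry a static address:
Framed-IP-Address (type 8, RFC 2865), Framed-Interface-Id (type 96) and
Framed-IPv6-Prefix (type 97), both RFC 3162.

Added example; not HP-UX AAA Server code. Interface-id notation and the
sample addresses are constructed (RFC 5737 / RFC 3849 documentation ranges).
"""
import ipaddress
import struct

FRAMED_IP_ADDRESS = 8
FRAMED_INTERFACE_ID = 96
FRAMED_IPV6_PREFIX = 97


def _tlv(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute = Type(1) Length(1, includes the 2-byte header) Value."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def encode_framed_ip_address(addr: str) -> bytes:
    return _tlv(FRAMED_IP_ADDRESS, ipaddress.IPv4Address(addr).packed)


def encode_framed_interface_id(iid: str) -> bytes:
    """iid as four colon-separated hex groups, e.g. '0200:5eff:fe00:0001' (64 bits)."""
    raw = bytes.fromhex(iid.replace(":", ""))
    if len(raw) != 8:
        raise ValueError("interface id must be 64 bits")
    return _tlv(FRAMED_INTERFACE_ID, raw)


def encode_framed_ipv6_prefix(prefix: str) -> bytes:
    """Value = Reserved(0) Prefix-Length(1) Prefix (only the bytes the length covers)."""
    net = ipaddress.IPv6Network(prefix)  # strict: rejects host bits set beyond the prefix
    nbytes = (net.prefixlen + 7) // 8
    value = struct.pack("!BB", 0, net.prefixlen) + net.network_address.packed[:nbytes]
    return _tlv(FRAMED_IPV6_PREFIX, value)


def decode_attributes(blob: bytes) -> list:
    """Walk a run of attributes and decode the three address attributes,
    raising ValueError on anything malformed rather than trusting the lengths."""
    out, i = [], 0
    while i < len(blob):
        if len(blob) - i < 2:
            raise ValueError("truncated attribute header")
        t, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("attribute length out of range")
        v = blob[i + 2:i + length]
        if t == FRAMED_IP_ADDRESS:
            if len(v) != 4:
                raise ValueError("Framed-IP-Address must be 4 bytes")
            out.append(("Framed-IP-Address", str(ipaddress.IPv4Address(v))))
        elif t == FRAMED_INTERFACE_ID:
            if len(v) != 8:
                raise ValueError("Framed-Interface-Id must be 8 bytes")
            h = v.hex()
            out.append(("Framed-Interface-Id", ":".join(h[j:j + 4] for j in range(0, 16, 4))))
        elif t == FRAMED_IPV6_PREFIX:
            if len(v) < 2 or v[0] != 0 or v[1] > 128 or len(v) - 2 > 16:
                raise ValueError("malformed Framed-IPv6-Prefix")
            if len(v) - 2 < (v[1] + 7) // 8:
                raise ValueError("prefix bytes shorter than Prefix-Length")
            packed = v[2:] + bytes(16 - (len(v) - 2))
            # strict network: bits beyond Prefix-Length must be zero (RFC 3162)
            net = ipaddress.IPv6Network((int.from_bytes(packed, "big"), v[1]))
            out.append(("Framed-IPv6-Prefix", str(net)))
        else:
            out.append((f"Attr-{t}", v))
        i += length
    return out


def static_address_attributes(ipv4=None, iid=None, prefix=None) -> bytes:
    """The attributes an Access-Accept would carry for a profile's Framed settings."""
    parts = []
    if ipv4:
        parts.append(encode_framed_ip_address(ipv4))
    if iid:
        parts.append(encode_framed_interface_id(iid))
    if prefix:
        parts.append(encode_framed_ipv6_prefix(prefix))
    return b"".join(parts)


if __name__ == "__main__":
    blob = static_address_attributes("192.0.2.10", "0200:5eff:fe00:0001", "2001:db8:1::/48")
    print(blob.hex())
    print(decode_attributes(blob))
```

A prefix such as 2001:db8:1:ffff::/48 is rejected by both the encoder and the decoder, which is the check a NAS or a packet capture review should make when a user's session comes up with an unexpected address.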
3. Save the file. Assigning Dynamic IP Addresses Using DHCP You can assign dynamic IP (traditional IPv4) addresses using DHCP. NOTE: The following steps do not apply to session management using the SQL Access feature. See Chapter 22: “SQL Access” (page 248) for more information on session management using the SQL Access feature. To assign dynamic IP addresses using DHCP, complete the following steps: 1. Define the DHCP address pools. See “Defining DHCP Address Pools for Specific Users” (page 286). 2.
16 OATH Standards-Based OTP Authentication IMPORTANT: SecurID authentication is obsolete as of the A.08.00 release of the HP-UX AAA Server. SecurID authentication can be replaced by Open AuTHentication (OATH) standards-based One-Time Password (OTP) authentication. OATH is an industry-wide collaboration to develop an open reference architecture for strong authentication. The OATH standards-based OTP authentication solution supports hardware and software tokens from multiple vendors.
HP-UX AAA Server and OATH Support The HP-UX AAA Server supports the OATH standards sequence-based OTP authentication, which enables the HP-UX AAA Server to interoperate with other OATH compliant clients. Normally, the authentication process used by the HP-UX AAA Server is confined to validating the user password against the password stored in the database.
NOTE: If RADIUS standard Password Authentication Protocol (PAP) is used, the HP-UX AAA Server can split the user password into password and OTP and perform one of the following actions:
• Validate the OTP, or the password, or the password and OTP.
• Proxy the OTP or password to an external RADIUS server for validation.
Splitting of the user password into password and OTP is not supported for the MS-CHAP v2 authentication protocol, because the server receives only a hash of the user password.
Components Required to Configure OTP Authentication The following components, which are required to configure OTP authentication, are provided with the HP-UX AAA Server:
• Modified Finite State Machine (FSM)
• Database schema files
• The following sample configuration files:
◦ sqlaccess.config
◦ Policy configuration files:
– oath-proxy-egress.grp
– oath-request-ingress.grp
– oath-reply-egress.
on actions and customizing actions, see “Advanced OTP Authentication Configuration Concepts” (page 135).
Notes:
1. The HP-UX AAA Server supports only the token information that is stored in the SQL database.
2.
Figure 49 OTP Authentication Configuration Flowchart for RADIUS Standard Password
Figure 50 OTP Authentication Configuration Flowchart for MS-CHAP v2 Basic or Typical Configuration A basic or typical scenario involves configuring the HP-UX AAA Server to provide two-factor authentication when user and token information is stored in different tables in the same SQL database.
IMPORTANT NOTES:
• After using the sample reference implementation and before deploying your implementation in a production environment, you must change the default passwords for the database user and the test user, and the shared secret of the test user.
• If the shared secret provided by the token vendor is in ASCII format, edit the /etc/opt/aaa/sqlaccess.config file to change the following entry in the RetrieveUserAndToken SQL action: DBC(RAD_TOKENS_TABLE.
Table 35 Bit Masks to Configure OTP Authentication Tasks
Task: Splits the incoming password into password and OTP. Bit Mask: 7. Supported for RADIUS Standard Password: Yes. Supported for MS-CHAP v2: No.
On receiving the incoming request, the HP-UX AAA Server splits the request into password and OTP based on the number of digits specified in the OTP token length, as follows: if the number of digits specified in the OTP token length is 7, the last 7 characters are identified as the OTP.
Task: Validates the password.
Figure 51 Usage of Bit Masks to set OTP Authentication Actions
The OTP-ActionId attribute is set to 112 by converting the binary value 01110000 into decimal. Table 36 lists some common actions along with the bit masks that must be used for configuration.
Table 36 Common OTP Authentication Actions (columns: Action; RADIUS Standard Password OTP-ActionId Value; MS-CHAP v2 OTP-ActionId Value; Bit Mask Set)
Action: Validates the password and OTP (two-factor authentication) if the incoming request contains password and OTP. RADIUS Standard Password OTP-ActionId Value: 112.
Table 36 Common OTP Authentication Actions (continued)
Action: Forwards only the OTP to the configured proxy target server in the proxy-egress.grp policy file if the incoming request contains password and OTP. Removes the password and stores only the OTP in the User-Password attribute. RADIUS Standard Password OTP-ActionId Value: 69. MS-CHAP v2 OTP-ActionId Value: Not applicable. Bit Mask Set: 01000101.
Table 37 Attributes for Configuring OTP Authentication (continued)
(description continued) OTP values and check against the received OTP to synchronize the sequence counter. If this attribute is not specified, the value of the system-wide configuration entry otp_lookup_window is used as the default value. Default Value: 10. Value Type: integer.
Attribute Name: HOtp-Seq-Counter. Configuration Type: User level configuration only. Description: Specifies an eight-byte counter value.
Table 37 Attributes for Configuring OTP Authentication (continued)
Default Value: no.
Attribute Name: Otp-Retrieve-TokenInfo-ActionId. Configuration Type: Realm level configuration only. Description: Specifies the SQL action for retrieving the token information from the database.
Attribute Name: Reply-Egress-ActionId. Configuration Type: Realm level configuration only. Description: Sets the SQL action to be processed after applying the reply-egress policy (for example, updating the success or failed authentication counter).
NOTE:
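Worked example, added here and not the HP-UX AAA Server's own code (its internal OTP implementation is not shown on this page): a Python sketch of what a sequence-based (HOTP, RFC 4226) check has to do with the attributes in Tables 35 to 37. It splits a PAP User-Password into static password and OTP by token length (the split task, bit 7 of Otp-ActionId in Table 35), searches the look-ahead window for the received code (Otp-Lookup-Window / otp_lookup_window, default 10; that the window means this many counter values ahead of HOtp-Seq-Counter is an assumption), and moves the counter past the matched value so that the same code, or any older one, cannot be replayed. The token record is a stand-in for a row of RAD_TOKENS_TABLE with assumed field names, the seed is the RFC 4226 Appendix D test secret embedded as a constructed sample, and the hex-to-bytes conversion mirrors the point made above about vendor seeds supplied in hexadecimal.

```python
"""HOTP (RFC 4226) checking as a sequence-based OATH server performs it.

Added example; not HP-UX AAA Server code. The token record stands in for a
RAD_TOKENS_TABLE row (field names assumed); the seed is the RFC 4226
Appendix D test secret, embedded here as a constructed sample.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass

RFC4226_SEED = b"12345678901234567890"  # RFC 4226 Appendix D reference seed
OTP_ACTION_SPLIT = 1 << 6               # Table 35 bit 7 (LSB = bit 1), value 64


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA-1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def seed_from_vendor(value: str, is_hex: bool) -> bytes:
    """Vendors ship seeds as ASCII or hex; a hex seed must become raw bytes before
    it is used as the HMAC key, otherwise every code the token produces mismatches."""
    return bytes.fromhex(value) if is_hex else value.encode("ascii")


@dataclass
class TokenRecord:
    seed: bytes
    seq_counter: int          # HOtp-Seq-Counter: next counter value expected
    token_length: int = 6     # Otp-Token-Length
    lookup_window: int = 10   # Otp-Lookup-Window (assumed: counters checked ahead)
    status: str = "ACTIVE"    # only ACTIVE tokens may authenticate
    failed_auth: int = 0      # the counter a reply-egress action would update


def split_password(user_password: str, token_length: int, action_id: int):
    """Return (static password, OTP): the last token_length characters are the OTP."""
    if not action_id & OTP_ACTION_SPLIT:
        raise ValueError("split task not set in Otp-ActionId")
    if len(user_password) <= token_length:
        raise ValueError("User-Password too short to hold password + OTP")
    return user_password[:-token_length], user_password[-token_length:]


def verify_otp(record: TokenRecord, otp: str) -> bool:
    """Accept otp if it matches a counter in [seq_counter, seq_counter + window).
    On success the counter jumps past the matched value, so the same code and
    every earlier one are refused from then on (replay protection)."""
    if record.status != "ACTIVE" or len(otp) != record.token_length or not otp.isdigit():
        record.failed_auth += 1
        return False
    for c in range(record.seq_counter, record.seq_counter + record.lookup_window):
        if hmac.compare_digest(hotp(record.seed, c, record.token_length), otp):
            record.seq_counter = c + 1
            return True
    record.failed_auth += 1
    return False


def authenticate_pap(user_password: str, stored_password: str,
                     record: TokenRecord, action_id: int = 112) -> str:
    """Two-factor PAP check for Otp-ActionId 112 (01110000: the two-factor action of
    Table 36, which includes the split bit). The static password is checked first so
    that a wrong password does not burn an OTP or advance the counter."""
    try:
        static_pw, otp = split_password(user_password, record.token_length, action_id)
    except ValueError:
        return "NAK"
    if not hmac.compare_digest(static_pw.encode(), stored_password.encode()):
        return "NAK"
    return "ACK" if verify_otp(record, otp) else "NAK"


if __name__ == "__main__":
    tok = TokenRecord(seed=RFC4226_SEED, seq_counter=0)
    code = hotp(RFC4226_SEED, 1)
    print(authenticate_pap("s3cret" + code, "s3cret", tok), tok.seq_counter)
    print(authenticate_pap("s3cret" + code, "s3cret", tok), tok.seq_counter)  # replay
```

Two points worth carrying into a real deployment: the counter must be written back to the token store before the Access-Accept is sent, or a retransmitted request can reuse the code; and the window should be as small as users' tokens tolerate, because each extra counter value is one more code an attacker who captured the static password can guess.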
Realm Level OTP Attributes To configure OTP attributes on a realm level, you must modify the sample entry in the request-ingress.grp file using the following syntax: if ((count (User-Name) > 0) && (substr (User-Name after "@" ) = "")) { # Add Otp-ActionId attribute, if it is not present in the user request.
NOTE: When a response from the proxy is returned, the HP-UX AAA Server implements the reply-egress policy, and does not increment the sequence counter and the success or failed authentication counters (since they are incremented by the external RADIUS server). If you have configured different inner and outer realms If you have configured different inner and outer realms, you must specify the inner realm name when configuring OTP authentication.
} } } In this example, the Otp-Token-Length attribute has been added in the last row. If you are using RetrieveUserAndToken SQL action, similar changes will be required there to configure OTP attributes at a user level. NOTE: The corresponding values for the attributes configured in the sqlaccess.config file must be stored in the user profile and in RAD_TOKENS_TABLE in the database.
2. If not already appended, append the contents of the sample OTP reference implementation policy files (located in /opt/aaa/examples/config) to the default policy files (located in /etc/opt/aaa) using the following commands:
# cat /opt/aaa/examples/config/oath-request-ingress.grp >> /etc/opt/aaa/request-ingress.grp
# cat /opt/aaa/examples/config/oath-reply-egress.grp >> /etc/opt/aaa/reply-egress.grp
3. In the /etc/opt/aaa/request-ingress.
Use the following rules while replacing the variable with the realm name:
If you have configured the realm for RADIUS standard password authentication, then replace the variable with the realm name configured in step 1.
If you have configured tunneled realms with different inner and outer realms for EAP authentication, then replace the variable with the inner realm name configured in step 1.
If you have configured tunneled realms with the same inner and outer realms for EAP authentication, then replace the variable with the inner realm name configured in step 1 usi
3. In the /etc/opt/aaa/request-ingress.grp file, replace the variable and configure the Otp-ActionId attribute according to the following rules: If you have configured...
If you have configured... Then … exit "ACK" } 4. In the /etc/opt/aaa/reply-egress.
4. If not already appended, append the contents of the sample OTP reference implementation policy files (located in /opt/aaa/examples/config) to the default policy files (located in /etc/opt/aaa) using the following commands:
# cat /opt/aaa/examples/config/oath-request-ingress.grp >> /etc/opt/aaa/request-ingress.grp
# cat /opt/aaa/examples/config/oath-reply-egress.grp >> /etc/opt/aaa/reply-egress.grp
5. In the /etc/opt/aaa/request-ingress.
If you have configured... Then …
    insert Otp-ActionId = 48
    exit "ACK"
}
• If you have configured the realm for TTLS (EAP-MS-CHAP v2), add the following condition:
if ((count (User-Realm) > 0) && (User-Realm = "/ttls")) {
    insert Otp-ActionId = 48
    exit "ACK"
}
6. In the /etc/opt/aaa/reply-egress.
3. In the /etc/opt/aaa/request-ingress.grp file, replace the variable and configure the Otp-ActionId attribute according to the following rules: If you have configured...
If you have configured... Then …
    insert Otp-Retrieve-TokenInfo-ActionId = "RetrieveToken"
    exit "ACK"
}
• If you have configured the realm for TTLS (EAP-MS-CHAP v2), add the following condition:
if ((count (User-Realm) > 0) && (User-Realm = "/ttls")) {
    insert Otp-ActionId = 48
    insert Otp-Retrieve-TokenInfo-ActionId = "RetrieveToken"
    exit "ACK"
}
NOTE: In this example, the Otp-Retrieve-TokenInfo-ActionId attribute is configured to retrieve token information from the SQL database.
4.
NOTE: For the MS-CHAP v2 authentication protocol, partial validation (either the OTP or the password locally, with the remaining part at an external RADIUS server) is not possible. The complete validation must be performed either at the local HP-UX AAA Server or at an external RADIUS server.
Validating Password on the Local Server and Forwarding OTP to Another RADIUS Server
To configure the HP-UX AAA Server to validate the password and forward the OTP to another RADIUS server for validation, complete the following steps: 1.
If you have configured... Then … exit "ACK" } 5. In the proxy-egress.
7. Configure the proxy target server for OTP validation as follows:
• If the target proxy server is an HP-UX AAA Server:
1. Configure the proxy server as a client using the same shared secret as the proxy server. For more information, see “Configuring RADIUS Clients Using the Access Devices Screen” (page 70).
2. Configure the proxy target server to validate OTP. For more information, see “Validating OTP Alone” (page 143).
IMPORTANT: While specifying the realm in the remote server’s request-ingress.
4. In the /etc/opt/aaa/request-ingress.grp file, replace the variable and configure the Otp-ActionId attribute according to the following rules: If you have configured...
If you have configured … Then… /peap
Or
• TTLS (PAP): /ttls
6. In the proxy-egress.grp file, replace the variable with the realm name, and the variable with the proxy target server host name (FQDN) or the IP address that is configured in Step 2, as follows:
if ( (count (User-Realm) > 0) && (User-Realm = "") ) {
    modify Interlink-Proxy-Target = ""
    exit "ACK"
}
NOTE: 7. 8.
format. In such scenarios, you can use the AAASetConvertedHexToBinaryString function to convert a hexadecimal shared secret to binary format.
• The AAATokenStatusCheck Function: This mapping function is used to verify whether the status of the token is ACTIVE. If the status is ACTIVE, the HP-UX AAA Server allows the user to continue with the OTP authentication process. If the status is ASSIGN, the user has to activate the token using the User Database Administration Manager.
Table 39 SQL actions and Stored Procedures that Support OTP Authentication (continued) SQL action Table Operated On Operation stored procedure also increments the success authentication count. UpdateFailedAuthCountAnd TokenStatus RAD_TOKENS_TABLE A stored procedure that is created using dbsetup.sql. This procedure increments the failed authentication count after a failed authentication. This stored procedure also increments the lock counter for each failed authentication.
work_phone mobile_phone Sample Policy Files This section describes the sample policy files that are used for configuring OTP authentication. This section addresses the following topics: • “The oath-request-ingress.grp Sample File.” • “The oath-reply-egress.grp Sample File” (page 159) • “The oath-proxy-egress.grp Sample File” (page 160) The oath-request-ingress.grp Sample File The oath-request-ingress.grp file is the primary sample reference implementation file for configuring OTP authentication.
if ( (count (User-Realm) > 0) && (User-Realm = "") ) { In the case of successful authentication, the following sample inserts the Reply-Egress-ActionId attribute with the SQL action UpdateSeqenceCounterAndSuccessAuthCount and returns the POST_REPLY_EGRESS event to update the sequence counter and success authentication count using SQLAccess.
17 Configuring EAP-SIM and EAP-AKA Authentication Methods This chapter introduces you to Extensible Authentication Protocol (EAP) for Global System for Communications (GSM) Subscriber Identity Module (SIM) and EAP for Universal Mobile Telecommunications System (UMTS) Authentication and Key Agreement (AKA) authentication methods.
The authentication software on the user’s mobile device for EAP/802.1x authentication is referred to as the supplicant. The supplicant, which accesses the SIM card information, communicates with the HP-UX AAA Server via the authenticator (access point) to gain access to the network. The supplicant sends its messages via EAP over LAN to the access point. The access point encapsulates the EAP message and uses the RADIUS protocol to communicate with the HP-UX AAA Server.
9. The access point forwards the EAP Success message to the supplicant, and keeps the keying material for encrypting the subscriber’s session. The supplicant derives the same encryption key itself, and therefore the access point does not forward the key to the supplicant. 10. With the common session key, the network traffic between the access point and the supplicant can now be encrypted, and the supplicant can securely access the network.
Benefits EAP-SIM offers the following benefits: • Offers more reliable security than the GSM mechanisms. • Supports protection of the subscriber identity based on pseudonyms or temporary identifiers. • Supports a fast re-authentication procedure. Configuring EAP SIM The configuration files must be edited manually, because EAP-SIM cannot be configured using the HP-UX AAA Server Manager.
The user credentials (Ki) can be stored in any of the following supported data repositories:
• local realm users file
• LDAP database
• SQL-compliant database using SQL Access
The following is an example of a local realm users file:
# IMSI configured with 128 bit Subscriber-Key
801448005551000 Subscriber-Key ="\x6d\x37\x71\x8a\xcc\xec\x37\x01\x4e\xdb\xf0\xf0\x3b\xe5\x77\xda",
NOTE: octets.
Table 40 The iaaaFile authfile Configuration Parameters (continued) Parameter Description The default value is User-Id. Policy-Pointer For information on Policy-Pointer, see “Authorization to Control Sessions and Access to Services ” (page 30). NOTE: This parameter is optional. The following is an example of an iaaaFile configuration for credentials lookup:
eapsimrealm.com -SIM iaaaFile isp {
    Request-Attribute-For-Search Real-Username
    }
}
The following is the sample content of the isp.
Also, you must include the RetrieveSimUser SQL action in the sqlaccess.config file. The following SQL action, RetrieveSimUser, is configured to return the subscriber key. After successfully retrieving the key from a SQL-compliant database (db_oci), the SQL action returns RETRIEVE_SUCCESS; otherwise, it returns RETRIEVE_ERROR.
Table 41 EAP.authfile Configuration Parameters (continued) Parameter Description on available algorithms, see “Generating Authentication Vectors Using A3, A8, and AKA Algorithms” (page 194). A8 Algorithm Specifies the default A8 algorithm for the realm. If an A8 algorithm is needed to produce the GSM triplets for this user's authentication, then the A8 algorithm specified in this field is used. There is no default value.
#######################################################################
eapsimrealm.com -EAP EAP "comment" {
    EAP-Type SIM {
        # The following parameters specify the names of the A3 and A8 algorithms used to generate
        # triplets. You need not configure these values if triplets are retrieved from
        # an external AuC.
} EAP-AKA This section discusses the EAP-AKA authentication method and its configurations. This section addresses the following topics: • “Overview” (page 170) • “EAP-AKA Authentication Using HP-UX AAA Server” (page 170) • “Features” (page 171) • “Benefits” (page 172) • “Configuring EAP-AKA” (page 172) Overview EAP AKA is an authentication and session key distribution mechanism used in the third generation mobile networks: UMTS and CDMA2000.
EAP-AKA uses an example algorithm for key generation that can be customized or replaced with an operator-specific key generation algorithm. EAP-AKA includes optional identity privacy support, wherein the supplicant can send a temporary (pseudonym) identity instead of the clear-text permanent identity, to prevent eavesdropping. In such cases, on receiving the pseudonym identity, the HP-UX AAA Server has to look up the real user name, that is, the permanent identity.
Benefits EAP-AKA offers the following benefits: • In devices that already contain an identity module, AKA can be used as a secure Point-to-Point Protocol (PPP) authentication method. • Enables the use of third generation mobile network authentication infrastructure in wireless LANs. • Supports the co-existence of the existing infrastructure with any other EAP technology. • Supports identity privacy. • Supports result indications. • Supports fast re-authentication.
◦ AKA mode is a string attribute containing the binary encoded 16-bit user authentication management field, often referred to as AMF. The encoding must be in network byte order (big-endian).
◦ AKA algorithm is a string attribute indicating the name of the AKA algorithm to be applied in AKA vector generation. Most lines in the configuration files are limited to 1023 characters, which places a limit on the length of this string. The value is case-sensitive.
SQL Access Authentication Type
To use the SQL Access authentication type, you must include the following entry in the authfile:
eapakarealm.com -AKA SQLAccess ActionId=RetrieveAkaUser
Also, you must include the RetrieveAkaUser SQL action in the sqlaccess.config file. The following SQL action, RetrieveAkaUser, is configured to return the subscriber key, AKA Mode, and SQN.
Table 44 EAP.authfile Configuration Parameters Parameter Description AKA Algorithm Specifies the default AKA algorithm for the realm. If the profile for a user in this realm does not specify an AKA algorithm, and if an AKA algorithm is needed to produce the AKA vector for this user's authentication, the AKA algorithm specified by this parameter is used. For information on available algorithms, see “Generating Authentication Vectors Using A3, A8, and AKA Algorithms” (page 194). There is no default value.
Table 44 EAP.authfile Configuration Parameters (continued) Parameter Description AKA-Mode AKA mode is the user authentication management field, which is often referred to as AMF. It is an input to the functions f1 and f1*. For more information, see 3GPP documents. The value of the AKA mode parameter is a 16-bit binary string entered as 0x, followed by two 2–digit hex values. The dots are optional, and are used to improve readability. The encoding must be in the network byte order (big-endian).
        AKA-Mode 0x12ab
        Protected-Identity-Exchanges No
        Protected-Success-Indications "Enabled"
    }
}
NOTE: The comment field in realm configuration must not have spaces.
Auth-Result-Update and Resync-Update
The management of the SQN required for EAP-AKA can be done using the SQL Access feature provided by the HP-UX AAA Server. In this case, user credentials must be stored in an Oracle or SQL-compliant database. The above example has the EAP.authfile configuration for these parameters.
        }
    }
}
The ResyncSQN SQL action derives the SQN from the vendor-specific attribute AKA-Synchronization-Token (AUTS) in the REPLY queue, which the client sends when a synchronization failure occurs. The first mapping retrieves the subscriber key for the corresponding real identity, and the second mapping inserts the derived SQN back into the database. A predefined sample mapping function, GetResyncAkaSeqNum, is used to extract the SQN from AUTS.
Table 45 The aaa.config Configuration Block Parameters Parameter Description Statistics Directs the output of EAP-AKA statistics to the logfile when the server shuts down. The valid values are Enabled and Disabled. If not explicitly configured, the default value is Enabled. The following is an example of an aaa.config configuration file:
aatv.EAP-AKA {
    # =====================================
    # The following parameters are global.
Configuring for Fast Re-Authentication in EAP.authfile To use fast re-authentications, the realm configuration in the EAP-Type SIM{} or EAP-Type AKA{} block in EAP.authfile must specify the parameters described in Table 46. Table 46 EAP.authfile Configuration Parameters Parameter Description Fast-Reauth-Lookup The Fast-Reauth-Lookup parameter specifies an AATV and an Xstring parameter for this AATV.
Sample EAP.authfile Configuration for Fast Re-authentication
#################################################################
### Add the following in /etc/opt/aaa/EAP.authfile for EAP-SIM
#################################################################
eapsim.com -EAP EAP "comment" {
    EAP-Type SIM {
        # Configure other realm-specific parameters, if required
        .
        .
Table 47 The aaa.config Configuration Block Parameters for Fast Re-authentication (continued) Parameter Description If the value is zero, no new fast reauth identities are added to the cache, but the existing non-expired entries are used. This value is intended to phase out fast reauth support following a HUP. If not explicitly configured, the default value is 500,000. Sample aaa.
Fast Re-Authentication Database Update AATV As a result of a full authentication, the database may require a new record for the fast re-authentication information. If the database includes an existing set of fast re-authentication information, the information needs to be updated or made invalid with each full authentication or a fast re-authentication.
be either ACK or NAK. If the result of the update is NAK, the update has failed, which may affect a subsequent fast re-authentication. However, it does not affect the success or failure of the current authentication. Fast Re-Authentication Database Lookup AATV The fast re-authentication lookup AATV retrieves the information associated with the Fast-Reauth-Username attribute in the database. This AATV is invoked during a fast re-authentication only.
Lookup AATV Functionality and Return Events
The fast re-authentication lookup AATV attempts to retrieve the full authentication details of the Fast-Reauth-Username attribute from its database.
• If the information is available, the lookup AATV updates the AUTHREQ_REPLY_QUEUE list of the authreq with the specified output, and a RETRIEVE_SUCCESS message is returned.
• If the information is not available, a RETRIEVE_ERROR message is returned.
• Any secret keys used in the RADIUS server for the generation of pseudonyms cannot be recovered even if a number of matching permanent identities and pseudonyms are available. • For any given pseudonym or a number of correlated pseudonyms, it is impossible to recover the corresponding permanent identity. • It is impossible to determine whether two pseudonyms correspond to the same permanent identity.
Configuring for Pseudonym Identity Support To use pseudonym identity support, the realm configuration in the EAP-Type SIM{} or EAP-Type AKA{} block in EAP.authfile must specify the parameters described in Table 51. Table 51 EAP.authfile Configuration Parameters Parameter Description Pseudonym-Lookup The Pseudonym-Lookup parameter specifies an AATV and an Xstring parameter for this AATV. This AATV is invoked to map a pseudonym to the user's real identity.
Table 52 The aaa.config Parameters for Algorithm-based Pseudonym Identity Parameter Description Pseudonym-Algorithm-Key-n The HP-UX AAA Server can generate pseudonyms as an encrypted form of the permanent identity, which can be subsequently decrypted to reproduce the permanent identity. This set of parameters (n = 1 to 16) can be used to specify up to 16 encryption keys for encryption or decryption.
        .
        # Following are the mandatory parameters:
        Pseudonym-Lookup ""
        Pseudonym-Update ""
        Generate-Random-Character-Pseudonyms Yes
        Pseudonym-Lifetime 604800
        # Following are the optional parameters:
        Pseudonym-Lifetime 604800
    }
}
NOTE: No global configuration is required for random pseudonym identity support. Sample EAP.
Sample aaa.config Configuration for Algorithm-based Pseudonym Identity Support
#################################################################
### Add the following in /etc/opt/aaa/aaa.config
#################################################################
aatv.SIMAKA {
    # Configure other global parameters, if required
    .
    .
    # At least one Pseudonym-Algorithm-Key is mandatory
    Pseudonym-Algorithm-Key-1 0x00010203.04050607.08090a0b.0c0d0e0f
    Pseudonym-Algorithm-Key-11 0xa0a1a2a3.a4a5a6a7.a8a9aaab.
There are two AATVs involved in pseudonym handling. One AATV performs the lookup and the other performs the update. This section describes the following AATVs: • “Pseudonym Database Update AATV” (page 191) • “Pseudonym Database Lookup AATV” (page 192) Pseudonym Database Update AATV As a result of a full authentication, the database may require a new record for the pseudonym information.
The AATV returns ACK if the database is updated successfully. If the result of the update is NAK, the update has failed. However, it does not affect the outcome of the current authentication. NOTE: If the Pseudonym-Expiration-Time is not present as a result of the Lookup AATV handling the expiration check, the Last-Used-Pseudonym-Expiration-Time of the database may need to be updated with the Last-Assigned-Pseudonym-Expiration-Time value by the Lookup AATV.
Table 55 Lookup AATV Output Attributes (continued) Attribute Description present, the Pseudonym Update AATV is called with the Last-Used-Pseudonym-Expiration-Time present, along with the Pseudonym-Expiration-Time value. If this attribute is not returned, the Last-Used-Pseudonym-Expiration-Time in the database must be updated by the Lookup AATV. The Lookup AATV for EAP-SIM can also return credentials and other reply items while retrieving the user's Real-Username.
Table 57 Lookup AATV Attributes for EAP-AKA (continued) Attribute Description AKA-Algorithm An optional string attribute that contains the name of the AKA algorithm used to authenticate the user. This attribute is optional if a default value is configured for the realm. The value is case-sensitive. AKA-Sequence-Number A fixed-length binary string (octets) attribute that contains the 48-bit sequence number, which is used to authenticate the user.
information on how to modify the examples or create your own A3, A8, or AKA algorithm plug-ins, see “Creating Plug-ins for AATVs” (page 335). 3GPP Milenage A3, A8, and AKA Algorithm An implementation of the 3GPP Milenage A3 and A8 algorithm functions for EAP-SIM authentication and of the AKA algorithm for EAP-AKA is included in the server. The 3GPP Milenage A3, A8, and AKA algorithm plug-in module includes configuration parameters that allow it to be customized for a specific operator.
Table 59 Configuration Parameters of aatv.3GPP-Milenage{} Block (continued) Parameter Description If not explicitly configured, the default value is 0x00000000.00000000.00000000.00000000. Use of this value generates a warning message in the logfile. C1 128-bit computation constant. C1 must have even parity. Use of a value with odd parity generates a warning message in the logfile. Milenage specifies the default value. If not explicitly configured, the default value is 0x00000000.00000000.00000000.
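As an added example that is not part of the HP-UX AAA Server or of this guide, the following Python helper parses the dotted hex notation the tables above use for AKA-Mode, Pseudonym-Algorithm-Key-n and the Milenage constants, checks that each value has the width the parameter requires, and flags a C1 value with odd parity before the server would log its warning. The function names and the sample block are hypothetical, and "even parity" is read here as an even count of 1 bits across the 128-bit value, which is an assumption.

```python
import re

# Added example, not HP-UX AAA Server code. The dotted hex form used in
# EAP.authfile and aaa.config is "0x" followed by hex byte pairs with optional
# dots between them, e.g. 0x12ab or 0x00010203.04050607.08090a0b.0c0d0e0f.
_DOTTED_HEX = re.compile(r"^0x([0-9a-fA-F]{2}(?:\.?[0-9a-fA-F]{2})*)$")

# Widths the guide states for each parameter family, in bits.
AKA_MODE_BITS = 16            # AMF, network byte order
PSEUDONYM_KEY_BITS = 128      # Pseudonym-Algorithm-Key-1 .. -16
MILENAGE_CONSTANT_BITS = 128  # C1 and the other computation constants


def parse_dotted_hex(value: str, expected_bits: int) -> bytes:
    """Return the value as big-endian bytes, or raise ValueError.

    Rejects anything that is not 0x-prefixed hex, has an odd number of
    hex digits, or is not exactly expected_bits wide."""
    m = _DOTTED_HEX.match(value.strip())
    if not m:
        raise ValueError(f"not a dotted hex value: {value!r}")
    data = bytes.fromhex(m.group(1).replace(".", ""))
    if len(data) * 8 != expected_bits:
        raise ValueError(
            f"{value!r} is {len(data) * 8} bits, expected {expected_bits}")
    return data


def parse_aka_mode(value: str) -> int:
    """AKA-Mode (AMF) as a 16-bit integer; the first hex byte is the high byte."""
    return int.from_bytes(parse_dotted_hex(value, AKA_MODE_BITS), "big")


def has_even_parity(data: bytes) -> bool:
    """Assumed reading of 'C1 must have even parity': an even number of 1 bits."""
    return sum(bin(b).count("1") for b in data) % 2 == 0


def check_block(params: dict) -> list:
    """Validate the parameters of an aatv.SIMAKA / aatv.3GPP-Milenage style block.

    params maps parameter name -> raw string value as written in the file.
    Returns a list of human-readable problems; an empty list means clean."""
    problems = []
    for name, raw in params.items():
        try:
            if name == "AKA-Mode":
                parse_aka_mode(raw)
            elif name.startswith("Pseudonym-Algorithm-Key-"):
                n = int(name.rsplit("-", 1)[1])
                if not 1 <= n <= 16:
                    problems.append(f"{name}: key index must be 1..16")
                    continue
                parse_dotted_hex(raw, PSEUDONYM_KEY_BITS)
            elif name == "C1":
                c1 = parse_dotted_hex(raw, MILENAGE_CONSTANT_BITS)
                if not has_even_parity(c1):
                    problems.append(f"{name}: odd parity, server will warn")
        except ValueError as exc:
            problems.append(f"{name}: {exc}")
    return problems


# Constructed sample block mirroring the guide's samples; the key is not a
# real key and Key-17 is deliberately out of range.
SAMPLE_BLOCK = {
    "AKA-Mode": "0x12ab",
    "Pseudonym-Algorithm-Key-1": "0x00010203.04050607.08090a0b.0c0d0e0f",
    "Pseudonym-Algorithm-Key-17": "0x00010203.04050607.08090a0b.0c0d0e0f",
    "C1": "0x00000000.00000000.00000000.00000001",
}

if __name__ == "__main__":
    for problem in check_block(SAMPLE_BLOCK):
        print(problem)
```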
Table 59 Configuration Parameters of aatv.3GPP-Milenage{} Block (continued) Parameter Description If not explicitly configured, the default value is 96. A3-Variant Plug-in module that supports the selection of Milenage variant #1 or #2. A3-Variant must be 1 or 2. For information on whether an alternative SRES derivation function is required, see “Creating Plug-ins for AATVs” (page 335). The AKA algorithm is unaffected by this parameter. If not explicitly configured, the default value is 1.
18 Configuring HP-UX AAA Server for Scalability and High-Availability This chapter describes how to configure the HP-UX AAA Server for scalability and high-availability. Starting with the HP-UX AAA Server A.08.01 release, HP-UX AAA Server supports configuring for scalability and high-availability.
present on a single or multiple hosts. Each group is associated with a group name, and each HP-UX AAA Server within a group is associated with a server name. Typically, groups contain cloned HP-UX AAA Servers or administration-related HP-UX AAA Servers, although this is not a restriction. In a group with cloned HP-UX AAA Servers, each HP-UX AAA Server is a clone of the primary HP-UX AAA Server in the group.
Server. Running multiple HP-UX AAA Servers on the same host ensures better utilization of system resources, thus ensuring greater scalability. Running cloned HP-UX AAA Servers belonging to a single group on multiple hosts provides high availability of the AAA services. For easier management of the HP-UX AAA Servers, each server is associated with a group.
• “Adding a Server” (page 202) • “Modifying a Server” (page 205) • “Deleting a Server” (page 206) • “Cloning a Server” (page 206) NOTE: You can also perform other administration tasks, such as Start, Stop, and Reload of the HP-UX AAA Server, using the HP-UX AAA Server Manager. For more information on how to perform these tasks using HP-UX AAA Server Manager, see Chapter 4 (page 49). Logging In To log in to HP-UX AAA Server Manager, complete the following steps: 1.
3. Enter the name of the group in the Name field.
4. Enter the values of the group attributes. Table 60 describes the group-specific fields.
Table 60 Group Attributes Option Description Enable Common Log Enables a common logfile for all the instances in the group. Common Log Directory Specifies the directory where the common logfile and radius.debug files are located. The default directory is /var/opt/aaa/logs/.
3. Click New Server under Servers. The Servers: Add Server page is displayed, as shown in Figure 58. Figure 58 Adding a Server 4. Enter the values of the server attributes. Table 61 describes the server-specific fields. Table 61 Server Attributes Option Description Authentication Port number to listen to authentication requests. The default Authentication port number is 1812. Accounting Port number to listen to accounting requests. The default Accounting port number is 1813.
Table 61 Server Attributes (continued) Option Description Reset Session Table Empties stored session table at server startup. IMPORTANT: This option is only intended for experimental use or testing and not for a live production server. If you reset a production server, the server loses track of the sessions that are still active. Timeout Specifies the timeout value in seconds. The default value is five seconds. Number of Retries Specifies the number of retries to retrieve the status of the server.
NOTE: If the Listen IP address is not specified, all addresses configured on the host are considered. Default Authentication, Accounting, and Dynamic Authorization port values are displayed. However, you can modify those values, if required. Following are the conditions that must be considered while configuring the server attributes: • The combination of the Listen IP address and the Administration port values must be unique. • The combination of the server name and the group name must be unique.
NOTE: Selecting Save Server Attributes to the configured server (specified in the 'Domain Name or IP Address' field) on clicking the 'Modify' button saves the server attributes to the server. You must perform this step to enable the HP-UX AAA Server Admin Tool for administration tasks. For more information on HP-UX AAA Server Admin Tool, see “Administering HP-UX AAA Servers Using HP-UX AAA Server Admin Tool (Command Line)” (page 208). Deleting a Server To delete a server, complete the following steps: 1.
Figure 60 Loading Configuration Completed
5. Modify the configuration files using the options under Edit Configuration in the left window, if required.
6. Click Save Configuration in the left window. The list of servers in the group is displayed, as shown in Figure 61.
Figure 61 Cloning Server
7. Select the target server, and click Save. The configuration files and the server attributes are copied to the selected servers.
NOTE: Although loading and saving configurations are required to clone HP-UX AAA Servers, you can perform those tasks independently, without associating them with cloning. To perform any administration tasks, such as loading, saving, and maintenance, you must select the servers within the group that is administered. Administering HP-UX AAA Servers Using HP-UX AAA Server Admin Tool (Command Line) You can administer the HP-UX AAA Servers running on a host using HP-UX AAA Server Admin Tool (rad_admin).
# /opt/aaa/bin/rad_admin.sh reload group1:server1,server2 group2:server3,server4
Following is an example to retrieve the status of all the servers belonging to group1:
# /opt/aaa/bin/rad_admin.sh status group1:all
NOTE: You must save the HP-UX AAA Server attributes on the respective server to use the HP-UX AAA Server Admin Tool.
Administering HP-UX AAA Servers Using Interactive User Interface
This section describes how to administer the HP-UX AAA Servers using the interactive user interface.
where the variables are described as follows:
• - the host on which the configuration files are backed up
• - the location on the to store the configuration files
• - the user account with privileges to store files under on the
2. Enter the password for the on the , if prompted. The configuration files are now available in the desired path , on the .
19 Configuring the HP-UX AAA Server for Client Functionality This chapter describes the client functionality of the HP-UX AAA Server. The chapter discusses the following topics: • “Overview” (page 211) • “CLIENT AATV” (page 211) • “Supported APIs” (page 213) Overview Currently, the HP-UX AAA Server works in the server mode. It receives requests from clients, processes them, and sends out appropriate responses, based on the request type.
aatv.CLIENT { .client_timer_value
Figure 63 CLIENT AATV Flowchart Supported APIs This section lists the Application Programming Interfaces (APIs) included in the Software Development Kit (SDK), to support the client functionality. New APIs are included or existing APIs are modified to support the client functionality. Table 29–1 describes the APIs supporting the client functionality. Table 63 APIs Supporting Client Functionality API Description sdk_authreq_allocate Generates a new request.
Table 64 Pre-defined Mapping Functions for Client Functionality Mapping Type Mapping Function Description Target set_radius_msg_type Sets the RADIUS message type for client requests. Target set_target_host Sets the target host to which a client request must be sent. Source get_from_host Returns the hostname from which a RADIUS request was received. Source get_cur_timestamp Returns the current timestamp. Source gen_state Generates a value that can be used as the value of the State attribute.
20 Configuring the HP-UX AAA Server for Dynamic Authorization This chapter discusses the Dynamic Authorization capability of the HP-UX AAA Server. The Dynamic Authorization capability is based on the client functionality of the HP-UX AAA Server.
In the following process flow, steps 1 to 5 (highlighted in blue in the figure) relate to creating RADIUS sessions, and steps 6 to 10 (highlighted in green in the figure) relate to the Dynamic Authorization operation: 1. A client requests access to a protected resource by sending user credentials to the authenticator. 2. The authenticator forwards the request to the HP-UX AAA Server. 3. The HP-UX AAA Server verifies the credentials.
5. 6. 7. 8. 9. The client request egress policy is invoked. In this step the policies configured in /etc/opt/ aaa/client-request-egress.grp are executed. This policy file can be used to insert, modify and delete attributes from the dynamic authorization request. ReplySend AATV is invoked. The dynamic authorization request is sent to the target host by the ReplySend AATV. Subsequently, the request waits for a response.
Figure 66 Flowchart for Basic and Advanced Configuration Basic Configuration A basic implementation of the Dynamic Authorization capability for initiating and processing the Disconnect and CoA requests is available with the SQL Access reference implementation.
• “Configuring for Failover” (page 233) • “Security Consideration in Dynamic Authorization” (page 234) Migrating Existing SQL Access Deployments for Dynamic Authorization If session management using SQL Access is already configured based on the reference implementation files delivered with HP-UX AAA Server version A.07.01 or earlier, you must complete the following additional steps for the Disconnect and CoA functionalities: 1.
FUNC(get_server_name) 4. 5. DBP(11, 259, CHAR) sess_mod_time — Specifies the time when the session entry was modified. The initial value is Current timestamp. This column does not require mapping. The current_timestamp function is directly used in the SQL statement. filter_id — Specifies the data filter used for this session. The value is retrieved from the Filter-Id attribute. You can configure Filter-Id using either the user profile or through policy.
Figure 67 Multiple HP-UX AAA Servers in a Group for Dynamic Authorization In Figure 67, the sessions in the database that must either be disconnected or changed are distributed among the live HP-UX AAA Servers within the group. Each HP-UX AAA Server within the group subsequently initiates Disconnect or CoA message exchanges with the authenticator for the sessions assigned to it.
Configuring for Disconnect and CoA Request Processing This section describes the procedure to configure all the HP-UX AAA Servers in a group to perform authentication, accounting, and dynamic authorization. To dedicate some HP-UX AAA Servers in a group for dynamic authorization, see “Dedicated HP-UX AAA Servers for Dynamic Authorization” (page 225). To configure for Disconnect and CoA request processing when multiple HP-UX AAA Servers belong to a group, complete the following steps: 1.
7. To use the new SQLActions, modify the policy files as follows: In /etc/opt/aaa/client-request-init.
NOTE: The following requirement is applicable for Oracle only. If DHCP is enabled, replace the following line in the /etc/opt/aaa/client-reply-ingress.grp file:
insert Client-Request-Cleanup-ActionId = "CleanupDisconnectedSession"
with
insert Client-Request-Cleanup-ActionId = "CleanupDisconnectedSession-DHCP"
8. To enable the Disconnect functionality, complete the following steps:
NOTE: You must perform this step only if you want the Disconnect functionality. Otherwise, you can ignore this step.
1. 2.
Figure 70 Server Properties: Modify Property 5. Select New Action. The Client Action Properties window is displayed as follows: Figure 71 Client Action Properties 6. Enter the following values in the respective fields, within the Client Action Properties window: Action Name: Disconnect Timer Value: 1 Max Requests: 0 9. To enable the CoA functionality, complete the following steps: NOTE: You must complete this procedure only if you want the CoA functionality. Otherwise, you can ignore this procedure.
2. Copy the SQLAction definition for StartSessionServerGroup from
• For Oracle — /opt/aaa/examples/sqlaccess/oracle-1/sqlaccess.config.dynauth_server_group
• For MySQL — /opt/aaa/examples/sqlaccess/mysql-1/sqlaccess.config.dynauth_server_group
to /etc/opt/aaa/sqlaccess.config, and replace with the name of the group.
3. To create sessions using the new SQLAction, modify the FSM as follows: Replace the following line in /etc/opt/aaa/radius.fsm:
*.*.
$ sed "s//test_group/g" /opt/aaa/examples/sqlaccess/oracle-1/sqlaccess.config.dynauth_server_group >> /etc/opt/aaa/sqlaccess.config
For MySQL, enter the following command at the prompt:
$ sed "s//test_group/g" /opt/aaa/examples/sqlaccess/mysql-1/sqlaccess.config.dynauth_server_group >> /etc/opt/aaa/sqlaccess.config
6. Copy the required policy files. Enter the following commands at the HP-UX prompt:
• $ cp /opt/aaa/examples/config/client-request-init.grp.
In /etc/opt/aaa/client-reply-ingress.
Figure 73 Server Properties (CLIENT) 4. Click Client Action Properties. The Server Properties: Modify Property window is displayed as follows: Figure 74 Server Properties: Modify Property 5. Select New Action. The Client Action Properties window is displayed as follows: Figure 75 Client Action Properties 6. Enter the following values in the respective fields, within the Client Action Properties window: Action Name: Disconnect Timer Value: 1 Max Requests: 0 9.
6. Enter the following values in the respective fields, within the Client Action Properties window:

   Name: COA
   Timer Value: 60
   Max Requests: 0

10. To activate the changes, restart the HP-UX AAA Server.

Dynamic Authorization in Authorize Only Mode

To ensure simplicity of translation between RADIUS and DIAMETER, RFC 5176 describes a different sequence of message exchanges between the HP-UX AAA Server and the NAS for Disconnect and CoA. Figure 76 illustrates dynamic authorization in authorize only mode.
       ## Set the RADIUS message type of the request to COA-Request.
       insert Interlink-Packet-Code = "COA-Request"

   • Insert a Service-Type attribute. Assign Authorize-Only as the value of the attribute. Append the following lines at the end of the /etc/opt/aaa/client-request-init.grp file:

       ## Add Service-Type attribute with value "Authorize Only"
       insert Service-Type = "Authorize-Only"
            }
        }
    }
}

NOTE: The following requirement is applicable for Oracle only. If DHCP is enabled, replace the following line in the /etc/opt/aaa/client-reply-ingress.
Figure 77 Proxy Functionality

Configuring for Dynamic Authorization Proxy Functionality

To configure the HP-UX AAA Server for Dynamic Authorization proxy functionality, you must configure the routing tables for the requests in the /etc/opt/aaa/proxy-egress.grp proxy egress policy file. You can configure the routing tables on the basis of attributes, such as the user's realm and the target NAS (authenticator), in the incoming request.
Security Consideration in Dynamic Authorization

This section describes the security features in Dynamic Authorization. The following features are supported:
• “Replay Protection” (page 234)
• “Message-Authenticator” (page 235)
• “Reverse Path Forwarding Check for Proxies” (page 236)

Replay Protection

The Replay Protection feature protects the network against replay, that is, the fraudulent retransmission of otherwise valid messages. The Event-Timestamp attribute is used for enforcing replay protection.
Figure 78 Server Properties

3. Click AAA Server as a Client Properties. The Server Properties (CLIENT) window is displayed as follows:

   Figure 79 Server Properties (CLIENT)

4. Click Global Event Timestamp Window. The Server Properties: Modify Property window is displayed as follows:

   Figure 80 Server Properties: Modify Property (Event Timestamp)

5. Enter the time window (in seconds) for which the incoming Event-Timestamp attribute is valid.
The Message-Authenticator attribute is verified only if it is present in the incoming message; if the attribute is absent, no verification is performed. To ensure that Message-Authenticator checking occurs, add the following lines in the /etc/opt/aaa/client-reply-ingress.grp client reply ingress policy file. For more information on Message-Authenticator, see RFC 2869.
Figure 82 Server Properties (CLIENT)

4. Click Enable Reverse Path Forwarding Check. The Server Properties: Modify Property window is displayed as follows:

   Figure 83 Reverse Path Forwarding Check

5. Click Yes to enable RPF.

Sample Configuration Files

This section describes the sample configuration files that are used to configure the HP-UX AAA Server for Dynamic Authorization. This section addresses the following topics:
• “The client-request-init.grp.
4. The RADIUS message type of the request is set in the attribute Interlink-Packet-Code.
5. For CoA, the Filter-Id attribute is set based on the time of the day. The attribute Client-Action-Name is used to differentiate between Disconnect and CoA requests.

The client-reply-ingress.grp.dynauth Sample File

The client-reply-ingress.grp.dynauth file is the sample client reply ingress policy file.
Table 66 SQL Actions that Support Dynamic Authorization (continued)

RestoreDroppedSessions
    Checks the database for sessions for which the Disconnect or CoA requests cannot be sent after updating the session_status attribute. For example, if a HUP signal is received, all the requests are purged from the queue. Under such circumstances, sessions that are updated with DISCONNECT_INIT will not be processed again.
Table 67 SQL Actions that Support Dynamic Authorization in Groups (continued)

SuspendDisconnectedSessionServerGroup
    Updates the status of a session entry for which Disconnect-NAK was received. This SQL action is used only when multiple HP-UX AAA Servers are configured as a group.
DistributeCoASessions
    Distributes the list of sessions for which CoA requests must be sent, among the live HP-UX AAA Servers in the group.
Table 68 Tables and Stored Procedures in the dbsetup.sql.dynauth_server_group File (continued)

    RAD_SERVER_TABLE. If an entry for the server is not available in the table, an entry is added in the table.
distribute_disconnect_sessions
    Distributes those expired sessions that need to be disconnected among the live HP-UX AAA Servers of a group, for Disconnect request processing.
Part IV Integrating the HP-UX AAA Server With External Services

This part of the HP-UX AAA Server Administrator’s Guide contains the following chapters:
• Chapter 21: “LDAP Authentication” (page 245)
• Chapter 22: “SQL Access” (page 248)
• Chapter 23: “Simple Network Management Protocol (SNMP) Support” (page 283)
• Chapter 24: “VPN Tunneling” (page 285)
• Chapter 25: “Using DHCP” (page 286)
Contents

21 LDAP Authentication (page 245)
    LDAP Server Compatibility (page 245)
    Related LDAP Documentation (page 245)
    Authentication with LDAP
    Managing Users (page 274)
        Adding Users to an SQL Database (page 275)
        Modifying User Credentials (page 276)
    Managing Users Using OTP to Authenticate
21 LDAP Authentication

The Lightweight Directory Access Protocol (LDAP) authentication type provides a method for storing user profiles on an LDAP server. LDAP servers are useful when managing a large number of user profiles.

NOTE: You can download Red Hat/Netscape Directory Server for HP-UX from www.software.hp.com.

LDAP Server Compatibility

The HP-UX AAA Server is designed to interoperate with LDAP Version 3 compliant directories. See the HP-UX AAA Server Release Notes at http://docs.hp.
Table 69 The HP-UX AAA Server LDAP Schema

LDAP Attribute    Description
aaacheck          RADIUS Check items in A-V pair string format.
aaadeny           RADIUS Deny items in A-V pair string format.
aaareply          RADIUS Reply attributes in A-V pair string format.
user-id           User name*.
user-password     User password. If not present, userpassword from inetOrgPerson is used.

* Can be specified by entering User-ID as the search filter in the LDAP client configuration in the AAA Server manager.
NOTE: See “Configuring Realms for LDAP” (page 78) for information on configuring the AAA Server for LDAP Access.
22 SQL Access

IMPORTANT: The Oracle authentication module is obsolete in the A.08.00 release of the HP-UX AAA Server. Oracle authentication is now supported through SQL Access. HP recommends that you set up your HP-UX AAA Server to interact with the Oracle database using the SQL Access feature.

This chapter introduces the SQL Access feature, describes how it works, and explains how to configure the HP-UX AAA Server for SQL Access.
Figure 84 SQL Access Components

When the AAA Server receives a RADIUS request to perform an action (for example, authentication), it calls the SQL Access AATV if SQL Access is configured. The SQL Access AATV maps RADIUS attributes to database columns and prepares user-defined SQL statements for execution. The connector libraries pass the SQL statements to vendor-supplied database client libraries, which in turn communicate with the database.
of database columns (output source) to RADIUS reply attributes (output target). A new RADIUS attribute will be allocated for each output mapping. For maximum flexibility and customization, there are no pre-determined or hard coded relationships between database columns and RADIUS attributes; that relationship is created entirely through the sqlaccess.config file. See “sqlaccess.config File Configuration” (page 256) for complete configuration definitions of the sqlaccess.config file.
SQL Action Processing and Result Handling

The SQL Access AATV processes all mapping entries of an SQL action in the order in which they are defined in the sqlaccess.config file. It first processes all input mapping entries in order, then executes the SQL statement, and finally processes the output mapping entries in order. SQL actions start with an event of ACK and mapping entries usually return an event of ACK.
Table 70 The sqlaccess.config Sample File

RetrieveUser (table operated on: RAD_USERS_TABLE)
    Retrieves the user profile. Uses SQL result mapping to test that at least one row is returned and sets the event to RETRIEVE_SUCCESS upon exiting to the FSM.
RetrieveToken (table operated on: RAD_TOKENS_TABLE)
    Retrieves token information. Uses SQL result mapping to test that at least one row is returned and sets the event to RETRIEVE_SUCCESS on exiting to the FSM.
Table 70 The sqlaccess.config Sample File (continued)

    the entry with a matching session id from the session table. The returned IP address is passed to the AAAFreeIP mapping function to initiate the releasing of the IP address via DHCP.

dbsetup.sql Sample File

The dbsetup.
    sess_start_time
    session_id
    user_name
    nasid
    nasport
    assigned_framed_ip
    client_hw_address
    client_identifier     varchar2(100),
    session_timeout       number(11),
    from_host             varchar2(253),
    session_status        varchar2(253),
    sess_mod_time         TIMESTAMP,
    filter_id             varchar2(253)

In addition, the dbsetup.sql script for OCI creates a stored procedure to first retrieve the IP address for a session ID and then to delete it from the session table RAD_SESS_TABLE.
High Availability

SQL Access provides multiple options to configure a highly available AAA Server environment:
• Utilizing the high-availability features of the database client and server for fail-over and load balancing;
• Configuring SQL Access such that alternate or secondary SQL actions are executed depending on database availability events, or to build in redundancy for critical database transactions;
• Using the SQL Access database reconnection feature that automatically attempts reconnection to
1. Install the sample implementation. See the README files in the respective directory for the supported environments at /opt/aaa/examples/sqlaccess/ for specific implementation information. Review the sample implementation, and note any modifications and customizations required for your specific implementation. See “SQL Access Implementation Details” (page 255) for information on the functionality provided by the sample implementation.
    /* SQL Action Definition */
    SQLAction action_ID
    {
        [TimedEvent timed_event]
        [QueryType multi_row]
        /* repeat as needed */
        {
            [input
                [source target [conversion_function]]
                .
                .
                [source target [conversion_function]]]
            [output
                [source target [conversion_function]]
                .
                .
                [source target [conversion_function]]]
            [SQLStatement instance {sql_statement}]
        } /* end repeat */
    }

Database Connection Definition

Define the database connection parameters in the data structure identified with the keyword DBID.
Table 71 Database Access Parameters (continued)

    libraries require the password to be specified in their configuration file. These libraries ignore the DBPassword keyword.
reconnect_wait_time
    Optional. Timer in seconds after which reconnection to the database is attempted when the connection fails. Default: 60
reconnect_err_code
    Optional. Comma-separated list of native database error codes that are returned when the database is unreachable or shut down.
    SQLAction action_ID
    {
        [TimedEvent timed_event]
        [QueryType multi_row]
        /* repeat as needed */
        {
            [input
                [source target [conversion_function]]
                .
                .
                [source target [conversion_function]]]
            [output
                [source target [conversion_function]]
                .
                .
                [source target [conversion_function]]]
            [SQLStatement instance {sql_statement}]
        } /* end repeat */
    }

Where:

action_ID
    Required. Specifies a unique instance of an SQL action.
Table 72 Input Mapping Data Types and Syntax

Input Mapping Type    Syntax
source                • RAD(vendor_id:attribute, attr_type, MAND)
                      • FUNC(mappingfunction)
                      • DBR(result) or DBR(ret code:error code)
target                • RAD(vendor_id:attribute, attr_type, MAND)
                      • FUNC(mappingfunction)
                      • DBP(placeholder, db_width, db_type)
                      • RET(return event)

Table 73 Output Mapping Data Types and Syntax

Output Mapping Type   Syntax
source                • RAD(vendor_id:attribute, attr_type, MAND)
                      • DBC(db_column, db_width, db_type)
                      • DBP(placeholder, db
attr_type. When RAD is specified as a target mapping, a new attribute is created to hold the data. Table 74 (page 261) lists the RAD mapping parameters and their descriptions:

Table 74 RAD Mapping Parameters

vendor_id
    Optional. Specifies the RADIUS vendor ID in the string format. The RADIUS vendor ID must exist in the dictionary. Default: 0 (standard RADIUS attribute).
attribute
    Mandatory. Specifies the RADIUS attribute ID in the string format as defined in the dictionary.
DBP Mapping

DBP is the placeholder mapping using the placeholder syntax in the SQL statements and the parameter bind functions as defined by the OCI and ODBC library APIs. If used as a target in an input mapping, it contains a placeholder for the local data to bind to using SQL placeholders. If used as a source in an output mapping, it contains the value to be retrieved from the placeholder after execution of a stored procedure. For more information on stored procedures, see “Stored Procedures” (page 272).
Example 3 User and Password Input and Output Mappings

For OCI:

    input   RAD(User-ID, REPLY)             DBP(userid,64,CHAR)
    output  DBC(user_password,128,CHAR)     RAD(Password, CHECK)
            DBC(address_pool, 128, CHAR)    RAD(Address-Pool, REPLY)

For ODBC:

    input   RAD(User-Id, REPLY)             DBP(1, 254,CHAR)
    output  DBC(user_password, 128, CHAR)   RAD(Password,CHECK)
            DBC(address_pool, 128, CHAR)    RAD(Address-Pool,REPLY)

The input mapping locates the RADIUS attribute User-Id in the reply queue and associates a data pointer to the local value.
Table 77 Pre-defined Mapping Functions (continued)

Source: get_sid
    Retrieves the session ID from the RADIUS request’s CLASS attribute-value pair or generates a session ID if the CLASS attribute-value pair does not exist.
Target: AAAFreeIP
    Initiates the release of the input IP address via DHCP (IPv4 only). Can be used only if session management with DHCP is enabled in the FSM.
Target: ACKonAll
    Returns ACK irrespective of the input.
Table 78 Pre-defined Conversion Functions (continued)

AAAStringtoIPv6Prefix
    Converts an ASCII string containing the prefix/length format as specified by RFC 2373 to the RADIUS IPv6 Prefix attribute type.
AAAIPv6InterfaceIDtoString
    Converts the RADIUS IPv6 interface identifier attribute type to an ASCII string as specified by RFC 2373.
AAATagInttoOctets
    Converts the ASCII value of the Tagged Integer attribute represented as :: into octets.
Example 4 SQL Statement to Delete a Row

For OCI:

    SQLAction StopSession
    {
        {
            input   RAD(Class)       DBP(sessid, 254, CHAR)
            output  DBR(DBretCode)   FUNC(ACKonZero)
            SQLStatement db_oci
            {
                DELETE FROM RAD_SESS_TABLE WHERE session_id=:sessid
            }
        }
    }

For ODBC:

    SQLAction StopSession
    {
        {
            input   RAD(Class)       DBP(1, 254, CHAR)
            output  DBR(DBretCode)   FUNC(ACKonZero)
            SQLStatement db_odbc
            {
                DELETE FROM RAD_SESS_TABLE WHERE session_id=sessid
            }
        }
    }

The following example is the equivalent replacement of the above examples for the new
                DELETE FROM RAD_SESS_TABLE WHERE session_id=sessid
            }
        }
    }

SQL Result Mapping

The SQL Access AATV does not check the result of the SQL statement execution.
Table 79 Return Values and Description for OCI and ODBC APIs

Return Values   OCI                     ODBC
0               OCI_SUCCESS             SQL_SUCCESS
1               OCI_SUCCESS_WITH_INFO   SQL_SUCCESS_WITH_INFO
99              OCI_NEED_DATA           SQL_NEED_DATA
100             OCI_NO_DATA             SQL_NO_DATA
-1              OCI_ERROR               SQL_ERROR
-2              OCI_INVALID_HANDLE      SQL_INVALID_HANDLE
-3123           OCI_STILL_EXECUTING
2                                       SQL_STILL_EXECUTING
error code      Native error codes from the database. For example, ORA-00000 for success. You can configure this error code as 0. Other examples are 1, 17, and 18.
Example 5 SQL Statement with Result Mapping - OCI

    SQLAction RetrieveUser
    {
        {
            input   RAD(User-Id,REPLY)               DBP(userid, 254, CHAR)
            output  DBC(user_password, 128, CHAR)    RAD(Password,CHECK)
                    DBC(address_pool, 128, CHAR)     RAD(Address-Pool,REPLY)
                    DBR(DBretCode)                   FUNC(RETRIEVEonZero)
            SQLStatement db_oci
            {
                SELECT user_password, address_pool FROM RAD_USERS_TABLE WHERE user_name=:userid
            }
        }
    }

Example 6 SQL Statement with Result Mapping - OCI Using the New Syntax

    SQLAction RetrieveUser
    {
        {
            input   RAD(User-Id, REPLY)   D
NOTE: In the above example, some entries are configured with the wildcard “*” code, which matches any error code. This can be replaced with the explicit values that the database returns. If RET is configured to ACK and the DBR entry matches, all remaining mapping entries of the current mapping are skipped and the next SQL mapping, if configured, is executed; for any other return event, the SQL action returns immediately.
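The following program is an added illustration, not the product's own code, of how the DBR(ret code:error code) entries of a result mapping select a return event: entries are tried in the order they are written, “*” matches any value, a matched RET(ACK) lets the next mapping block run, and any other matched event returns from the SQL action. The event numbering, the sample (ret code, error code) pairs and the two-block action are constructed for the demonstration; the three DBR entries are those of Example 8 (UpdateAcct).

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdbool.h>

/* Event names as used in RET(...) entries. The numeric values are assumptions of this
 * example; the product takes them from its own event-name definitions. */
typedef enum { EV_ACK = 0, EV_NAK = 1, EV_ERROR = 2 } event_t;

/* One DBR(ret_code:error_code) -> RET(event) output mapping entry.
 * "*" is the wildcard code that matches any value. */
typedef struct {
    const char *ret_code;   /* API return value: "0", "-1", "100" ... or "*" */
    const char *err_code;   /* native database error code, or "*" */
    event_t     event;      /* the RET(event) paired with this DBR entry */
} dbr_entry;

/* "*" matches anything; otherwise the pattern must be a whole decimal number equal to value. */
static bool code_matches(const char *pattern, long value)
{
    if (strcmp(pattern, "*") == 0)
        return true;
    char *end;
    long p = strtol(pattern, &end, 10);
    return *end == '\0' && p == value;
}

/* Walk the DBR entries of one mapping block in the order they are written and return the
 * event of the first entry matching both codes; if none matches, the event is unchanged. */
event_t map_result(const dbr_entry *entries, size_t n, long ret_code, long err_code,
                   event_t current)
{
    for (size_t i = 0; i < n; i++)
        if (code_matches(entries[i].ret_code, ret_code) &&
            code_matches(entries[i].err_code, err_code))
            return entries[i].event;
    return current;
}

/* One mapping block of an SQL action: its DBR entries plus a constructed outcome of its
 * SQLStatement, standing in for what the database client library would report. */
typedef struct {
    const dbr_entry *entries;
    size_t           n;
    long             sim_ret;
    long             sim_err;
} mapping_block;

/* A matched RET(ACK) skips the rest of the current mapping and proceeds to the next block;
 * any other event returns from the SQL action at once. blocks_run reports how many ran. */
event_t run_sql_action(const mapping_block *blocks, size_t nblocks, size_t *blocks_run)
{
    event_t ev = EV_ACK;   /* SQL actions start with an event of ACK */
    *blocks_run = 0;
    for (size_t b = 0; b < nblocks; b++) {
        (*blocks_run)++;
        ev = map_result(blocks[b].entries, blocks[b].n, blocks[b].sim_ret, blocks[b].sim_err, ev);
        if (ev != EV_ACK)
            return ev;
    }
    return ev;
}

/* The three DBR entries of Example 8 (UpdateAcct), in the order the example writes them. */
static const dbr_entry example8[] = {
    { "-1", "*", EV_ERROR },   /* DBR(-1:*) RET(ERROR): OCI_ERROR with any native code */
    { "0",  "0", EV_ACK   },   /* DBR(0:0)  RET(ACK):   success */
    { "*",  "*", EV_NAK   },   /* DBR(*:*)  RET(NAK):   everything else, e.g. OCI_NO_DATA */
};

/* Resolve one constructed (ret_code, err_code) pair against the Example 8 table. */
event_t example8_event(long ret_code, long err_code)
{
    return map_result(example8, 3, ret_code, err_code, EV_ACK);
}

/* Two-block action: the first block's outcome decides whether the second block runs. */
size_t blocks_run_for(long first_ret, long first_err)
{
    mapping_block blocks[2] = {
        { example8, 3, first_ret, first_err },
        { example8, 3, 0, 0 },
    };
    size_t ran;
    run_sql_action(blocks, 2, &ran);
    return ran;
}

int main(void)
{
    printf("ret 0 / err 0   -> %d (ACK=0)\n",   example8_event(0, 0));
    printf("ret -1 / err 17 -> %d (ERROR=2)\n", example8_event(-1, 17));
    printf("ret 100 / err 0 -> %d (NAK=1)\n",   example8_event(100, 0));
    printf("blocks run after NAK: %zu, after ACK: %zu\n",
           blocks_run_for(100, 0), blocks_run_for(0, 0));
    return 0;
}
```

Because entries are tried in order, DBR(-1:*) must precede DBR(*:*) for an OCI_ERROR result to map to ERROR rather than NAK; swapping the two lines in a real sqlaccess.config would silently turn database errors into plain rejections.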
    int32 ConversionFunction (void *source, uint *sourceLen, void *Target, uint *TargetLen)

Where:

source
    Address of the data to convert.
sourceLen
    Address of the length of the source data.
Target
    Address to store the converted data.
TargetLen
    Passes the address of the maximum length allowed for the target buffer into the function. Returns the actual data length copied to the target buffer.

Return Values

Custom or pre-defined event code. See “Event Names” (page 293) for more information on pre-defined event codes.
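The following is an added example of a custom conversion function written against the signature above; it is not part of the HP-UX AAA SDK or its pre-defined conversion functions. The function name AAAStringtoIPv4Octets, the int32 and uint typedefs, and the numeric values of the ACK and NAK events are assumptions made here because the SDK headers are not reproduced on this page. It converts a dotted-quad IPv4 string into four octets, honouring the in/out meaning of TargetLen and refusing input that is malformed or does not fit.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed SDK types and event codes: the real definitions come from the SDK headers. */
typedef int32_t      int32;
typedef unsigned int uint;
enum { EV_ACK = 0, EV_NAK = 1 };   /* placeholder values for the pre-defined ACK and NAK events */

/* Hypothetical custom conversion function: converts a dotted-quad IPv4 string in source
 * (sourceLen bytes, not necessarily NUL-terminated) into four network-order octets in
 * Target. On entry *TargetLen is the capacity of Target; on success it is set to the number
 * of bytes written (4). Returns ACK on success and NAK on any malformed or oversize input. */
int32 AAAStringtoIPv4Octets(void *source, uint *sourceLen, void *Target, uint *TargetLen)
{
    const char *s = source;
    uint len = *sourceLen;
    char buf[16];                      /* "255.255.255.255" is 15 characters */
    unsigned char octets[4];

    if (*TargetLen < 4 || len >= sizeof buf)
        return EV_NAK;                 /* refuse rather than overrun either buffer */
    memcpy(buf, s, len);
    buf[len] = '\0';

    const char *p = buf;
    for (int i = 0; i < 4; i++) {
        if (!isdigit((unsigned char)*p))
            return EV_NAK;             /* each field must start with a digit (no sign, no space) */
        char *end;
        long v = strtol(p, &end, 10);
        if (v > 255 || end - p > 3)
            return EV_NAK;             /* out of range, or more than three digits in a field */
        octets[i] = (unsigned char)v;
        if (i < 3) {
            if (*end != '.')
                return EV_NAK;         /* fewer than four fields */
            p = end + 1;
        } else if (*end != '\0') {
            return EV_NAK;             /* trailing characters after the fourth field */
        }
    }
    memcpy(Target, octets, 4);
    *TargetLen = 4;                    /* actual length copied, as the signature requires */
    return EV_ACK;
}

/* Demonstration wrapper: returns the four octets packed into one value on ACK,
 * or -1 when the conversion function returns NAK. */
long long convert_dotted_quad(const char *dotted, uint target_capacity)
{
    unsigned char out[4] = {0};
    uint slen = (uint)strlen(dotted);
    uint tlen = target_capacity;
    if (AAAStringtoIPv4Octets((void *)dotted, &slen, out, &tlen) != EV_ACK || tlen != 4)
        return -1;
    return ((long long)out[0] << 24) | ((long long)out[1] << 16) |
           ((long long)out[2] << 8)  |  (long long)out[3];
}

int main(void)
{
    printf("10.1.2.3            -> 0x%08llx\n", convert_dotted_quad("10.1.2.3", 4));
    printf("256.1.1.1           -> %lld\n",     convert_dotted_quad("256.1.1.1", 4));
    printf("10.1.2.3, 2-byte target -> %lld\n", convert_dotted_quad("10.1.2.3", 2));
    return 0;
}
```

The two checks on TargetLen and sourceLen before any copy are the part worth keeping in any conversion function: the SQL Access AATV hands the function raw attribute data and a fixed-size target, so a function that trusts either length can write past its buffers on a malformed RADIUS attribute.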
Example 8 Timestamp Synchronization

For OCI:

    SQLAction UpdateAcct
    {
        {
            input   RAD(Class)    DBP(sessid, 254, CHAR)
            output  DBR(-1:*)     RET(ERROR)
                    DBR(0:0)      RET(ACK)
                    DBR(*:*)      RET(NAK)
            SQLStatement db_oci
            {
                UPDATE RAD_ACCT_TABLE SET update_time=current_timestamp WHERE session_id=:sessid
            }
        }
    }

Finite State Table Configuration in the FSM

SQL Access for user profile retrieval requires no modification to the FSM. Use the Local Realm screen in the Server Manager to configure the SQL action for the desired realm.
Stored procedures are particularly useful for, but not restricted to, the following:
• Executing multi-statement transactions: Stored procedures simplify the SQL Access configuration when multiple SQL statements forming a transaction need to be executed. For example, the sample configuration includes a stored procedure that deletes a session row from the session table while returning the database column containing the IP address.
Example 10 Remove Session Stored Procedure Definition

    create or replace procedure remove_session(sessid IN varchar2, ipaddr OUT NUMBER) IS
    BEGIN
        select ASSIGNED_FRAMED_IP into ipaddr from RAD_SESS_TABLE where session_id=sessid;
        delete from RAD_SESS_TABLE where session_id=sessid;
    END;

Run Stored Procedure Call to remove_session in SQL Action:

    SQLAction StopSession-DHCP
    {
        {
            input   RAD(Class)             DBP(sessid, 254, CHAR)
            output  DBR(-1:*)              RET(ERROR)
                    DBP(ipaddr, 11, INT)   FUNC(AAAFreeIP)
                    DBR(0:0)               RET(ACK)
                    DBR(*:*)               RET
Adding Users to an SQL Database

To add a user into the SQL database, complete the following steps:

1. Enter the following URL to launch the User Database Administration Manager on your browser:

       https:///userdb/admin/

2. Enter your login and password when prompted. The User Database Administration Manager launches, as shown in Figure 86.

   Figure 86 The User Database Administration Manager

3. Click Add User.
Table 80 Fields in the Add Users Form

User Name
    Assign a user ID for the user. A user ID can comprise alpha-numeric characters, '-', '_', '!' and '@'. A user ID cannot exceed 128 characters.
First Name, Last Name
    Enter the first name and last name of the user. The names can comprise alpha-numeric characters, '_', '-', '.', and the space character.
User Password and Confirm Password
    Enter the password in the Password field.
   • L. Name or F. Name
   • Work Phone
   • Token Serial Number

   A list of matching users is displayed.

5. Click Modify User or the matching user listed. The Manage User screen is displayed.

6. Modify the relevant information. For information on modifying token information such as token status, see “Valid Token Status Values” (page 281). For information on validating tokens, see “Synchronizing Tokens (Procedure for Users)” (page 279). Click Modify User Info.
Figure 88 The Token Validate Screen

3. Enter two consecutive OTPs generated by the device.

4. If OTP validation is successful, assign the token to the user by clicking Add User or Modify User Info at the bottom of the screen. The token is assigned to the user and its status changes from AVAILABLE to ASSIGNED. Additionally, the User Database Administration Manager generates and e-mails an activation code to the user.

5. If you are using a token device, mail it to the user.
2. Type in the log-in name and the answer to the Security question that you have provided while activating the token.

3. From the main screen of the User Database Administration Manager, click Enroll Token. The Enroll Token screen appears as shown in Figure 89.

   Figure 89 The Enroll Token Screen

4. Complete the form in the Enroll Token screen according to the information in Table 81.

   Table 81 Fields in the Enroll Token Device Form
Users can also use this procedure to unlock locked tokens. To synchronize your tokens, complete the following steps:

1. In your browser window, enter the URL of the User Database Administration Manager as follows:

       https:///userdb/user/

   NOTE: The connection between the browser and web server is secured using HTTPS.

2. Type in the log-in name and the answer to the Security question that you have provided while activating the token.
Figure 91 The User Statistics Screen

Valid Token Status Values

Table 83 lists the valid values that can be assigned to a token.

Table 83 Valid Token Status Values

ASSIGN
    Indicates that the token has been assigned to a user, but has not yet been activated. Once the token is activated, the token status changes to ACTIVE.
ACTIVE
    Indicates that the token is currently assigned to a user.
AVAILABLE
    Indicates that the token is free and can be assigned to a user.
   If example.com is hosting the User Database Manager Interface:

       # sed 's#8021x/8021x_advisor.html#https://example.com/userdb/admin//#g' /tmp/menu-item-userdb.html > menu-item-userdb.html

   A menu item file for Server Manager, menu-item-userdb.html, is created.

4. Reload the Server Manager screen to invoke the User Database Administration Manager from the Server Manager screen.

Multi-Row Support For SQL Access

Currently, SQL Access handles only one row returned by an SQL query.
23 Simple Network Management Protocol (SNMP) Support

Simple Network Management Protocol (SNMP) Support provides a mechanism for a centrally located management workstation to monitor the activity of remote computers and network services.
10. To configure the SNMP manager to monitor the RADIUS information, complete the required steps for your SNMP manager.

    NOTE: You must specify the same context name that you used to start the RADIUS server while configuring your SNMP manager to monitor RADIUS information. The SNMP manager uses the context name to distinguish one HP-UX AAA Server from another on the same host. For more information on context name, see Table 9 (page 53).
24 VPN Tunneling

Tunneling involves access to a server that provides secure intranet or other network functionality through a dial-up or Internet connection from a client workstation. This process can be categorized as one of two types: voluntary or compulsory. Some applications, such as secure access to corporate intranets through the Internet, are characterized by voluntary tunneling, where users create the tunnel through client software at their workstation.
25 Using DHCP

The HP-UX AAA server can act as a Dynamic Host Configuration Protocol (DHCP) relay to request IP address assignments from a DHCP server. Currently, only DHCPv4 is supported. To use DHCP, you must associate address pools with the AAA server’s incoming requests.
Associating Address Pools with Realms and Other Conditions

Use the following steps to associate address pools with realms and other conditions by modifying HP-UX AAA Server decision files. See Chapter 26: “Customizing the HP-UX AAA Server Using the Finite State Machine” (page 291) and Chapter 27 (page 301) for more information. The following steps and examples associate an IP address pool named test_pool with a realm named test.com.

1. Create a policy file in /etc/opt/aaa/dhcp.
Part V Customizing the HP-UX AAA Server

This part of the HP-UX AAA Server Administrator’s Guide contains the following chapters:
• Chapter 26: “Customizing the HP-UX AAA Server Using the Finite State Machine” (page 291)
• Chapter 27: “Customizing the HP-UX AAA Server Using Policies” (page 301)
• Chapter 28: “Customizing the HP-UX AAA Server Using the SDK” (page 329)
Contents

26 Customizing the HP-UX AAA Server Using the Finite State Machine (page 291)
    States (page 291)
        Using Xstring to call Policy (page 293)
        Using Xstring to Call an Alternate authfile (page 293)
    Event Names
        Reply Egress Policy (page 323)
        Proxy Egress Policy (page 323)
        Proxy Ingress Policy (page 324)
    Useful Attributes for Policy Conditions
26 Customizing the HP-UX AAA Server Using the Finite State Machine

The main component of the server’s software engine is the Finite State Machine (FSM) and a few associated routines. At server startup, the FSM reads instructions from a state table by loading and parsing a .fsm file. By default, it loads the radius.fsm file, unless it is missing or you have specified another .fsm file using the radiusd -f command. The .
The server can be set up to do a variety of different functions by modifying existing or creating new FSM state tables. For example, interim accounting messages can be logged by calling the appropriate module at a certain point in the authentication process. Each state defined in a finite state table starts with a line containing the name of the state, followed by a colon character. Each subsequent line is an event handler with three required and two optional fields, delimited by spaces or tabs.
Using Xstring to call Policy

With the POLICY module, you can use the Xstring parameter to specify a URL where policy definitions are stored. These policies group requests based on Attribute Value (A-V) pairs in an Access-Request, which allows the request to be resolved differently according to those values.
Table 85 Predefined Event Names (continued)

ACCT_OFF
    Received accounting message has a Status-Type of Accounting-Off.
ACCT_ON
    Received accounting message has a Status-Type of Accounting-On.
ACCT_START
    Received accounting message has a Status-Type of Start.
ACCT_STOP
    Received accounting message has a Status-Type of Stop.
ACCT_TUNNEL_LINK_START
    The incoming Accounting-Request is a message to start a session through an established tunnel.
Table 85 Predefined Event Names (continued)

PROXY_CREDENTIAL
    Proxies OTP to the target proxy server when OTP authentication is configured.
    NOTE: The default policy file uses the RAD2RAD AATV.
PROXY_EGRESS
    This event may be returned by the RAD2RAD AATV (RADIUS proxy) module to indicate that a request is about to be forwarded. In the default FSM this invokes the proxy reply-egress policy. This event is not pre-defined; it must be defined in the FSM file.
Name
    Can be any alphanumeric string and can include underscores (_).
Actions
    The actions in the state table correspond to the AATV actions defined. These actions perform discrete functions, such as initiating an authentication request, replying to an authentication request, or logging an accounting record. Any action in the state table must exist in an HP-UX AAA library or plug-in (located in the /opt/aaa/aatv directory). Table 86 lists some of the available actions.
Table 86 Available Actions (continued)

REALM
    Handles realm-based authentication.
REDO
    Repeats an action.
REPLY
    Sends a RADIUS reply (access or accounting) to a client.
ReplyDispatch
    Translates the Interlink-Reply-Status attribute to an FSM event.
ReplyPrep
    Prepares to generate reply messages prior to the reply-egress policy.
ReplySend
    Generates reply messages after the reply-egress policy.
RequestDispatch
    Translates the Interlink-Proxy-Action attribute to an FSM event.
Table 87 Predefined FSM Tables (continued)

/opt/aaa/examples/config/sqlacess-acct.fsm
    Sample FSM file required to implement accounting without session management using SQL Access.
/opt/aaa/examples/config/sqlaccess-acct-sess.fsm
    Sample FSM file required to implement accounting with session management using SQL Access.

To use any of the above predefined state tables for the HP-UX AAA server, copy the required .fsm file to /etc/opt/aaa/radius.
Line 5
    If PREPROC returns an ACK value, handling of the request continues normally with the modified user name.
Line 6
    If PREPROC returns a NAK value, the request will be rejected.

NOTE: When listing an event, you need to specify the last action only if it is required for the finite state table to correctly determine the next action. In this case, the Preauth events *.*.ACK and *.*.NAK on lines 5 and 6 would also work.
     9  *.*.ACK       REPLY     Hold
    10  *.*.NAK       REPLY     Hold
    11  *.*.ACC_CHAL  REPLY     Hold
    12  *.*.ACCT_DUP  RAD2RAD   REPLYHold   Xstring="default.accounting.proxy.server"
    13  Hold:
    14  *.*.TIMEOUT   NULL      End
    15  End:

Lines 1 to 2
    The FSM handles the request normally until it reaches the ACCTwait state.
Lines 2 to 4
    RAD2RAD forwards the message to default.accounting.proxy.server. When a response is received from the remote server, the FSM transitions to the REPLYHold state.
27 Customizing the HP-UX AAA Server Using Policies

This chapter explains how you can use policies to customize the HP-UX AAA Server. This chapter also discusses some sample policy implementations.
Notes:
• Customers can also write their own policy decision files and invoke them from the FSM or the user profiles.
• This chapter discusses only the new (and easier to use) format for creating decision files. The old format contains policy group entries that are still supported. However, the old format is not documented in this chapter. For information about the old syntax, see Appendix E (page 443).
• You cannot create a single decision file using syntax from both formats.
Action Commands

A decision file contains a series of action commands that specify the action to be performed by the policy. Following are the action commands that you can specify:
• “The delete Command”
• “The insert Command”
• “The modify Command” (page 305)
• “The exit Command” (page 306)
• “The log Command” (page 307)
• “The if Command” (page 307)

The following sections discuss these action commands in detail.
Table 88 Examples Illustrating the Use of the delete Command (continued)
Attributes in the Request: NAS-Port = 2, Reply-Message = "Hello, world!"
Command: delete NAS-IP-Address[0]
Result: NAS-Port = 2, Reply-Message = "Hello, world!"
Attributes in the Request: NAS-Port = 2, Reply-Message = "Hello, world!"
Command: delete NAS-IP-Address[last]
Result: NAS-Port = 2, Reply-Message = "Hello, world!"
The insert Command
Syntax
insert = 
Parameters
• : The parameter is an attribute specification.
Table 90 Examples Illustrating the Use of the insert Command (continued)
(row continued from the previous page) Attributes in the Request: Reply-Message = "message#2"
Result: NAS-IP-Address = "2.3.4.5", Reply-Message = "message#2"
Attributes in the Request: NAS-IP-Address = "2.3.4.5", NAS-Port = 2, Reply-Message = "message#1", Reply-Message = "message#2"
Command: insert Reply-Message[0] = "a new message"
Result: NAS-IP-Address = "2.3.4.5", NAS-Port = 2, Reply-Message = "a new message", Reply-Message = "message#1", Reply-Message = "message#2"
Attributes in the Request: NAS-IP-Address = "2.3.4.
Examples
Table 91 discusses some examples illustrating the use of the modify command.
Table 91 Examples Illustrating the Use of the modify Command
Attributes in the Request: Reply-Message = "123", Reply-Message = "456"
Command: modify Reply-Message = "abc"
Result: Reply-Message = "123", Reply-Message = "abc"
Attributes in the Request: Reply-Message = "123", Reply-Message = "456"
Command: modify Reply-Message = Reply-Message[0]
Result: Reply-Message = "123", Reply-Message = "123"
Attributes in the Request: NAS-Identifier = "abc.def.
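The instance-selection behaviour behind Tables 88, 90 and 91 (numeric index, the last keyword as the default, the asterisk for all instances), as an added Python model that is not the HP-UX AAA Server's own code; the list representation, the no-op treatment of deleting an absent instance, and the append position for insert without an index are assumptions made here from the rows shown.

```python
"""Model of the delete, insert and modify policy commands over a RADIUS
attribute list, following Tables 88, 90 and 91. Constructed example; this is
not the HP-UX AAA Server's own code."""
from typing import List, Tuple, Union

Attr = Tuple[str, str]        # (attribute name, value)
Instance = Union[int, str]    # numeric index, "last", or "*"


def _positions(attrs: List[Attr], name: str) -> List[int]:
    """List positions of every instance of `name` (names are case-insensitive)."""
    return [i for i, (n, _) in enumerate(attrs) if n.lower() == name.lower()]


def _resolve(attrs: List[Attr], name: str, inst: Instance) -> List[int]:
    """Map an instance specification to the list positions it selects.
    `last` is the default when no keyword is given."""
    pos = _positions(attrs, name)
    if inst == "*":
        return pos
    if inst == "last":
        return pos[-1:]
    return pos[inst:inst + 1] if 0 <= inst < len(pos) else []


def get(attrs: List[Attr], name: str, inst: Instance = "last") -> str:
    """Read an instance used as a value, e.g. Reply-Message[0] in Table 91.
    An absent instance is a no-such-instance run-time error."""
    sel = _resolve(attrs, name, inst)
    if not sel:
        raise LookupError("no-such-instance: %s[%s]" % (name, inst))
    return attrs[sel[0]][1]


def delete(attrs: List[Attr], name: str, inst: Instance = "last") -> List[Attr]:
    """delete <attr>[inst]: remove the selected instance(s).
    Deleting an absent instance is modelled as a no-op (assumption)."""
    drop = set(_resolve(attrs, name, inst))
    return [a for i, a in enumerate(attrs) if i not in drop]


def insert(attrs: List[Attr], name: str, value: str,
           inst: Instance = "last") -> List[Attr]:
    """insert <attr>[inst] = value. A numeric index n places the new instance
    before existing instance n (Table 90: insert Reply-Message[0] puts the
    new value first). `last`, the default, appends after the last existing
    instance, or at the end of the list when none exists (assumption)."""
    out = list(attrs)
    pos = _positions(attrs, name)
    if not pos:
        at = len(out)
    elif inst == "last" or not isinstance(inst, int) or inst >= len(pos):
        at = pos[-1] + 1
    else:
        at = pos[inst]
    out.insert(at, (name, value))
    return out


def modify(attrs: List[Attr], name: str, value: str,
           inst: Instance = "last") -> List[Attr]:
    """modify <attr>[inst] = value: overwrite the selected instance(s);
    without an index the last instance is changed (Table 91, first row)."""
    out = list(attrs)
    for i in _resolve(attrs, name, inst):
        out[i] = (out[i][0], value)
    return out
```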
The log Command
Syntax
log "" ""
log "" "",
log "" "", , , ...
Parameters
• : The parameter must be a quoted string and a log-level type. Following are the valid log levels:
◦ ERROR
◦ CRITICAL
◦ ALERT
◦ WARNING
◦ INFO
NOTE: The parameter is case-insensitive. For example, ERROR is considered identical with Error.
arbitrary depth. When the else clause is omitted, can be considered as an empty sequence of action commands. Operation The if command first evaluates the boolean expression . If evaluates to true, the sequence of action commands is executed. If evaluates to false and an else clause is present, the sequence of action commands is executed.
Example 12 Examples Illustrating the Use of the if Command
Example 1
The following if statement:
if ( Session-Limit[1] < 30 ) {
    modify Session-Limit[1] = 30
} else {
    if ( Session-Limit[1] > 240 ) {
        modify Session-Limit[1] = 240
    }
}
With the following input:
Session-Limit[0] = 10
Session-Limit[1] = 300
Results in:
Session-Limit[0] = 10
Session-Limit[1] = 240
Example 2
The following if statement:
if ( (NAS-IP-Address = "192.168.1.2") && ((NAS-Identifier = .jack.
• “No Instance Specification”
• “Numeric Instance Specification”
• “Keyword Instance Specification” (page 310)
The following sections describe these keywords in detail.
Attribute Names
Attribute names defined in the server's dictionary file can be used. Attribute names are case-insensitive. For example, Reply-Message is considered identical with REPLY-MESSAGE. For more information on attribute names, see “The dictionary File” (page 391).
Using the begin keyword with other commands results in an invalid-instance-specification load-time error.
• The last keyword: If you want to specify the last instance of an attribute, use the last keyword. Following is an example of a correctly formatted keyword instance specification:
Reply-Message[last]
NOTE: This is the default value if no keyword is specified.
• The asterisk keyword: If you want to specify all instances of an attribute, use the asterisk (*) symbol.
The length Attribute Function
Syntax
length ()
Parameters
The parameter is an attribute specification. For more information on specifying attributes, see “Attribute Specifications” (page 309).
Operation
Returns an integer value that indicates the number of characters in the string attribute. For a tag-str attribute, the tag octet is not included. If the parameter refers to an instance that is not present, then a no-such-instance run-time error is generated.
Table 92 Examples of the strcat Attribute Function (continued)
Attributes in the Request: Reply-Message = "123", Tunnel-Password = :2:"ABC"
Command: insert Tunnel-Password = strcat ( tolower( Tunnel-Password ), Reply-Message )
Result: Reply-Message = "123", Tunnel-Password = :2:"ABC", Tunnel-Password = :0:"abc123"
Attributes in the Request: Reply-Message = "123", Tunnel-Password = :2:"abc"
Command: modify Tunnel-Password = strcat( Reply-Message, strcat ( "456", Tunnel-Password ) )
Result: Reply-Message = "123", Tunnel-Password = :2:"123456abc"
The s
Example 13 Examples Illustrating the Use of the offset Keyword
If Reply-Message = "a string of characters", then:
Example 1: substr ( Reply-Message offset 0 length 8 ) returns the following string: a string
Example 2: substr ( Reply-Message offset 16 length 82 ) returns the following string: acters
Example 3: substr ( Reply-Message offset 12 ) returns the following string: characters
Example 4: substr ( Reply-Message offset 32 ) returns an empty string.
Example 14 Examples Illustrating the Use of the before Keyword
If Reply-Message = "a string of characters", then:
Example 1: substr ( Reply-Message before " of" ) returns the following string: a string
Example 2: substr ( Reply-Message before last " " ) returns the following string: a string of
Example 3: substr ( Reply-Message before "not-there" ) returns the entire string.
NOTE: If the parameter refers to an instance that is not present, then a no-such-instance run-time error is generated.
Example 15 Examples Illustrating the Use of the after Keyword
If Reply-Message = "a string of characters", then:
Example 1: substr ( Reply-Message after " of" ) returns the following string: " characters"
Example 2: substr ( Reply-Message after last " " ) returns the following string: characters
Example 3: substr ( Reply-Message after "not-there" ) returns an empty string.
NOTE: If the parameter refers to an instance that is not present, then a no-such-instance run-time error is generated.
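The offset, length, before, after and last behaviour of substr from Examples 13 to 15, as an added Python model that is not the HP-UX AAA Server's own code; it assumes an absent attribute instance is passed as None and covers the "not-there" and past-the-end cases the examples list.

```python
"""Model of the substr attribute function with the offset, length, before,
after and last keywords, following Examples 13 to 15. Constructed example;
this is not the HP-UX AAA Server's own code."""
from typing import Dict, Optional


def substr(value: Optional[str], offset: int = 0, length: Optional[int] = None,
           before: Optional[str] = None, after: Optional[str] = None,
           last: bool = False) -> str:
    """Return the part of `value` selected by one keyword form.

    offset/length: characters starting at `offset`; a length running past the
      end returns what remains, and an offset past the end returns "".
    before <s>: the text up to the first occurrence of <s> (the final one when
      `last` is set); the entire string when <s> does not occur.
    after <s>: the text following that occurrence; "" when <s> does not occur.
    `value` is None when the attribute instance is absent, which the server
    reports as a no-such-instance run-time error.
    """
    if value is None:
        raise LookupError("no-such-instance")
    if before is not None:
        idx = value.rfind(before) if last else value.find(before)
        return value if idx < 0 else value[:idx]
    if after is not None:
        idx = value.rfind(after) if last else value.find(after)
        return "" if idx < 0 else value[idx + len(after):]
    end = None if length is None else offset + length
    return value[offset:end]


def example_results(msg: str = "a string of characters") -> Dict[str, str]:
    """The documented cases of Examples 13 to 15, keyed by their decision-file form."""
    return {
        'substr ( Reply-Message offset 0 length 8 )': substr(msg, offset=0, length=8),
        'substr ( Reply-Message offset 16 length 82 )': substr(msg, offset=16, length=82),
        'substr ( Reply-Message offset 12 )': substr(msg, offset=12),
        'substr ( Reply-Message offset 32 )': substr(msg, offset=32),
        'substr ( Reply-Message before " of" )': substr(msg, before=" of"),
        'substr ( Reply-Message before last " " )': substr(msg, before=" ", last=True),
        'substr ( Reply-Message before "not-there" )': substr(msg, before="not-there"),
        'substr ( Reply-Message after " of" )': substr(msg, after=" of"),
        'substr ( Reply-Message after last " " )': substr(msg, after=" ", last=True),
        'substr ( Reply-Message after "not-there" )': substr(msg, after="not-there"),
    }
```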
NOTE: Integer values can be used with integer, tag-int, and short type attributes.
• Named Integer Values: Named integer values defined in the server's dictionary file can be specified by enclosing these values in double quotes.
NOTE: Named integer values can only be used with attributes of type integer and tag-int that have defined name values in the dictionary.
• String Values: String values are enclosed in double quotes ("). A tag is specified by prefixing the value with the :tag: syntax.
◦ * /
◦ + -
• Association Rules: Following are the association rules in decreasing order:
◦ + - left-to-right
◦ * / left-to-right
◦ - (negation) non-associative
The following example illustrates the use of arithmetic expressions.
Boolean Operator Precedence and Association
When multiple operators appear in a Boolean expression, the following precedence and association rules are applied:
• Precedence Rules: Following are the precedence rules in decreasing order:
◦ ()
◦ !
◦ <, >, <=, >=
◦ !=
◦ &&
◦ ||
◦ =
• Association Rules: Following are the association rules:
◦ && left-to-right
◦ || left-to-right
◦ ! right
The following examples illustrate the rules of precedence:
Example 17 Examples Illustrating Precedence Rules
Example 1
The boolean expression:
Reply-Message = "hello" && NAS-Port > 7 || Reply-Message = "goodbye" || Reply-Message = "nothing"
is fully parenthesized as:
( ( (Reply-Message = "hello") && (NAS-Port > 7) ) || (Reply-Message = "goodbye") ) || (Reply-Message = "nothing")
and is evaluated as:
if ( Reply-Message = "hello" )
    if ( NAS-Port > 7 )
        return true
if ( Reply-Message = "goodbye" )
    return true
if ( Reply-Message = "nothing" )
    return true
return false
Table 95 Compatible Attribute Types
Value Type: Integer-value; Compatible Attribute Types: integer, tag-int, short, octet
Value Type: String-value; Compatible Attribute Types: string, tag-str, octets
Value Type: Date-value; Compatible Attribute Types: date
Value Type: IP-address-value; Compatible Attribute Types: ipaddr, ipv6addr, ifid, ipv6prefix
You must not mix attributes from different value-type groups, because this can cause a type mismatch load-time error.
Invoking a Policy
You can invoke a policy using one of the following methods:
• “Invoking Policies Through Predefined Policy Hooks.
Figure 93 Flow of the Request Ingress Policy
User Policy
After authentication, all requests are subjected to user policy. The user policy is applied only after successful authentication. A user policy can be specified in a Policy-Pointer attribute on the request, either as a check item or a reply item. If the Policy-Pointer attribute is found in the check items, then the HP-UX AAA Server does not look for one in the reply items.
carl    Password = carl, Policy-Pointer = "decisionfile://path-to-file"
or
fred    Password = fred
        Policy-Pointer = "decisionfile://path-to-file"
Reply Egress Policy
Reply egress policy can be defined in the reply-egress.grp decision file in the server's configuration directory. The reply egress policy is applied as the final step in the FSM, just before the RADIUS reply message is created and sent.
Figure 96 Flow of the Proxy Egress Policy
Proxy Ingress Policy
Proxy ingress policy can be defined in the proxy-ingress.grp decision file in the server's configuration directory. The proxy ingress policy is applied after the proxy response is received. The proxy ingress policy can be used to alter the request in one of the following ways:
• A-V pairs may be added, modified, or removed.
• The reply type may be altered.
• The request may be rejected immediately.
Table 96 Attributes Typically Used in Policy Group Conditions and Replies
Attribute: Interlink-Packet-Code
Description: This attribute contains the code from the RADIUS packet header. It can have an Access-Request or an Accounting-Request value.
Attribute: Interlink-Proxy-Action
Description: This attribute contains an event which indicates the type of the request. This is also the event which will be delivered to the FSM (as per the default FSM).
When a policy is evaluated, it can return an event to the FSM to direct the subsequent processing of a request. The policy can return events to the FSM in the following ways:
• Exit Command: Using the Exit command terminates the evaluation of the policy. The specified event is returned to the FSM.
• Default Event: If evaluation of a decision file reaches the end without encountering an Exit command, the default event is returned to the FSM. The default event is ACK.
1. Replace the radius.fsm file in the server's configuration directory with /opt/aaa/examples/config/DAC.fsm. For example, if the server's configuration directory is /etc/opt/aaa/radius.fsm, then enter the following command:
# cp /opt/aaa/examples/config/DAC.fsm /etc/opt/aaa/radius.fsm
NOTE: Take a backup of /etc/opt/aaa/radius.fsm before replacing it.
IMPORTANT: If you are using a different decision file than the supplied DAC.
1. Replace the radius.fsm file in the server's configuration directory with /opt/aaa/examples/config/DNIS.fsm. For example, if the server's configuration directory is /etc/opt/aaa/radius.fsm, then enter the following command:
# cp /opt/aaa/examples/config/DNIS.fsm /etc/opt/aaa/radius.fsm
NOTE: Take a backup of /etc/opt/aaa/radius.fsm before replacing it.
2.
28 Customizing the HP-UX AAA Server Using the SDK
This chapter describes how to use the Software Developer's Kit (SDK) to customize the HP-UX AAA Server. This chapter addresses the following topics:
• “SDK Overview.
Example 18 Example of a Pre-Paid Billing Application Using a Plug-in Created Using the HP-UX AAA Server SDK In this example, a service provider wants to implement a service where blocks of connect time are purchased in advance. In addition to being authenticated, each user must be authorized based on his or her account balance. Only those users with a positive balance are granted network access and their session is limited to the time equivalent of their balance at the time they are authenticated.
SDK Directory Structure
The HP-UX AAA Server SDK consists of the following files and directories:
• The /opt/aaa/include/sdk.h header file
• The following sample plug-ins:
◦ /opt/aaa/examples/sdk/CSI/checkCSI.c
◦ /opt/aaa/examples/sdk/ace/samplesc.c
• READMEs that describe the sample AATVs
Important Note: For information on the header files, data structures, and APIs included with the SDK, see Appendix D (page 430).
static int myaction(sdk_authreq_t *authreq, int value, const char *string);
Following are the input parameters:
authreq: A pointer to the authreq.
value: The Xvalue from the FSM table for this action, if configured. If not, 0 is passed in by the Server.
string: This parameter can have one of the following values:
• The Xstring from the FSM table if the AATV is configured in the FSM.
• The Xstring from the authfile if the AATV is configured to process an authentication request.
The following sections describe the working of these sample plug-ins, as well as procedures to do the following tasks:
• “Using AATVs to Create a Plug-in” (page 333)
• “Compiling and Loading a Plug-in” (page 334)
• “Testing and Debugging a Plug-in” (page 334)
The ACE AATV
The ACE AATV is a sample challenge-response authentication AATV. At a high level, this plug-in performs the following functions:
1. Checks that the User-Id A-V pair is present in the request.
4. aatv_count is the number of AATVs that are loaded. aatv_info_v2_t is the data structure containing the function pointer to the init(), action(), timer(), and cleanup() functions. For more information on the aatv_info_v2_t data structure, see “Header Files, Data Structures, and APIs in the HP-UX AAA Server SDK” (page 430). Set the parameters of the aatv_info_v2_t data structure. Add them to aatv_list and set the value of aatv_count.
# kill
3. Enter the following command:
# chatr +dbg enable /opt/aaa/bin/radiusd
4. Start radiusd by entering the following command:
# /opt/aaa/bin/radiusd
5. Start the debugger by entering the following command:
# gdb
This command starts a gdb session in UNIX and the gdb prompt appears. You can access help by typing help at the gdb prompt. For more information about gdb, enter man gdb at the command prompt.
an individual GSM network operator. Therefore, the functions are not standardized. Instead, each operator specifies the functions. The A3 and A8 algorithm plug-ins are software modules that contain these specific functions. They customize the GSM authentication for each network operator. An A3 or A8 plug-in may include zero or one A3 algorithm. If you write a plug-in for A3, an A8 plug-in with the same name must exist. Similarly, if you write a plug-in for A8, an A3 plug-in with the same name must exist.
5. To implement the sample A3 algorithm, modify the following code:
unsigned int idx;
for ( idx = 0; idx < 4; ++idx ) {
    sres[idx] = 0;
}
return SDK_SUCCESS;
On success, the A3 algorithm returns SDK_SUCCESS. Otherwise, it returns SDK_FAILURE.
6. To implement the sample A8 algorithm, modify the following code:
unsigned int idx;
for ( idx = 0; idx < 8; ++idx ) {
    kc[idx] = 0;
}
return SDK_SUCCESS;
On success, the A8 algorithm returns SDK_SUCCESS. Otherwise, it returns SDK_FAILURE.
static int f3impl( const unsigned char * ki, const unsigned char * rand, unsigned char * ik );
static int f4impl( const unsigned char * ki, const unsigned char * rand, unsigned char * ck );
static int f5impl( const unsigned char * ki, const unsigned char * rand, unsigned char * ak );
static int f5ximpl( const unsigned char * ki, const unsigned char * rand, unsigned char * ak );
NOTE: Changing the function names is not mandatory. However, the parameters must not be modified.
4.
6. To implement the sample f1x() algorithm, modify the following code in the f1ximpl function:
unsigned int idx;
for ( idx = 0; idx < 8; ++idx ) {
    maca[idx] = 0;
}
return SDK_SUCCESS;
On success, the f1x() algorithm returns SDK_SUCCESS. Otherwise, it returns SDK_FAILURE.
7. To implement the sample f2() algorithm, modify the following code in the f2impl function:
unsigned int idx;
for ( idx = 0; idx < 8; ++idx ) {
    res[idx] = 0;
}
return SDK_SUCCESS;
On success, the f2() algorithm returns SDK_SUCCESS.
Part VI Troubleshooting
This part of the HP-UX AAA Server A.08.02.10 Administrator’s Guide is organized as follows:
• Chapter 29: “Troubleshooting Overview” (page 343): Describes the AAA environment and gives an overview of HP-UX AAA Server troubleshooting.
• Chapter 30: “Troubleshooting Procedures” (page 347): Provides a troubleshooting flowchart followed by specific troubleshooting tables that enable you to identify the problem and take the necessary corrective actions.
29 Troubleshooting Overview
This chapter of the HP-UX AAA Server Administrator's Guide provides an overview of HP-UX AAA Server troubleshooting with respect to the AAA environment.
HP-UX AAA Server Operation
Figure 100 depicts the HP-UX AAA Server operation from the troubleshooting perspective.
Figure 100 HP-UX AAA Server Operation
The HP-UX AAA Server operation consists of the following steps:
1. The user or device that requires authentication communicates with the RADIUS client and provides authentication credentials such as user name and password.
The HP-UX AAA Server is administered through the Server Manager. Problems with the browser, Tomcat, or the RMI object, or incorrect administrator credentials, can cause failures when launching or using the Server Manager.
Probable Causes for Failure
This section discusses the problems, limitations, and considerations to take into account before troubleshooting the AAA environment.
Configuration Problems
An incorrectly configured RADIUS client, supplicant, or HP-UX AAA Server leads to problems.
RADIUS Client and Supplicant Considerations
The HP-UX AAA Server supports several RADIUS clients, supplicants, and OTP token generators. For a list of RADIUS clients, supplicants, and OTP token generators that have been certified for the HP-UX AAA Server, see HP-UX AAA Server A.08.02.10 Release Notes. Consider the following:
• If the RADIUS client does not receive a reply from the HP-UX AAA Server, it behaves as if the HP-UX AAA Server is offline.
30 Troubleshooting Procedures
This chapter describes how to troubleshoot problems that you encounter while using the HP-UX AAA Server in the AAA environment. This chapter includes a diagnostic flowchart and troubleshooting tables that enable you to identify the problem and perform the appropriate corrective actions.
Figure 101 Troubleshooting Flowchart
Troubleshooting Flowchart Process
This section describes the troubleshooting process that you can follow to identify problems with the HP-UX AAA Server. Each step listed below maps to the problem that is depicted in Figure 101.
1. Can launch Server Manager and view all applets and icons?
Launch the Server Manager administration and verify that all the applets and icons can be viewed.
Problem Resolution
Unable to launch Server Manager? See “Troubleshooting the Server Manager Administration Utility” (page 350). If you are able to resolve the problem using the suggestions listed in this section, but are facing other problems, proceed to step 2. If you are not facing any other problems, end the troubleshooting process.
4. HP-UX AAA Server returns Access-Accept (when the user is expecting an Access-Accept)?
Check to see if the HP-UX AAA Server returns Access-Accepts to clients/supplicants.
Problem Resolution
Is the server returning Access-Rejects? See “Troubleshooting Access-Rejects from the HP-UX AAA Server” (page 364). If you are able to resolve the problem using the suggestions listed in this section, but the user still cannot connect to the network service, see “Troubleshooting Provisioning Errors” (page 371).
Table 98 Common Problems with the Server Manager (continued)
Solution (continued): on the HP-UX AAA Server and the system running the Server Manager.
4. Check the RMI log files in /opt/aaa/remotecontrol/.
5. Ensure that Java Version 6.0 is used. For more information, see “Troubleshooting Remote Management Problems” (page 353).
Problem: Can launch the Server Manager, but Tomcat is not IPv6 enabled.
Table 98 Common Problems with the Server Manager (continued)
Problem: Can launch the Server Manager, but get ‘Parse Error’ in the HP-UX AAA Server Status Frame.
Cause (continued): Address’ do not correspond to the same host. HP-UX AAA Server Manager has not validated these values because the RMI object was not running when the server was configured.
Solution (continued): Using HP-UX AAA Server Manager” (page 200)
Cause: Error while parsing the group configuration file.
Solution:
1. Stop the HP-UX AAA Server Manager and Tomcat.
2.
NOTE: The lsof tool is an open source tool and is not available by default on HP-UX operating systems. 6. If the problem persists, report it to HP after collecting the information listed in Chapter 32: “Reporting Problems” (page 377). Troubleshooting Remote Management Problems This section describes how to troubleshoot remote management problems. If you are unable to use the Server Manager to administer an HP-UX AAA Server, complete the following steps: 1.
Troubleshooting the HP-UX AAA Server This section describes how to troubleshoot problems with HP-UX AAA Server startup and operation.
Table 99 Common Problems with HP-UX AAA Server Startup (continued)
Problem: Unable to load AATVs
Troubleshooting Solution:
1. Use grep to verify whether the radiusd daemon is running. If the daemon is running, use the existing instance of the daemon, or restart radiusd after killing the existing instance.
2. Check for other processes using the authentication and accounting ports configured for the radiusd and radacct entries, respectively, in /etc/services.
3.
Table 99 Common Problems with HP-UX AAA Server Startup (continued) Problem HP-UX AAA Server fails to start Troubleshooting Log Message doconfig: init_fsm() failed rad_fsminit: duplicate state: line
If you are unable to start the HP-UX AAA Server, complete the following steps:
1. Check if the radiusd daemon is already running by entering the following command:
# ps -ef | grep radiusd
If radiusd is running, the radiusd process is displayed. If the radiusd daemon is already running, you can stop and start the HP-UX AAA Server from the Server Manager Administration utility or the command line.
Table 100 Common Configuration Problems
Problem: Request dropped
Log Message: Request from unknown client dropped. Configure client in /etc/opt/aaa/clients or Access Devices screen in Server Manager.
Cause: The HP-UX AAA Server is not configured to receive requests from the RADIUS client.
Solution:
1. Ensure that the RADIUS client is sending requests to the correct HP-UX AAA Server.
2.
Table 100 Common Configuration Problems (continued)
Problem: Request dropped
Resolution (continued): If the string is specified as a string constant, check that it is enclosed within double quotes. If it is specified as an attribute, check that it is defined in the dictionary file.
Log Message: The specified attribute instance 'RADIUS:State[10]' could not be found.
Cause: This error can occur if one of the policy files is using an attribute instance that is not present in the incoming request.
Table 100 Common Configuration Problems (continued) Problem Troubleshooting aaa.config file match the CLIENT action names used in this policy file. For more information on HP-UX AAA Server client functionality, see “Configuring the HP-UX AAA Server for Client Functionality ” (page 211) Responses to client requests getting dropped.
Table 101 External Service Failure Problems (continued) Problem Troubleshooting properties in the Local Realms configuration in Server Manager or verify LDAP server host and port configuration values in the appropriate authfile in '/etc/opt/aaa Cause This problem may occur if the LDAP Server is not running, or if the LDAP properties are not correctly configured. Solution 1. Ensure that the LDAP server is running. 2.
Table 101 External Service Failure Problems (continued)
Solution (continued): Specify the correct server and port in the DBID structure of /etc/opt/aaa/sqlaccess.config. For more information on using the SQL Access feature with Oracle, see Chapter 17, SQL Access on page 221. If the sqlaccess.config configuration is correct, the OCI client is unable to resolve the database name. Ensure that the tnsnames.ora file contains all the databases that your OCI client can connect to.
Table 101 External Service Failure Problems (continued) Problem Troubleshooting Solution Verify if the DHCP server is running and can service IP address requests. Or, Specify an alternate DHCP server. Two-factor Log Message authentication using MS-CHAP v2 fails when the encrypted user password is stored in LDAP and the token information is stored in SQL database.
If proxy HP-UX AAA Servers are used, verify the proxy configuration for each proxy, starting with the proxy server closest to the RADIUS client/supplicant. For each proxy server, use the Add/Modify Proxy screen of the Server Manager and verify the following:
• Shared Secret: The shared secret on the proxy server must match that of the remote server to which the requests are forwarded.
• Realms to Forward: Ensure that the appropriate realms are selected.
Table 102 Common Authentication Failure Problems (continued)
Problem: Unable to authenticate
Solution:
1. Ensure that the shared secret configured on the RADIUS client matches the one specified in the Access Devices screen of the Server Manager.
2. Ensure that the password supplied by the user is correct.
Log Message: session_allowed: Access rejected.
Table 102 Common Authentication Failure Problems (continued)
Cause: An invalid password hash mechanism is specified manually for the user in the user profile.
Solution:
1. Navigate to the Users screen of the Server Manager and select the user.
2. Select a password hash mechanism. If you have modified the configuration, save the configuration and restart the HP-UX AAA Server.
Problem: Unable to authenticate
Log Message: check_request: Access denied.
Table 102 Common Authentication Failure Problems (continued) Problem Unable to authenticate Troubleshooting Solution Manually edit the /etc/opt/aaa/dictionary file and add the attribute . Log Message Sequence counter resynchronization failed for user in realm after unsuccessful OTP validations. The last sequence counter attempted is .
Table 102 Common Authentication Failure Problems (continued) Problem Troubleshooting Unable to authenticate Log Message The token for user in realm is not active. HP-UX AAA Server validates the OTP only for active tokens. Verify the token status in the token repository. Or The token with serial number for user in realm is not active. The current token status is . HP-UX AAA Server validates the OTP only for active tokens.
Table 102 Common Authentication Failure Problems (continued) Problem Troubleshooting Unable to authenticate Log Message Invalid hexadecimal string. Configured hexadecimal string for user of realm is NULL. Verify the configured hexadecimal string in the token repository. Cause The shared secret is not configured. Resolution Check the tokens table in the SQL database to check that the shared secret is configured for that user.
Table 103 EAP Problems (continued)
Problem: Unable to authenticate
Log Message: ProcessHandshake TLS: AAA Server generated TLS alert: 'certificate_expired'. Verify the validity of the user and CA certificates.
Cause: The client or supplicant certificate has expired.
Solution: Advise the user to acquire a new certificate from the administrator or ISP, and retry authentication.
Log Message: ProcessHandshake TLS: AAA Server generated TLS alert: 'certificate_revoked'.
Table 103 EAP Problems (continued)
Resolution (continued): You must merge the changes present in the legacy FSM with the radius.fsm file available in the HP-UX AAA Server A.08.02.10 release. For more information, see “Upgrading to Version A.08.02.10” (page 34)
Problem: EAP-AKA functionality disabled
Log Message: EAP-AKA : FSM does not define all of these events: 'AKA_AUTH_BY_PERMANENT_ID', 'AKA_AUTH_BY_PSEUDONYM', 'AKA_AUTH_BY_FAST_REAUTH_ID', 'AKA_UPDATE' 'AKA_RESYNCHRONIZATION'. Disabling EAP-AKA.
4. the /var/opt/aaa/logs/radius.debug file for attributes sent in the Access-Accept message. Ensure that the client is configured to expect the reply items sent by the HP-UX AAA Server. If you have modified the user profile through the Server Manager, save the changes to the HP-UX AAA Server.
Troubleshooting the HP-UX AAA Server Admin Utility
This section describes how to troubleshoot the HP-UX AAA Server Admin Tool.
Table 104 (continued)
3. Modify the configured Server Attributes of the server that is failing to start, using HP-UX AAA Server Manager. For more information, see “Administering HP-UX AAA Servers Using HP-UX AAA Server Manager” (page 200)
4. Save the Server Attributes using the HP-UX AAA Server as follows:
a. Click ‘Server Connections’ in the left panel. From the ‘Select a group for administration’ menu, select the group to which the servers that need to be run belong.
b.
31 Troubleshooting Resources
The HP-UX AAA Server includes a set of utility programs that can:
• check the status of the HP-UX AAA Server
• emulate a RADIUS client
• turn debugging on and off
• set and modify the debug level
Additionally, the RADIUS client and EAP supplicant vendors typically provide troubleshooting capabilities for their components. Protocol analyzers can also be used if more detailed troubleshooting is required.
information to the HP-UX AAA Server. The HP-UX AAA Server processes the received requests and returns an ACCEPT or REJECT reply. Following is the syntax for the radpwtst command:
radpwtst -s server [-a acks] [-c code] [-f fileprefix] [-g group] [-h] [-i clientaddress] [-l asyncport] [-n] [-p port] [-r retries] [-t timeout] [-u type] [-v version] [-w password] [-x|X] [[-:attribute=value]...
The HP-UX AAA Server Logfile
The server log file /var/opt/aaa/logs/logfile includes information about the start and stop of the HP-UX AAA Server, RADIUS requests, success and failure of access and accounting requests, warnings, and internal events. Following are the other log files related to the HP-UX AAA Server:
• /var/opt/aaa/logs/logfile_part<01-09>.yyyymmdd.gz - The compressed daily HP-UX AAA Server log.
• /var/opt/aaa/acct/session.yyyy-mm-dd.
32 Reporting Problems
If you are unable to solve the problem, do the following:
1. Read the Release Notes for [Product/Platform/Component] to see if the problem is known. If it is, follow the workaround offered to solve the problem.
2. Determine whether the product is still under warranty or whether your company purchased support services for the product. Your operations manager can supply you with the necessary information.
3. Access http://www.hp.
External Components
Include information on the following external components that interoperate with the HP-UX AAA Server:
External Databases
• Database type and version number
• Configuration details
• Log files and debug information
SNMP Servers
• Vendor name and version number
• Configuration details
• Log files and debug information
DHCP Servers
• Vendor name and version number
• Configuration details
• Log files and debug information
OpenSSL
• Version number
• Configuration details
EA
Part VII Reference
This part of the HP-UX AAA Server Administrator’s Guide contains the following chapters:
• Chapter 33: “Configuration Files” (page 382)
• Chapter 34: “Attribute-Value Pairs” (page 403)
• Chapter 35: “MIB Objects” (page 418)
33 Configuration Files The Server Manager interface configures most of the HP-UX AAA Server’s configuration files. However, some features of the HP-UX AAA Server cannot be configured through the Server Manager interface. If you want to define policy, vendor-specific attributes, or logging behavior, you must manually edit the configuration files. The information in this chapter is provided as a reference for the configuration files that Server Manager cannot configure.
The aaa.config File
The aaa.config file contains keyword-value entries, one per line, which allow the user to override the compiled-in default values in the AAA server. The aaa.config file can be used for performance tuning, debugging, or overriding built-in defaults.
IMPORTANT: Configuration files have a maximum input line length of 255 characters. No checking is done to ensure that a configuration statement has not exceeded this limit.
• Timeout sets the number of seconds that an LDAP connection remains open when the AAA server has not been able to complete any LDAP operation successfully. This parameter allows better handling of the situation where the LDAP directory times out client connections.
• TCP-Timeout sets the number of seconds that the AAA server waits for an LDAP server when trying to establish the TCP connection.
• Debug determines whether OpenLDAP debug messages must be written to the radius.
The list_copy_limit Variable This variable can be used for customized server configurations that accumulate A-V pairs or generate large responses. The default (and maximum) value is 512. Following is the syntax of the list_copy_limit variable: list_copy_limit=256 The localUsersFile.FilterType Property This property can be used to specify the case matching for each users file. Following is the syntax of the localUsersFile.FilterType property: localUserFile.
Traditional IP (IPv4) address: ourhostname=192.0.2.0 IPv6 Address: ourhostname=fedc:ba98:7654:3210:fedc:ba98:7654:3210 CAUTION: If you configure an IPv6 address in the ourhostname variable, then traditional IP (IPv4) hosts will not be able to send or receive messages. Similarly, if you configure an IPv4 address here, then IPv6 hosts will not be able to send or receive messages. If you configure a DNS name, then the first address returned by the DNS server is used.
NOTE: This feature may not work well in situations where the HP-UX AAA Server is communicating with non-HP servers. OTP Authentication-Related Configuration Items The following OTP authentication related configuration items can be set in the aaa.
IMPORTANT: Configuration files have a maximum input line length of 255 characters. No checking is done to ensure that a configuration statement has not exceeded this limit.
Syntax of a Client Entry
Name:authport:acctport:dynport Shared-Secret Type=vendor:{NAS|PROXY}options Version Prefix
An IPv4 example of a client that is a NAS:
192.0.2.0 secret type=Ascend+USR:NAS+RAD_RFC+ACCT_RFC v1
An IPv4 example of a client that is a proxy:
192.0.2.
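The following parser, added here as an example and not part of the HP-UX AAA Server or its documentation, splits a client entry into the fields of the syntax above and flags weak shared secrets. It assumes that fields are white-space separated, that colons in the first field are port separators (so it covers IPv4 addresses and host names but not bare IPv6 literals), that options follow the NAS or PROXY role joined with + as in the example, and that lines starting with # are comments. The host name and secret in the second sample entry are made up; the 16-octet secret check is the RFC 2865 recommendation, not a server rule.

```python
"""Parse entries of the HP-UX AAA Server clients file.

Added example, not product code.  Assumptions: white-space separated fields;
colons in the first field separate ports (IPv4 addresses and host names only);
options follow the NAS/PROXY role joined with '+'; '#' starts a comment line.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# RFC 2865 section 3: "It is preferred that the secret be at least 16 octets."
MIN_SECRET_OCTETS = 16
# Secrets that ship as placeholders in examples and default installs (added check).
PLACEHOLDER_SECRETS = {"secret", "password", "testing123"}
_TYPE_RE = re.compile(r"type=([^:]+):(NAS|PROXY)((?:\+[A-Za-z0-9_]+)*)$", re.IGNORECASE)


@dataclass
class ClientEntry:
    name: str
    authport: Optional[int]
    acctport: Optional[int]
    dynport: Optional[int]
    secret: str
    vendors: List[str]
    role: str            # "NAS" or "PROXY"
    options: List[str]   # e.g. ["RAD_RFC", "ACCT_RFC"]
    version: Optional[str]
    prefix: Optional[str]
    warnings: List[str] = field(default_factory=list)


def parse_client_entry(line: str) -> ClientEntry:
    """Parse one 'Name[:authport[:acctport[:dynport]]] Secret type=... [Version] [Prefix]' line."""
    fields = line.split()
    if len(fields) < 3:
        raise ValueError("a client entry needs at least name, shared secret and type")
    name_field, secret, type_field = fields[:3]
    version = fields[3] if len(fields) > 3 else None
    prefix = fields[4] if len(fields) > 4 else None

    name, *port_fields = name_field.split(":")
    if len(port_fields) > 3 or not all(p.isdigit() for p in port_fields):
        raise ValueError(f"bad port specification in {name_field!r}")
    ports = [int(p) for p in port_fields] + [None] * (3 - len(port_fields))

    match = _TYPE_RE.match(type_field)
    if not match:
        raise ValueError(f"bad type field {type_field!r}; expected type=vendor:{{NAS|PROXY}}options")
    vendors = match.group(1).split("+")
    role = match.group(2).upper()
    options = [opt for opt in match.group(3).split("+") if opt]

    warnings: List[str] = []
    if len(secret.encode()) < MIN_SECRET_OCTETS:
        warnings.append(f"{name}: shared secret shorter than {MIN_SECRET_OCTETS} octets")
    if secret.lower() in PLACEHOLDER_SECRETS:
        warnings.append(f"{name}: shared secret is a well-known placeholder")
    return ClientEntry(name=name, authport=ports[0], acctport=ports[1], dynport=ports[2],
                       secret=secret, vendors=vendors, role=role, options=options,
                       version=version, prefix=prefix, warnings=warnings)


def parse_clients_file(text: str) -> List[ClientEntry]:
    """Parse every non-blank, non-comment line of a clients file."""
    return [parse_client_entry(ln) for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def is_valid_client_entry(line: str) -> bool:
    try:
        parse_client_entry(line)
    except ValueError:
        return False
    return True


# Constructed sample: first line is the guide's NAS example, second is made up.
SAMPLE_CLIENTS = """\
# clients file sample (constructed)
192.0.2.0 secret type=Ascend+USR:NAS+RAD_RFC+ACCT_RFC v1
nas1.example.net:1812:1813:3799 Correct-Horse-Battery-Staple Type=Cisco:PROXY v1
"""

if __name__ == "__main__":
    for entry in parse_clients_file(SAMPLE_CLIENTS):
        print(entry.name, entry.role, entry.options, entry.warnings)
```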
fedc::ba98:fe* The users File User profiles associate information, like check and reply items, with a user name. The server configuration must include profiles for all the users that can access services through the AAA server. Profiles can be stored in flat text files, or in an external database. If a user profile is not included in the configuration, the server will reject the user's access request. The default users, realm, or prefix.users files may contain user profiles for authentication.
Framed-IPv6-Prefix This attribute indicates an IPv6 prefix to be configured for the user. Example 21 Examples of Framed-IPv6-Prefix Attribute Syntax 0/64/12ab::cd30:0:0:0:0 0/28/fedc:ba98:7654:3210 The first field in the above examples is the Reserved field. If you do not list this field, the default value 0 will be used. However, HP recommends using 0 in the Reserved field to comply with RFC 3162. The second field in the above example is the Prefix-Length field.
Example 24 Example of a Framed-IPv6-Pool Attribute Syntax Pool1 UserPool With Tunneling When the AAA server receives an Access-Request from a client that matches the user, fred-eng, it will first attempt to match the password to the User-Password attribute value in the request and then will check the request for a tunnel hint.
IMPORTANT: Configuration files have a maximum input line length of 255 characters. No checking is done to ensure that a configuration statement has not exceeded this limit. All configuration files must end with a new line.
You can track different versions of the dictionary file by adding the following line to the file:
%DICTID Version-String
Version-String is the version information. This string will appear in radcheck output.
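Because the server does not enforce the 255-character line limit or the terminating newline called out here and in the aaa.config and clients file descriptions, a lint pass before reloading is worthwhile. The following script is an added example, not product code; the sample file contents are constructed.

```python
"""Lint configuration files for the limits the guide states but the server does
not check: no input line longer than 255 characters and a terminating newline.
For dictionary files the %DICTID version string is reported as well.
Added example, not HP-UX AAA Server code."""
from typing import Dict, List, Optional

MAX_LINE_LEN = 255


def lint_config_text(text: str) -> Dict[str, object]:
    """Return {"ok", "problems", "dictid"} for the contents of one configuration file."""
    problems: List[str] = []
    dictid: Optional[str] = None
    if text and not text.endswith("\n"):
        problems.append("file does not end with a newline")
    lines = text.split("\n")
    if text.endswith("\n"):
        lines = lines[:-1]    # a terminating newline leaves an empty element behind
    for num, line in enumerate(lines, 1):
        if len(line) > MAX_LINE_LEN:
            problems.append(f"line {num}: {len(line)} characters, limit is {MAX_LINE_LEN}")
        if line.startswith("%DICTID"):
            dictid = line[len("%DICTID"):].strip() or None
    return {"ok": not problems, "problems": problems, "dictid": dictid}


def lint_config_file(path: str) -> Dict[str, object]:
    with open(path, "r", encoding="ascii", errors="replace") as fh:
        return lint_config_text(fh.read())


# Constructed samples: the limits come from the guide, the content is made up.
GOOD = "%DICTID 2.1-site\nATTRIBUTE User-Name 1 string\n"
BAD = "Framed-Route " + "x" * 250 + "\nlist_copy_limit=512"   # overlong line, no final newline

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        report = lint_config_file(path)
        print(path, "OK" if report["ok"] else "\n  ".join([""] + list(report["problems"])))
```

Run it as `python lint_config.py /etc/opt/aaa/aaa.config /etc/opt/aaa/clients` (file names as documented in this guide) before sending the server a HUP.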
pruning in the clients file, see “The clients File” (page 387). The pruning to apply is defined by pruning expressions in the dictionary's attribute entries. These optional expressions are defined in an attribute entry as follows: (ack, nak, chall, {NOLOG | ENCAPS | NOENCAPS | CONFIG | INTERNAL}) NOTE: If any value is omitted, but the comma is present for that value, that value will use its default. If the expression is omitted, all values use their defaults.
# Framed Protocol Values
VALUE Framed-Protocol PPP
VALUE Framed-Protocol SLIP
VALUE Framed-Protocol ARA
VALUE Framed-Protocol Gandalf
VALUE Framed-Protocol Xylogics
# LAS Session Termination Code Values
Merit.VALUE LAS-Code LAS-Normal
Merit.VALUE LAS-Code LAS-Reject
Merit.VALUE LAS-Code LAS-Cancel
Merit.VALUE LAS-Code LAS-Noconfirm
Merit.VALUE LAS-Code LAS-Overtime
Merit.VALUE LAS-Code LAS-Unknown
Merit.VALUE LAS-Code LAS-Notoken
Merit.VALUE LAS-Code LAS-Notlocal
Merit.VALUE LAS-Code LAS-Suspend
Merit.
Table 107 Default LAS Session Timing Parameters (continued)
Parameter    Default    Description
(continued)
    counted as a simultaneous session. This parameter is only used for Hunt-groups.
Session-Kill-Time    300 seconds (5 minutes)
    Tells LAS when to remove a session when it is in the Not-Confirmed, Disconnected, Rejected, Collided, or Rebooted state.
Session-Check-Time    300 seconds (5 minutes)
    States the time interval to check the session table.
Realm realm-name
    Authorization LAS-authorization-AATV
    Accounting LAS-accounting-AATV
    Service service-name
        service-name
        . . .
    End-Service number-of-services
    Tokenpool number-of-tokenpools
        Token-pool-name max-number-of-tokens
        Token-pool-name max-number-of-tokens
        . . .
    End-Tokenpool
End-Realm
Realm defines a name for the realm. Authorization specifies the AATV for performing authorization. The default is LASGEN. Accounting specifies the AATV to use for user accounting. The default is GENACCT.
value-string An optional string that defaults to Value when not specified. Non-default strings can be used to specify vendor specific values in the dictionary file. vendor-code The private enterprise number assigned by IANA. vendor-name The vendor name that can appear in the clients file as a type=vendor:nas entry, or in the dictionary and users files in vendor specific attribute names. standard-value The external or common attribute number in RADIUS requests on the network.
aatv Specifies one of the following AATVs to use for logging. • LOG_ACCT (Livingston/Lucent/RABU style call detail format, default) • LOG_ALL (logs all streams defined in log.config) • LOG_BRIEF (simple session format) • LOG_BY_ATTRIBUTE (logging based on user specified attribute in radius.
Values Logged by Default
The default LOG_V2_0 value used for session logs records the information listed in Table 108.
Table 108 Information Recorded by LOG_V2_0
Field    Type    Value    Description
1    seconds since midnight Jan. 1, 1970    LAS_start_time    Start of session, as calculated by the LAS.
2    integer    LAS_code    LAS termination code.
stream *default* {
    aatv log_acct
    buffer 1
    close on
    filename session.%Y-%m-%d.log
    update 900
    wrap 3
}
end
Multiple Logging Streams
By specifying log_all for aatv, LOG will generate a record for each stream defined in the log.config file (before the end keyword). Following is the syntax: stream *default* stream old { aatv buffer close filename } stream new { aatv aatv-value buffer close filename aatv log_all log_v1_1 1 on record.%y%m%d.las log_v2_0 7 1 on recordv2.%y%m%d.
Accounting Log Based on Attribute Value You can write accounting log to different log files, based on the RADIUS attribute value in the RADIUS accounting-request. To write accounting log to a different log file, you must modify the /etc/opt/aaa/log.config and /etc/opt/aaa/radius.fsm files. To write accounting log to different log files, complete the following steps: 1. Modify the /etc/opt/aaa/log.
Changing the Accounting Log Rollover Interval The log rollover interval (how often a new log file is created to store accounting records) is determined by the timestamp portion of the filename. To change the interval follow the steps described in “Changing the Accounting Log Filename” (page 106). The logging interval will change to the finest unit of time in the timestamp portion of the filename. For example, %Y-%m-%d-%H, will change the rollover interval to hourly.
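To see the rule applied, the following added example (not product code) parses the stream blocks of a log.config file in the form shown under "Values Logged by Default" and reports each stream's rollover interval from the finest strftime code in its filename. The stream names and filenames in the sample are constructed, the one-keyword-one-value layout inside a block is an assumption, and the mapping of codes other than the guide's %Y-%m-%d-%H example is the obvious extension of the finest-unit rule.

```python
"""Derive accounting-log rollover intervals from log.config stream filenames.

Added example, not HP-UX AAA Server code.  Assumes each stream block is
'stream NAME { keyword value ... }' with one white-space-free value per
keyword and the file terminated by 'end', as in the guide's sample."""
import re
from typing import Dict

# strftime code -> (rank, interval name); a lower rank is a finer unit.
_CODE_UNITS = {
    "S": (0, "per-second"), "M": (1, "per-minute"), "H": (2, "hourly"),
    "d": (3, "daily"), "j": (3, "daily"),
    "m": (4, "monthly"), "Y": (5, "yearly"), "y": (5, "yearly"),
}


def rollover_interval(filename: str) -> str:
    """The finest time unit in the filename decides how often a new file is opened."""
    units = [_CODE_UNITS[c] for c in re.findall(r"%(.)", filename) if c in _CODE_UNITS]
    if not units:
        return "never"    # no timestamp in the name: one file, no rollover
    return min(units)[1]


def parse_log_config(text: str) -> Dict[str, Dict[str, str]]:
    """Return {stream name: {keyword: value}} for every block before 'end'."""
    tokens = text.split()
    streams: Dict[str, Dict[str, str]] = {}
    i = 0
    try:
        while i < len(tokens) and tokens[i] != "end":
            if tokens[i] != "stream" or tokens[i + 2] != "{":
                raise ValueError(f"expected 'stream NAME {{' at token {i}: {tokens[i]!r}")
            name, i = tokens[i + 1], i + 3
            settings: Dict[str, str] = {}
            while tokens[i] != "}":
                settings[tokens[i]] = tokens[i + 1]
                i += 2
            streams[name] = settings
            i += 1
    except IndexError:
        raise ValueError("log.config ends inside a stream block") from None
    return streams


def stream_rollovers(text: str) -> Dict[str, str]:
    """Map each stream to its rollover interval ('never' when filename has no timestamp)."""
    return {name: rollover_interval(cfg.get("filename", ""))
            for name, cfg in parse_log_config(text).items()}


# Constructed sample: the first block is the guide's default stream, the others are made up.
SAMPLE_LOG_CONFIG = """\
stream *default* {
    aatv log_acct
    buffer 1
    close on
    filename session.%Y-%m-%d.log
    update 900
    wrap 3
}
stream hourly {
    aatv log_v2_0
    filename detail.%Y-%m-%d-%H.las
}
stream fixed {
    aatv log_brief
    filename brief.las
}
end
"""

if __name__ == "__main__":
    for name, interval in stream_rollovers(SAMPLE_LOG_CONFIG).items():
        print(f"{name:10s} rolls over {interval}")
```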
34 Attribute-Value Pairs The RADIUS protocol defines things in terms of attributes. Each attribute may take on one of a set of values. When a RADIUS packet is exchanged among clients and servers, one or more attributes and values are sent pairwise as an Attribute-Value pair (A-V pair). For the HP-UX AAA Server software, all valid attributes and values are listed in the dictionary file.
Tagged Attributes A RADIUS message can include multiple values for one or more attributes that are tagged to organize the attributes into defined groups. Depending on its capabilities, a client or server can selectively use one set of tagged attributes. For example, an Access-Accept can contain several different tunnel definitions. If it supports tagged attributes, the client can select the definition to use. Tagged attributes can be used as check or reply items.
Deny-Message = "*" NAS-Port != 3160 This wildcard string sends the following message indicating what deny item triggered the rejection: Access denied, NAS-Port != 3160 IMPORTANT: The Deny-Message will only be returned if a deny item (Attribute!= Value) comparison fails. It will not be returned if a check item fails. Expiration In date format, specifies when an entry expires.
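The distinction matters because Deny-Message tells the end user (and anything that can read Reply-Message on the path) which policy rule rejected them, whereas a failing check item rejects silently. The following added example, not product code, evaluates a profile of check items and deny items against request attributes with that rule. It assumes values compare as strings, check items are evaluated before deny items, a deny item whose attribute is absent from the request passes, authentication has already succeeded, and the comma-separated item list it parses is an assumed input form; the "*" expansion is the one shown above.

```python
"""Check items versus deny items, with Deny-Message only on a deny item failure.

Added example, not HP-UX AAA Server code.  Assumptions: string comparison,
check items evaluated before deny items, an absent attribute passes a deny
item, password authentication already done, comma-separated item syntax."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Profile:
    check_items: List[Tuple[str, str]] = field(default_factory=list)   # Attribute = Value
    deny_items: List[Tuple[str, str]] = field(default_factory=list)    # Attribute != Value
    deny_message: Optional[str] = None


def evaluate_profile(profile: Profile, request: Dict[str, str]) -> Tuple[bool, Optional[str]]:
    """Return (accepted, reply_message); reply_message is set only by a failed deny item."""
    for attr, value in profile.check_items:
        if request.get(attr) != value:
            return False, None                    # check item failed: silent reject
    for attr, value in profile.deny_items:
        if request.get(attr) == value:            # the "!=" comparison fails
            if profile.deny_message == "*":
                return False, f"Access denied, {attr} != {value}"
            return False, profile.deny_message    # None when no Deny-Message configured
    return True, None


def parse_profile_items(items: str) -> Profile:
    """Parse 'Service-Type = Framed-User, NAS-Port != 3160, Deny-Message = "*"' (assumed form)."""
    profile = Profile()
    for item in items.split(","):
        item = item.strip()
        if not item:
            continue
        if "!=" in item:
            attr, value = (s.strip() for s in item.split("!=", 1))
            profile.deny_items.append((attr, value))
        elif "=" in item:
            attr, value = (s.strip() for s in item.split("=", 1))
            value = value.strip('"')
            if attr == "Deny-Message":
                profile.deny_message = value
            else:
                profile.check_items.append((attr, value))
        else:
            raise ValueError(f"cannot parse item {item!r}")
    return profile


if __name__ == "__main__":
    # Constructed request attributes; the NAS-Port 3160 deny item is the guide's example.
    prof = parse_profile_items('Service-Type = Framed-User, NAS-Port != 3160, Deny-Message = "*"')
    for req in ({"Service-Type": "Framed-User", "NAS-Port": "3160"},
                {"Service-Type": "Login-User", "NAS-Port": "3160"},
                {"Service-Type": "Framed-User", "NAS-Port": "7"}):
        print(req, "->", evaluate_profile(prof, req))
```

In production prefer a literal Deny-Message over "*": the wildcard echoes the attribute name and value of the rule back to the NAS in Reply-Message.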
Local Authorization Service (LAS) Configuration
Some configuration-only attributes define information for authorization through the server's LAS. To activate the features related to these attributes for users in a given realm, you must enable session tracking for the user's realm. A NULL realm entry will still be required if the user does not belong to a realm. The Simultaneous-Use attribute can be used in a user entry for LAS functions.
NAS-Identifier
This attribute contains a string identifying the NAS originating the Access-Request. Either NAS-IP-Address, NAS-IPv6-Address, or NAS-Identifier must be present in an Access-Request.
NAS-Port
This attribute indicates the physical port number of the NAS which is authenticating the user.
NOTE: NAS port refers to a physical connection on the NAS, not a TCP or UDP port number.
system clock of the machine hosting the AAA server that is making the comparison.
Auth-Grace-Period
The server will terminate a session after the Session-Timeout or the combined Authorization-Lifetime and Auth-Grace-Period value expires.
Reply Items
Table 109 identifies which reply item attributes may also appear as a hint (a check item that the server compares against the request) and which may not.
Table 109 Reply Item Attributes (continued)
Attribute    Check Item (Hint)    Reply Item
Reply-If-Ack-Message    No    Yes
Reply-Message    No    Yes
Service-Type    Yes    Yes
Session-Timeout    No    Yes
Tunnel-Assignment-ID    No    Yes
Tunnel-Client-Auth-ID    Yes    Yes
Tunnel-Client-Endpoint    Yes    Yes
Tunnel-Medium-Type    Yes    Yes
Tunnel-Password    Yes    Yes
Tunnel-Preference    Yes    Yes
Tunnel-Private-Group-ID    Yes    Yes
Tunnel-Server-Auth-ID    Yes    Yes
Tunnel-Server-Endpoint    Yes    Yes
Tunnel-Type    Yes    Yes
General Attr
Session-Timeout This attribute sets the maximum number of seconds of service to be provided to the user before termination of the session or prompt. Idle-Timeout This attribute sets the maximum number of consecutive seconds of idle connection allowed to the user before termination of the session or prompt. Filter-ID This attribute indicates the name of the filter list for this user. Different attribute values may be used to add more than one Filter-ID reply item to an entry.
• Gandalf (proprietary SingleLink/MultiLink protocol) • Xylogics (proprietary IPX/SLIP) Framed-IP-Address This attribute indicates the IP address to be configured for the user. Framed-IPv6-Prefix This attribute indicates an IPv6 prefix to be configured for the user. Framed-Interface-Id This attribute indicates the IPv6 interface identifier to be configured for the user. Framed-IP-Netmask This attribute indicates the IP netmask to be configured for the user when the user is a router on a network.
will be used to establish the tunnel. When you use a tunneling attribute as a check item, you are controlling access to the tunnel server based on what the user is requesting. Tunnel-Type Indicates the tunneling protocol to use when establishing the tunnel.
Tunnel-Private-Group-ID A group identifier for a private session. Private groups may be used to associate a tunneled session with a particular group of users. For example, it may be used to facilitate routing of unregistered IP addresses through a particular interface. Tunnel-Assignment-ID This attribute indicates what tunnel will be used to provide an appropriate level of service for the user. Data transfer for users that share the same assignment will be multiplexed over a shared tunnel.
Configuration-Token The Configuration-Token Attribute is supported by the AAA Server as a reply item and is an implementation specific attribute that is based upon a lookup table configured outside of the AAA server. It is used in large distributed authentication networks and is sent from a RADIUS Proxy Server to a RADIUS Proxy Client in an Access-Accept message that indicates a type of user profile to be used.
• 12 (Tunnel-Link-Start) • 13 (Tunnel-Link-Stop) • 14 (Tunnel-Link-Reject) • 15 (Reserved for Failed) Acct-Delay-Time How many seconds the client has been trying to send this record, and can be subtracted from the time of arrival on the server to find the approximate time of the event generating this Accounting-Request. (Network transit time is ignored.) Acct-Input-Octets How many octets have been received from the port over the course of this service being provided.
Table 110 Session Termination Causes (continued)
Cause    Description
NAS Error
    NAS detected some error (other than on the port) which required ending the session.
NAS Request
    NAS ended the session for a non-error reason not otherwise listed here.
NAS Reboot
    The NAS ended the session in order to reboot.
Port Unneeded
    Client ended the session because resource usage fell below the low-water mark (for example, if a bandwidth-on-demand algorithm decided that the port was no longer needed).
NOTE: The Acct-Interim-Interval value field contains the number of seconds between each interim update to be sent from the NAS for a session. The value must not be smaller than 60 seconds or greater than 600. Careful consideration must be given to impact on network traffic. Event-Timestamp This attribute is included in an Accounting-Request packet to record the time that an event had stopped on the NAS, and is recorded in seconds since January 1, 1970 00:00 UTC.
35 MIB Objects
RFCs 2619, 2621, and 4672 describe the MIB objects for the HP-UX AAA Server. All of the RADIUS MIB objects that the server sends to the management workstation in response to SNMP requests are read-only, except radiusAuthServConfigReset and radiusAccServConfigReset.
Notes:
• When you check the server status, the server increases the radiusAuthServTotalAccessRequests count but does not increase radiusAuthServAccessRequests for any client.
Table 111 MIB Objects and Definitions (continued)
MIB Object    Definition
radiusAuthServTotalAccessAccepts
    Total number of successful authentications (Access-Accept messages sent).
radiusAccServTotalResponses
    Total number of accounting responses sent to clients.
radiusAuthServTotalAccessRejects
    Total number of failed authentications (Access-Reject messages sent).
radiusAuthServTotalAccessChallenges
    Total number of challenges sent to clients.

(continued)
    • radiusAuthServDupAccessRequests
    • radiusAuthServAccessAccepts
    • radiusAuthServAccessRejects
    • radiusAuthServAccessChallenges
    • radiusAuthServMalformedAccessRequests
    • radiusAuthServBadAuthenticators
    • radiusAuthServPacketsDropped
    • radiusAuthServUnknownTypes
radiusAuthClientIndex, radiusAccClientIndex
    A number that identifies a radiusAuthClientEntry or radiusAccClientEntry object that represents a client.

radiusAuthServPacketsDropped, radiusAccServPacketsDropped
    Number of incoming packets from the corresponding client entry that were silently discarded for some reason other than malformed, bad authenticators, or unknown types.
radiusAuthServUnknownTypes, radiusAccServUnknownTypes
    Number of unknown RADIUS messages received from the corresponding client.

(continued)
    • radiusDynAuthClientUnknownTypes
    • radiusDynAuthClientCounterDiscontinuity
radiusDynAuthServerIndex
    A unique number identifying the Dynamic Authorization Server (DAS).
radiusDynAuthServerAddressType
    The type of IP address of the DAS.
radiusDynAuthServerAddress
    IP address of the DAS.
radiusDynAuthServerClientPortNumber
    The UDP port that the AAA Server uses to send requests to the DAS.

radiusDynAuthClientDisconPacketsDropped, radiusDynAuthClientCoAPacketsDropped
    The number of incoming RADIUS Disconnect/CoA Ack and Disconnect/CoA Nak packets from this DAS that were dropped. This excludes packets that were malformed, had a bad authenticator, or were of an unknown type.
radiusDynAuthClientCounterDiscontinuity
    The time (in hundredths of a second) since the last counter discontinuity (AAA Server restart or re-initialization).
A Supported IETF RFCs Table 112 lists the key IETF RFCs the HP-UX AAA Server supports. See the IETF Website for more information on these RFCs at http://www.ietf.org.
Table 113 Additional IETF RFCs Supported by HP-UX AAA Server (continued) RFC # RFC Title 4187 EAP Method for 3rd Generation Authentication and Key Agreement (EAP-AKA) 4226 HOTP: An HMAC-Based One-Time Password Algorithm 4672 RADIUS Dynamic Authorization Client MIB 5176 Dynamic Authorization Extensions to Remote Authentication Dial In User Service (RADIUS) Table 114 lists the IETF AAA RFCs supported by HP-UX AAA Server.
B Supported Authentication Methods
The following list describes the authentication methods the HP-UX AAA Server supports:
Password Authentication Protocol (PAP)
This authentication method is most appropriately used where a plaintext password must be used to simulate a login at a remote host. In such use, this method provides a similar level of security to the usual user login at the remote host. Note that the password travels in the Access-Request protected only by the RADIUS User-Password hiding defined in RFC 2865 (an MD5 keystream derived from the client's shared secret and the Request Authenticator), so its confidentiality on the NAS-to-server path is no better than the shared secret.
• Protected EAP (PEAP): Functionally very similar to TTLS, but does not encapsulate legacy authentication methods. PEAP features include: Dynamic Key Exchange; Mutual Authentication; and, Encrypted Tunnelling. • Message Digest 5 (MD5): Passwords are hashed using the MD5 algorithm. Can be deployed for protecting access to LAN switches where the authentication traffic will not be transmitted over airwaves. Can also be safely deployed for wireless authentication inside EAP tunnel methods.
C RADIUS Data Packets The Access-Request and other RADIUS data packets contain a header and a set of attribute-value (A-V) pairs, which are used by the server during the AAA transaction. The RADIUS RFC 2865 defines how vendors can extend the protocol. Encapsulation is the RFC defined way of extending RADIUS. Conflicts can occur when the RFC is not followed. In those cases, the server can map the attributes to unique internal values for processing.
Figure 103 Attribute-Value Pair Format
Table 116 Attribute Value Pair Format Description
Data    Description
attribute    8-bit value-pair code, listed in the dictionary file
length    8-bit integer from 2-255
value    0 - 253 octet information item. (The data type of value is determined by the data type associated with the attribute code.)
As shown in Figure 103, the Access-Request contains a set of attribute-value pairs.
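The following parser, added as an example and not taken from the HP-UX AAA Server or its SDK, walks the header and the A-V pairs laid out in Table 116 and rejects the malformed cases (a length below 2, a length that overruns the packet, a Length field larger than the datagram) that the MIB counters in Chapter 35 count as malformed or dropped. It decodes Vendor-Specific (attribute 26) using the RFC 2865 sub-attribute form, which is an assumption for vendors that do not follow it; the sample packets, including the vendor 9 sub-attribute, are constructed, not captured.

```python
"""Parse a RADIUS datagram into its header and attribute-value pairs.

Added example, not HP-UX AAA Server code and no SDK call is used.  Layout per
RFC 2865: 20-octet header (Code, Identifier, Length, Authenticator), then
attributes of the form Type(1) Length(1) Value(0..253).  Vendor-Specific is
decoded assuming the RFC-recommended Vendor-Id + sub-attribute form."""
import struct
from dataclasses import dataclass
from typing import List, Tuple

HEADER_LEN = 20
MAX_PACKET = 4096
VENDOR_SPECIFIC = 26


class MalformedPacket(ValueError):
    """Anything a server would count as malformed or silently drop."""


@dataclass
class Avp:
    attr: int
    value: bytes
    vendor: int = 0   # 0 = standard attribute, otherwise the IANA enterprise number


def parse_avps(data: bytes, vendor: int = 0) -> List[Avp]:
    """Walk the TLV list, refusing lengths below 2 or past the end of the data."""
    avps: List[Avp] = []
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise MalformedPacket("attribute header truncated")
        attr, length = data[pos], data[pos + 1]
        if length < 2:
            raise MalformedPacket(f"attribute {attr}: length {length} below minimum of 2")
        if pos + length > len(data):
            raise MalformedPacket(f"attribute {attr}: length {length} overruns the packet")
        value = data[pos + 2:pos + length]
        if vendor == 0 and attr == VENDOR_SPECIFIC:
            # Value = Vendor-Id (4 octets, high octet 0) + encapsulated sub-attributes.
            if len(value) < 4 or value[0] != 0:
                raise MalformedPacket("Vendor-Specific without a valid Vendor-Id")
            vendor_id = struct.unpack("!I", value[:4])[0]
            avps.extend(parse_avps(value[4:], vendor=vendor_id))
        else:
            avps.append(Avp(attr, value, vendor))
        pos += length
    return avps


def parse_packet(raw: bytes) -> Tuple[int, int, bytes, List[Avp]]:
    """Return (code, identifier, authenticator, attributes) or raise MalformedPacket."""
    if len(raw) < HEADER_LEN:
        raise MalformedPacket("datagram shorter than the RADIUS header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length < HEADER_LEN or length > MAX_PACKET:
        raise MalformedPacket(f"Length field {length} outside {HEADER_LEN}..{MAX_PACKET}")
    if length > len(raw):
        raise MalformedPacket("Length field larger than the datagram")
    # Octets beyond Length are padding and are ignored, as RFC 2865 requires.
    return code, ident, raw[4:HEADER_LEN], parse_avps(raw[HEADER_LEN:length])


def is_malformed(raw: bytes) -> bool:
    try:
        parse_packet(raw)
    except MalformedPacket:
        return True
    return False


# --- constructed sample input (not captured traffic) -------------------------
def encode_avp(attr: int, value: bytes) -> bytes:
    if len(value) > 253:
        raise ValueError("value exceeds 253 octets")
    return bytes([attr, len(value) + 2]) + value


def build_packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs)) + authenticator + attrs


ZERO_AUTH = bytes(16)   # placeholder Request Authenticator; a real one is random
SAMPLE_REQUEST = build_packet(
    1, 7, ZERO_AUTH,
    encode_avp(1, b"fred")                                    # User-Name
    + encode_avp(5, struct.pack("!I", 3160))                  # NAS-Port
    + encode_avp(VENDOR_SPECIFIC, struct.pack("!I", 9)        # Vendor-Id 9 (Cisco)
                 + encode_avp(1, b"shell:priv-lvl=15")))      # Cisco-AVPair sub-attribute
# Same header, but the attribute claims Length 1: a server must drop this.
MALFORMED_REQUEST = build_packet(1, 8, ZERO_AUTH, bytes([1, 1, 0x66]))

if __name__ == "__main__":
    for avp in parse_packet(SAMPLE_REQUEST)[3]:
        print(avp)
    print("malformed:", is_malformed(MALFORMED_REQUEST))
```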
D Header Files, Data Structures, and APIs in the HP-UX AAA Server SDK
This appendix discusses the header files, data structures, and APIs that the HP-UX AAA Server SDK includes. It addresses the following topics:
• “Header Files and Data Structures in the SDK.”
• “APIs in the HP-UX AAA Server SDK” (page 430)
Header Files and Data Structures in the SDK
This section lists the header files and the predefined data structures that the SDK includes. The HP-UX AAA Server SDK includes the sdk.
void sdk_avp_free()
    void sdk_avp_free(sdk_avp_t *avp)
Usage    Frees the memory and any allocated string storage associated with an A-V pair. The string storage must not be shared with other objects.
Input
avp    A pointer to the A-V pair that must be freed.
int sdk_get_avp_info()
    int sdk_get_avp_info(sdk_avp_t *avp, uint32_t *vendid, uint32_t *attrid, uint32_t *attrlen, void **attrval, u_char *tag)
Usage    Obtains information from an A-V pair.
Input
avp    A pointer to an A-V pair.
attrid The attribute ID to be set or modified. attrlen The length of the attribute (in bytes) to be set or modified. attrval The attribute value to be set or modified. tag The tag for the tagged attribute. This value is 0 if the attribute is untagged.
Usage Discovers the next standard RADIUS A-V pair with the specified attribute ID, attribute length, attribute value, and the tag for a tagged attribute, after the specified position in the authreq’s A-V pair list of qtype. For example, if position points to one A-V pair in the list, this API starts searching from the next A-V pair after position. If position is NULL, this API searches from the beginning of the list. Input authreq A pointer to an authreq qtype The type of list to be accessed.
attrlen    The attribute length to be matched. If the attrlen value is 0, the attribute length and value are not considered in the match. For vendor-specific attributes, the attribute length (attrlen) is the vendor length.
attrvalue    The attribute value to be matched. If the attrvalue value is NULL, the attribute length and value are not considered in the match. For a vendor-specific attribute, the attribute value (attrvalue) is the sub-attribute value.
position    Pointer to an A-V pair already found in the list.
Table 117 Actions Performed as a Result of the loc_avp A-V Pair (continued)
Parameter Value    Action
The value of the loc_avp A-V pair is null and the value of the position parameter is INSERT_BEFORE.
    The new_avp A-V pair is prepended to the list.
The value of the loc_avp A-V pair is null and the value of the position parameter is INSERT_AFTER.
    The new_avp A-V pair is appended to the list.
Input
authreq    A pointer to an authreq
qtype    The type of list to insert the A-V pair into.
loc_avp
position
Table 118 Information Types (continued)
Information Type    Description
AUTHREQ_EXPIRE_TIME
    The time to live (in seconds) of an authentication request. The request is removed from the authentication request queue when the specified time elapses. The time to live has a type of unsigned character.
AUTHREQ_CLIENT_PORT
    The client UDP port where the request came from. The port has a type of unsigned short.
• Use LOG_CRIT for critical conditions
• Use LOG_ERR for error conditions
• Use LOG_WARNING for warning conditions
• Use LOG_NOTICE for normal but significant conditions
• Use LOG_INFO for informational conditions
NOTE: To use the above log levels, you must include syslog.h in your program.
format    A printf-style format string.
arg    Arguments to replace values in the format string. For more information, see the printf(3) manpage.
Return Returns one of the following values: 0 If the message is logged. 1 If the message is queued. -1 If the message is not logged or queued. Asynchronous Event and I/O APIs The HP-UX AAA Server maintains a global list of file descriptors and calls system functions, to monitor file descriptors for inbound messages.
Usage Adds an authentication request and an event to the AAA global authentication request list to schedule an event. Input authreq A pointer to an authentication request. aatv_name The name of the AATV supplied for processing the request. event_code The event code to resume processing the request from where it was left off on the FSM. Return Returns one of the following values: • SDK_SUCCESS if the operation succeeds. • SDK_INVALID_ARG if the arguments are invalid.
infotype The information type. It can be set to one of the following: • AUTHREQ_TTL — the time to live of an authentication request. The time to live has a type of unsigned character. • AUTHREQ_CODE — the message type or (code) of a request. The message type (code) has a type of unsigned short. • AUTHREQ_TARGET_HOST — the target host to which the request must be sent. It has a type of string. len The length of the value to be set in bytes. value A pointer pointing to the value to be set.
Returns one of the following values:
• SDK_SUCCESS if the operation succeeds.
• SDK_INVALID_ARG if the arguments are invalid.
• SDK_FAILURE if the operation fails.
int sdk_decrypt_passwd()
    int sdk_decrypt_passwd(sdk_authreq_t *authreq, char *enpasswd, uint32_t enpwlen, char *clpasswd, uint32_t *clpwlen)
Usage    Decrypts the password.
Input
authreq    A pointer to an authentication request.
enpasswd    A pointer to the encrypted password string.
enpwlen    Length of the encrypted password.
Usage    Allocates memory for a request.
Return    Returns a pointer to the allocated authreq structure, or NULL if there is not enough memory.
void sdk_authreq_free()
    void sdk_authreq_free(sdk_authreq_t *authreq)
Usage    Frees the memory allocated for a request.
Input
authreq    A pointer to an authreq.
int sdk_enqueue_authreq()
    int sdk_enqueue_authreq(sdk_authreq_t *authreq)
Usage    Enqueues the request to a request queue.
Input
authreq    A pointer to an authreq.
E Syntax of the Decision Files in Earlier Versions of the HP-UX AAA Server This appendix describes the syntax of the decision files that are present in earlier versions of the HP-UX AAA Server. While decision files created using this syntax are supported in this version of the HP-UX AAA Server, HP encourages customers to use the syntax described in Chapter 27 (page 301) to create new decision files.
Table 122 A-V Pair Expression Examples
Expression Example    Description
Calling-Station-Id = 123456789 || Called-Station-Id = 8005551212
    Allows access if either the calling number or the called number matches the specified value.
Day-Of-Week >= Monday && Day-Of-Week <= Friday
    Allows access if the day of the week is between Monday and Friday.
test or assign a substring of the specified Value attribute. Pos indicates the index position in the attribute's value to begin the substring and if specified Len determines the length. When used in the condition section of a group entry, indirection checks values. When used in the reply section, it assigns a value. For example, in an expression Port-Id <= $Port-Limit would only allow access to users who access the server through ports that don't exceed the limit set in their profile.
25     }
26 }
Line 1    Names the first group entry Controlled-Access.
Lines 2 to 5    If the user calls from 1234567890, or calls into 8005551212, the user belongs to this group.
Lines 7 to 9    The Authentication-Type attribute indicates that requests from members of this group must be proxied.
Line 10    The Server-Name and Server-Port attributes specify flatland.com:1812 as the remote server that must receive the proxied request.
Line 13
Lines 14 to 16
Line 18
Line 19
Line 22
Line 24
17         Decision = ACK
18         Reply-Message = "Daytime access allowed"
19     }
20 }
21 Group Nighttime-Access {
22     Condition {
23         (Access-Group = nighttime) &&
24         ((Time-Of-Day < 06:00) || (Time-Of-Day > 20:00))
25     }
26     Reply {
27         Decision = ACK
28         Reply-Message = "Nighttime access allowed"
29     }
30 }
31 Group Denied-by-timed-access {
32     Reply {
33         Decision = NAK
34         Reply-Message = "Time-Based access denied"
35     }
36 }
Line 1    Names the first group entr
Lines 2 to 5
Line 7
Line 8
Lines 11 to 30
Line 31
Line 33
Line 34
Glossary of Terms A-B A-V Pair Attribute-value pair. AAA Abbreviation for Authentication, Authorization, and Accounting. AAA Server A software application that performs authentication, authorization, and accounting functions. Access-Accept AAA Server returns an Access-Accept to the client when an Access-Request is valid. The Access-Accept will contain A-V pairs that specify what services the authenticated user is authorized to use.
DHCP (Dynamic Host Configuration Protocol) Protocol that automatically and dynamically assigns IP addresses. Dialed Number Identification Service Each request is authenticated locally or forwarded to a remote server according to the number called to access a network service. DNIS Dialed Number Identification Service. Dynamic Authorization A capability of the HP-UX AAA Server that enables RADIUS-server initiated requests to be sent to the authenticator. E-F-G EAP Extensible Authentication Protocol.
IPv6 IPv6 is the new version of the Internet Protocol (IP) that builds on the current version of IP (IPv4). IPv6 provides improvements in addressing, configuration, and security. IRTF Internet Research Task Force. ISDN Integrated Services Digital Network. ISP Internet service provider. L-M-N LAS Local Authorization Server. LDAP Lightweight Directory Access Protocol.
Proxy The mechanism that allows one system to mediate between two other systems in response to protocol requests. A RADIUS server can act as a proxy client and forward an Access-Request to another AAA server for authentication. As a proxy client, the server would mediate the requests and replies between the client where the Access-Request originated from and the server that the request was forwarded to. R-S RADIUS Remote Access Dial In User Service.
SQL Access A feature that allows AAA Server to interact with an SQL compliant database. T-U-V-W-X-Y-Z TLS (Transport Layer Security) Uses TLS (also known as SSL) to authenticate the client using its digital certificate. Note: some wireless supplicants require specific extensions to support certificates for EAP. TLS features include: Dynamic Key Exchange; Mutual Authentication; Digital Certificate/Token Card-based Authentication; and, Encrypted Tunnelling. Token See Simultaneous Access Token.