HP-UX AAA Server A.08.02.10 Administrator's Guide HP-UX 11i v3 (T1428-90093, November 2013)

ManualsBrandsHP ManualsSoftwareHP-UX AAA Server (RADIUS) Software

141

142

143

144

145

146

147

148

149

150

4. If not appended, append the contents of the sample OTP reference implementation policy files

(located in /opt/aaa/examples/config) to the default policy files (located in /etc/opt/

aaa) using the following commands:

# cat /opt/aaa/examples/config/oath-request-ingress.grp >> /etc/opt/aaa/request-ingress.grp

# cat /opt/aaa/examples/config/oath-reply-egress.grp >> /etc/opt/aaa/reply-egress.grp

5. In the /etc/opt/aaa/request-ingress.grp file, replace the <realm> variable and

configure the Otp-ActionId attribute according to the following rules:

Then …

If you have

configured...

For RADIUS Standard Password, replace the <realm> variable in the following syntax with the

realm name configured in Step 1:

if ((count (User-Name) > 0) && (substr (User-Name after "@") = "<realm>"))

{

The realm for

RADIUS

standard

password or

MS-CHAP v2

authentication

insert Otp-ActionId = 112

exit "ACK"

}

For MS-CHAP v2, replace the <realm> variable in the following syntax with the realm name

configured in Step 1:

if ((count (User-Name) > 0) && (substr (User-Name after "@") = "<realm>"))

{

insert Otp-ActionId = 48

exit "ACK"

}

Replace the <realm> variable in the following syntax with the inner realm name configured in

Step 1:

if ((count (User-Name) > 0) && (substr (User-Name after "@") = "<realm>"))

{

Tunneled

realms with

different inner

and outer

realms for

insert Otp-ActionId = 112

exit "ACK"

}

EAP

authentication

Tunneled

realms with

1. Delete the following (default) condition in the request-ingress.grp file:

if ((count (User-Name) > 0) && (substr (User-Name after "@") = "<realm>"))

{

same inner

and outer

insert Otp-ActionId = 112

exit "ACK"

}

realms for

EAP

authentication

2. Based on the EAP authentication method you have configured, add one of the following

conditions in the /etc/opt/aaa/request-ingress.grp file, and replace the <realm>

variable with the inner realm name configured in step 1:

• If you have configured the realm for PEAP (EAP-GTC), add the following condition:

if ((count (User-Realm) > 0) && (User-Realm = "<realm>/peap"))

{

insert Otp-ActionId = 112

exit "ACK"

}

• If you have configured the realm for PEAP (EAP-MS-CHAP v2), add the following condition:

if ((count (User-Realm) > 0) && (User-Realm = "<realm>/peap"))

{

insert Otp-ActionId = 48

exit "ACK"

}

• If you have configured the realm for TTLS (PAP), add the following condition:

if ((count (User-Realm) > 0) && (User-Realm = "<realm>/ttls"))

{

insert Otp-ActionId = 112

exit "ACK"

}

• If you have configured the realm for TTLS (MS-CHAP v2), add the following condition:

if ((count (User-Realm) > 0) && (User-Realm = "<realm>/ttls"))

{

148 OATH Standards-Based OTP Authentication