HP-UX AAA Server A.08.02.10 Administrator's Guide HP-UX 11i v3 (T1428-90093, November 2013)
work_phone
mobile_phone
Sample Policy Files
This section describes the sample policy files that are used for configuring OTP authentication. This
section addresses the following topics:
• “The oath-request-ingress.grp Sample File.”
• “The oath-reply-egress.grp Sample File” (page 159)
• “The oath-proxy-egress.grp Sample File” (page 160)
The oath-request-ingress.grp Sample File
The oath-request-ingress.grp file is the primary sample reference implementation file for
configuring OTP authentication. You can configure OTP authentication-related actions by setting
the bitmask in the Otp-ActionId attribute, and configuring the OTP-specific attributes listed in
“Attributes for Configuring OTP Authentication” (page 138).
To configure OTP authentication at the realm level, insert the Otp-ActionId value and the realm
name as follows:
if (( count (User-Name) > 0 ) && (substr (User-Name after "@") = "<realm>"))
{
    #
    # Add Otp-ActionId attribute if it is not present in the authreq
    #
    if (count (Otp-ActionId) = 0)
    {
        insert Otp-ActionId = <decimal representation of bit mask value>
    }
    exit "ACK"
}
For more information on the OTP authentication actions and the bit masks to be set, see “Advanced
OTP Authentication Configuration Concepts” (page 135).
The oath-reply-egress.grp Sample File
The oath-reply-egress.grp sample file is the reference implementation policy file that increments
the sequence counter required to complete OATH standards-based One Time Password (OTP)
authentication. It also updates the user authentication count and the token status.
The following condition checks the value of the Interlink-Proxy-Action attribute and skips the
counter and token status updates if the value is anything other than ACK or NAK. For example, for
ACCT_START, ACCT_STOP, and ACC_CHAL events, the sequence counter is not updated:
if ( (count(Interlink-Proxy-Action) > 0) && ( (Interlink-Proxy-Action = "ACCT")
     || (Interlink-Proxy-Action = "LAS_ACCT") ) )
{
    exit "ACK"
}
If authentication succeeds for the OTP-configured realm, the following sample sets the SQL
action to update the sequence counter and the successful authentication count. If authentication
fails, it sets the SQL action to update the failed authentication count and the failed lock counter,
which in turn updates the token status.
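The ingress and egress policy logic described in this section, as an added Python model (not the AAA server's policy language and not part of the guide). The per-realm bitmask values, the Result attribute, the lock threshold and the SQL action names are constructed placeholders; the real bitmask values are documented in "Advanced OTP Authentication Configuration Concepts".

```python
# Constructed per-realm Otp-ActionId bitmasks (placeholders, not real values).
REALM_OTP_ACTION = {"example.com": 5, "corp.test": 3}


def realm_of(user_name):
    """Model of substr(User-Name after "@"): text after the first '@', else None."""
    if user_name is None or "@" not in user_name:
        return None
    return user_name.split("@", 1)[1]


def ingress_policy(authreq):
    """Model of oath-request-ingress.grp: for a configured realm, insert
    Otp-ActionId only when it is absent (count(Otp-ActionId) = 0), then ACK.
    Returns (action, updated authreq); unmatched realms fall through."""
    req = dict(authreq)
    realm = realm_of(req.get("User-Name"))
    if realm in REALM_OTP_ACTION:
        if "Otp-ActionId" not in req:
            req["Otp-ActionId"] = REALM_OTP_ACTION[realm]
        return "ACK", req
    return "CONTINUE", req


def egress_policy(reply, counters):
    """Model of oath-reply-egress.grp: accounting proxy actions (ACCT,
    LAS_ACCT) leave every counter untouched; ACK advances the OATH sequence
    counter and success count, NAK advances the failure and lock counters and
    marks the token LOCKED once the (constructed) threshold is reached.
    Returns the SQL action chosen (placeholder names)."""
    if reply.get("Interlink-Proxy-Action") in ("ACCT", "LAS_ACCT"):
        return "NONE"
    result = reply.get("Result")  # assumed attribute carrying ACK/NAK
    if result == "ACK":
        counters["sequence"] += 1
        counters["auth_success"] += 1
        return "UPDATE_SEQUENCE_AND_SUCCESS"
    if result == "NAK":
        counters["auth_fail"] += 1
        counters["fail_lock"] += 1
        if counters["fail_lock"] >= counters["lock_threshold"]:
            counters["token_status"] = "LOCKED"
        return "UPDATE_FAIL_AND_LOCK"
    return "NONE"
```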
Replace <realm> with the realm name that is configured in the request-ingress.grp.oath
file as follows:
Configuring OTP Authentication on the HP-UX AAA Server 159