HP-UX AAA Server A.08.02.10 Administrator's Guide HP-UX 11i v3 (T1428-90093, November 2013)
Table 47 The aaa.config Configuration Block Parameters for Fast Re-authentication (continued)
Parameter      Description
(continued)    If the value is zero, no new fast reauth identities are added to the cache, but the existing non-expired entries are used. This value is intended to phase out fast reauth support following a HUP. If not explicitly configured, the default value is 500,000.
Sample aaa.config Configuration for Fast Re-authentication
#################################################################
### Add the following in /etc/opt/aaa/aaa.config
#################################################################
aatv.SIMAKA
{
    # Configure other global parameters, if required
    .
    .
    Maximum-Fast-Reauth-Cache-Size 4096
}
Guidelines to Write EAP-SIM and EAP-AKA Fast Re-Authentication Database AATVs
This section describes the EAP-SIM and EAP-AKA requirements that the Fast Re-authentication
Database AATVs must meet in addition to the basic AATV requirements. For information on AATV
writing, compiling, installing, and debugging, see Chapter 28 (page 329).
You can configure EAP-SIM and EAP-AKA to support the fast re-authentication procedure by saving
the last full authentication, including attributes such as the Master Key and Counter. The saved
full authentication is used for the subsequent fast re-authentication. You can save the full
authentication attributes in internal tables included in the HP-UX AAA Server, or in an external
database using SQL Access, and retrieve them when required. If you save the attributes in
an external database, the database record must include the following attributes:
• Real-Username
• Real-Realm
• Fast-Reauth-Username
• FullAuth-Master-Key
• Fast-Reauth-Counter
• Fast-Reauth-Expiration-Time
These attributes are described as follows:
The AATV that retrieves the mapping information can check whether the retrieved information
has expired. If the mapping retrieval AATV checks for expiration, the retrieved
Fast-Reauth-Expiration-Time attribute need not be placed on the authreq. If the mapping
retrieval AATV does not check for expiration, the Fast-Reauth-Expiration-Time attribute
must be placed on the authreq; in that case the EAP-SIM or EAP-AKA AATV that handles
the result of the lookup checks for expiration.
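The record layout, the cache-size rule from Table 47 and the two places the expiration check can live, as an added in-memory model (not HP-UX AAA Server code and not its AATV API; every name, the 64-byte Master Key length and the 8-slot capacity are assumptions):

```c
/* Added illustration, not HP-UX AAA Server code: an in-memory model of the
 * fast re-authentication record and of two rules stated above: a cache size
 * of 0 serves existing entries but admits none, and expiration is checked by
 * the lookup AATV or else by the EAP AATV. All names here are hypothetical. */
#include <string.h>
#include <time.h>
#define MK_LEN 64        /* constructed Master Key length in bytes */
#define CACHE_SLOTS 8    /* physical capacity of this toy cache */
typedef struct {
    char real_username[64], real_realm[64], fast_reauth_username[64];
    unsigned char fullauth_master_key[MK_LEN];
    unsigned int fast_reauth_counter;
    time_t fast_reauth_expiration_time;   /* absolute time in seconds */
    int in_use;
} reauth_record_t;
static reauth_record_t cache[CACHE_SLOTS];
static unsigned int max_cache_size = 4096;  /* Maximum-Fast-Reauth-Cache-Size */
/* Apply a (re)configured limit, as after a HUP; existing entries stay. */
void reauth_cache_configure(unsigned int limit) { max_cache_size = limit; }
/* Expiration test, used by the EAP-SIM/EAP-AKA AATV when the lookup AATV
 * leaves Fast-Reauth-Expiration-Time on the record instead of checking it. */
int reauth_record_usable(const reauth_record_t *rec, time_t now) {
    return rec->fast_reauth_expiration_time > now;
}
/* Store a record after a full authentication: 1 if stored, 0 if refused
 * because the limit is reached (a limit of 0 refuses every new entry). */
int reauth_cache_add(const reauth_record_t *rec) {
    unsigned int n = 0, limit = max_cache_size < CACHE_SLOTS ? max_cache_size : CACHE_SLOTS;
    for (int i = 0; i < CACHE_SLOTS; i++) n += cache[i].in_use ? 1 : 0;
    if (n >= limit) return 0;
    for (int i = 0; i < CACHE_SLOTS; i++)
        if (!cache[i].in_use) { cache[i] = *rec; cache[i].in_use = 1; return 1; }
    return 0;
}
/* Lookup by Fast-Reauth-Username. With check_expiry set, this lookup AATV
 * enforces expiration itself and purges stale entries; with it clear, the
 * record goes back untouched for the EAP AATV to judge. Returns 1 on a hit. */
int reauth_cache_lookup(const char *fast_id, time_t now, int check_expiry,
                        reauth_record_t *out) {
    for (int i = 0; i < CACHE_SLOTS; i++) {
        if (!cache[i].in_use || strcmp(cache[i].fast_reauth_username, fast_id)) continue;
        if (check_expiry && !reauth_record_usable(&cache[i], now)) {
            cache[i].in_use = 0;   /* expired: drop it and force a full authentication */
            return 0;
        }
        *out = cache[i]; return 1;
    }
    return 0;
}
```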
There are two AATVs involved in fast re-authentication handling. One AATV performs the update
and the other performs the lookup. This section describes the following AATVs:
• “Fast Re-Authentication Database Update AATV” (page 183)
• “Fast Re-Authentication Database Lookup AATV” (page 184)
182 Configuring EAP-SIM and EAP-AKA Authentication Methods