HP-UX AAA Server A.08.02.10 Administrator's Guide HP-UX 11i v3 (T1428-90093, November 2013)

ManualsBrandsHP ManualsSoftwareHP-UX AAA Server (RADIUS) Software

381

382

383

384

385

386

387

388

389

390

Traditional IP (IPv4) address: ourhostname=192.0.2.0

IPv6 Address: ourhostname=fedc:ba98:7654:3210:fedc:ba98:7654:3210

CAUTION: If you configure an IPv6 address in the ourhostname variable, then traditional IP

(IPv4) hosts will not be able to send or receive messages. Similarly, if you configure an IPv4 address

here, then IPv6 hosts will not be able to send or receive messages. If you configure a DNS name,

then the first address returned by the DNS server is used.

The packet_log Variable

This variable controls checks to match a current request with an original request, which can occur

when logging certain attributes in a request log (NAS-Identifier, NAS-Port, User-Name, and so on).

This check can cause an abort and core-dump if the +abort option is given. This check is useful

for tracking situations where a remote RADIUS server is responding with incorrect values. In addition,

it can also be used to investigate if an AATV is corrupting the current request. Following is the

syntax for the packet_log variable:

packet_log=default

packet_log=clear (or none)

packet_log=+abort

packet_log=+both (or +comp)

packet_log=+current (or +cur)

packet_log=+original (or +orig)

packet_log=-abort

packet_log=-both (or -comp)

packet_log=-current (or -cur)

packet_log=-original (or -orig)

The value of defserver connection means to report only from the original request. The value of

+abort means to abort and core-dump if there is a mismatch.

The radius_log_fmt Variable

This variable overrides the logfile format string used.

The reply_check Variable

This variable specifies which attributes to check on a reply from a forwarded request to ensure that

they are the same as the forwarded request. Besides specifying which attributes to check, you can

specify the action to take when a mismatch occurs. Listed below are the actions you can choose

to take:

• Ignore the reply

• Ignore the mismatch

• Abort and core dump

Useful attributes to check are NAS-Identifier, Acct-Session-Id, Class, User-Name. For example:

reply_check=first

reply_check=all

reply_check=+abort

reply_check=+dump

reply_check=+ignore

reply_check=+verbose

reply_check=clear

reply_check=none

reply_check=Attribute

The value of first (default) means to check only the first match. The value of all means to check

all the attributes for matches. The value of +abort means to abort and coredump if a check fails.

The value of +dump means to dump the offending packet (in hexadecimal). You can specify a

specific attribute to check with the syntax reply_check=Attribute.

386 Configuration Files