HP-UX AAA Server A.08.02.10 Administrator's Guide HP-UX 11i v3 (T1428-90093, November 2013)

IMPORTANT: Configuration files have a maximum input line length of 255 characters. No
checking is done to ensure that a configuration statement has not exceeded this limit.
Syntax of a Client Entry
Name:authport:acctport:dynport Shared-Secret Type=vendor:{NAS|PROXY}options Version Prefix
An IPv4 example of a client that is a NAS:
192.0.2.0 secret type=Ascend+USR:NAS+RAD_RFC+ACCT_RFC v1
An IPv4 example of a client that is a proxy:
192.0.2.0:3400 secret type=Ascend+USR:PROXY+RAD_RFC+ACCT_RFC v1
An IPv6 example of a client that is a NAS:
fedc:ba98:7654:3210 secret type=Ascend+USR:NAS+RAD_RFC+ACCT_RFC v1
An IPv6 example of a client that is a proxy:
[fedc:ba98:7654:3210]:3400 secret type=Ascend+USR:PROXY+RAD_RFC+ACCT_RFC v1
NOTE: In case of a Proxy, if the Name field is an IPv6 literal address then you must separate the
address from the port by enclosing the address in square brackets.
A DNS name example of a client that is a NAS:
danish secret type=Ascend+USR:NAS+RAD_RFC+ACCT_RFC v1
A DNS name example of a client that is a proxy:
danish:3400 secret type=Ascend+USR:PROXY+RAD_RFC+ACCT_RFC v1
Prefixed Users and authfile
In the clients file, it is possible to specify a prefix for a client. When an Access-Request is
matched to a client, the AAA server will search for the user's profile in the prefix.users file.
Likewise, if the user profile indicates the Realm authentication type, the server will search for an
entry that matches the user's realm in the prefix.authfile file.
Wildcard Support for IPv4 and IPv6
To allow access from any IP address or from any IP address of a particular subnet, specify a
wildcard pattern in the etc/opt/aaa/clients file. Wildcard IP addresses are specified by
using the high order components followed by the asterisk wildcard. Following are some examples
of valid IPv4 wildcard patterns:
*
192.*
192.0.*
192.0.2.*
Following are some examples of invalid IPv4 wildcard patterns:
*.0
192.0*
To allow access from any IPv6 address or from a group of IPv6 addresses, specify an IPv6 wildcard
pattern. The allowed IPv6 wildcard patterns are constructed by appending an ‘*’ to a partial IPv6
address or by specifying a single ‘*’. Following are some examples of valid IPv6 wildcard patterns:
*
fedc:ba98:7654:3210:fe*
fedc:ba98:7654:3210*
The special IPv6 syntax of compressing zeroes using "::" is not allowed in IPv6 wildcard patterns.
The following example is incorrect:
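As an added example (not part of the HP guide or the AAA server), the Python sketch below lints clients-file text against the rules stated in this section: the 255-character line limit, which the server does not check, and the IPv4/IPv6 wildcard forms. It assumes that wildcard names carry no port suffix, that a line starting with # is a comment, and that an IPv6 wildcard contains at least one ':'; the function names and sample entries are constructed for illustration.

```python
import re

MAX_LINE = 255  # limit stated in the guide; the server does not check it
# IPv4: one to three whole octets, each followed by '.', then '*'.
V4_WILD = re.compile(r"(\d{1,3}\.){1,3}\*")
# IPv6: hex groups separated by single ':', optional partial group, then '*'.
# Assumption: at least one ':' is required so that "192*" is not read as IPv6.
V6_WILD = re.compile(r"([0-9A-Fa-f]{1,4}:){1,7}[0-9A-Fa-f]{0,4}\*")

def check_wildcard(name):
    """Return 'any', 'ipv4', 'ipv6' or 'invalid' for a Name field containing '*'."""
    if name == "*":
        return "any"
    if "::" in name:  # zero compression is not allowed in wildcard patterns
        return "invalid"
    if V4_WILD.fullmatch(name):
        return "ipv4" if all(int(o) <= 255 for o in name.split(".")[:-1]) else "invalid"
    if V6_WILD.fullmatch(name):
        return "ipv6"
    return "invalid"

def lint_clients(text):
    """Return (line_number, message) findings for the text of a clients file."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if len(line) > MAX_LINE:
            findings.append((n, "line longer than 255 characters"))
        fields = line.split()
        # Assumption: blank lines and lines starting with '#' are not entries.
        if not fields or fields[0].startswith("#") or "*" not in fields[0]:
            continue
        kind = check_wildcard(fields[0])
        if kind == "invalid":
            findings.append((n, "invalid wildcard pattern: " + fields[0]))
        elif kind == "any":
            findings.append((n, "'*' accepts requests from any address"))
    return findings

# Constructed sample input (not from a real deployment).
SAMPLE = """\
192.0.2.* secret type=Ascend+USR:NAS+RAD_RFC+ACCT_RFC v1
192.0* secret type=Ascend+USR:NAS+RAD_RFC+ACCT_RFC v1
fedc:ba98:7654:3210:fe* secret type=Ascend+USR:NAS+RAD_RFC+ACCT_RFC v1
fedc::* secret type=Ascend+USR:NAS+RAD_RFC+ACCT_RFC v1
* secret type=Ascend+USR:NAS+RAD_RFC+ACCT_RFC v1
"""

for lineno, msg in lint_clients(SAMPLE):
    print(f"line {lineno}: {msg}")
```

Running such a check before deploying a clients file surfaces patterns the server would not match as intended, and makes any bare * entry, which admits every source address that knows the shared secret, visible for review.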