The information in this document is subject to change without notice. Hewlett-Packard makes
no warranty of any kind with regard to this manual, including, but not limited to, the implied
warranties of merchantability and fitness for a particular purpose. Hewlett-Packard shall not
be held liable for errors contained herein or direct, indirect, special, incidental or
consequential damages in connection with the furnishing, performance, or use of this
material.
Warranty. A copy of the specific warranty terms applicable to your Hewlett-Packard product
and replacement parts can be obtained from your local Sales and Service Office.
Restricted Rights Legend. Use, duplication or disclosure by the U.S. Government is subject
to restrictions as set forth in subparagraph (c) (1) (ii) of the Rights in Technical Data and
Computer Software clause at DFARS 252.227-7013 for DOD agencies, and subparagraphs (c)
(1) and (c) (2) of the Commercial Computer Software Restricted Rights clause at FAR
52.227-19 for other agencies.
HEWLETT-PACKARD COMPANY
3000 Hanover Street
Palo Alto, California 94304 U.S.A.
Use of this manual and flexible disk(s) or tape cartridge(s) supplied for this pack is restricted
to this product only.
Trademark Notices. UNIX is a registered trademark of The Open Group. Internet Explorer
is a registered trademark of Microsoft Corporation. Netscape Navigator is a registered
trademark of Time Warner, Inc. MC/ServiceGuard® is a registered trademark of
Hewlett-Packard Company. ProLDAP™ is a trademark of Interlink Networks, Inc.
OpenLDAP is a registered trademark of the OpenLDAP Foundation.
© 2004 Interlink Networks, Inc. All Rights Reserved. This document is copyrighted by
Interlink Networks Incorporated (Interlink Networks). The information contained within this
document is subject to change without notice. Interlink Networks does not guarantee the
accuracy of the information.
Interlink Networks, Inc.
5405 Data Court, Suite 300
Ann Arbor, MI 48108
www.interlinknetworks.com
This document provides an overview of the HP-UX AAA Server and explains how to install
and start the product. The document also provides steps to basic configuration tasks for
beginning users. Refer to the HP-UX AAA Server Administrator’s Guide for complete HP-UX
AAA Server documentation.
The document printing date and part number indicate the document’s current edition. The
printing date and part number will change when a new edition is printed. Minor changes may
be made at reprint without changing the printing date. The document part number will
change when extensive changes are made.
Document updates may be issued between editions to correct errors or document product
changes. To ensure that you receive the updated or new editions, you should subscribe to the
appropriate product support service. See your HP sales representative for details.
The latest version of this document can be found at http://docs.hp.com on the Internet and
Security Solutions page.
Intended Audience
This Getting Started Guide is designed for first-time and beginning users of the HP-UX AAA
Server. The objective of this guide is to allow you to quickly familiarize yourself with the basic
functions of the product. Users should be familiar with the HP-UX operating system before
using this guide.
New and Changed Documentation in This Edition
• Removed the various requirements, including installing and operating requirements, for
each specific 6.1.x version of the HP-UX AAA Server. Refer to the HP-UX AAA Server
Release Notes for the requirements of each version of the product.
Publishing History
The following table shows the printing history of this document. The first entry in the table
corresponds to this document, while previous releases are listed in descending order.
• Chapter 1, Introduction to AAA Server, contains an overview of product features and
basic information about using the server.
• Chapter 2, Installing and Starting the HP-UX AAA Server, leads you through server
installation, testing the installation, and starting the Server Manager GUI.
• Chapter 3, Basic Configuration Tasks, contains procedures that lead you through basic
configuration and testing tasks.
Typographical Conventions
monospace    Identifies files, daemons, or any other item that may appear on screen
italics      Identifies titles of books, chapters, or sections
Document Advisories
Different types of notes appear in the text to call your attention to
information of special importance. They are enclosed in ruling lines with a header that
indicates the type of note and its urgency.
NOTE         Emphasizes or supplements parts of the text. You can disregard the
             information in a note and still complete a task.
IMPORTANT    Provides information that is essential to completing a task.
CAUTION      Describes an action that must be avoided or followed to prevent a loss of data.
Related Documents
In addition to this Getting Started Guide, HP released the following documents to support the
HP-UX AAA Server A.06.01.x:
• HP-UX AAA Server A.06.01 Administrator’s Guide
• HP-UX AAA Server A.06.01.02 Release Notes
• HP-UX AAA Server A.06.01.02.04 Release Notes
• HP-UX AAA Server A.06.01.02.06 Release Notes
• HP-UX AAA Server A.06.01.02.07 Release Notes
• HP-UX AAA Server A.06.01.05 Release Notes
The Administrator’s Guide and the Getting Started Guide are installed with the product at
/opt/aaa/share/doc/. You can also find these documents in the Server Manager’s Help
menu. The most recently released documentation for the HP-UX AAA Server is always
available at http://www.docs.hp.com on the Internet and Security Solutions page.
HP Encourages Your Comments
HP encourages your comments concerning this document. We are truly committed to
providing documentation that meets your needs.
Please send comments to: netinfo_feedback@cup.hp.com
Please include document title, manufacturing part number, and any comment, error found, or
suggestion for improvement you have concerning this document. Also, please include what we
did right so we can incorporate it into other documents.
1  Introduction to AAA Server
This chapter contains an overview of product features and basic information about using the
HP-UX AAA Server.
RADIUS Overview
The Remote Authentication Dial In User Service (RADIUS) protocol is widely used and
implemented to manage access to network services. It defines a standard for information
exchange between a Network Access Server (NAS) and an authentication, authorization, and
accounting (AAA) server for performing authentication, authorization, and accounting
operations. A RADIUS AAA server can manage user profiles for authentication (verifying user
name and password), configuration information that specifies the type of service to deliver,
and policies to enforce that may restrict user access.
RADIUS Topology
The RADIUS protocol follows a client-server architecture. The client sends user information to
the RADIUS AAA server (in an Access-Request message) and, after receiving a reply from the
server, acts according to the returned information. The RADIUS AAA server receives user
requests for access from the client, attempts to authenticate the user, and returns the
configuration information and policies to the client. The RADIUS AAA server may be
configured to authenticate an Access-Request locally or to act as a proxy client and forward a
request to another AAA server. After forwarding a request, it handles the message exchanges
between the NAS and the remote server. A single server can be configured to handle some
requests locally and to forward proxy requests to remote servers.
In Figure 1-1 on page 3, an example ISP uses four AAA servers to handle user requests. Each
user organization represents a logical grouping of users (defined as a realm). Each user
organization dials in to one of the ISP’s servers through an assigned NAS, some of which are
shared by the same groups or realms. To provide appropriate service to a customer, the server
accesses user and policy information from a repository, which may be integrated with the
server, may be an external application, or may be a database that interfaces with the server.
For the HP-UX AAA RADIUS and policy server, the repository information may be stored in
flat text files or in an external database, such as an Oracle® database or LDAP directory server.
Figure 1-1  Generic AAA Network Topology
[Figure: the example ISP runs four AAA servers, AAA1.ISP.net (Ann Arbor), AAA2.ISP.net (Flint), AAA3.ISP.net (Kalamazoo) and AAA4.ISP.net (Detroit), each with its own repository. User organizations A through F dial in to NAS1 through NAS4; AAA servers and NASs exchange requests and replies, and a forwarding server sends proxied Access-Requests to a remote server.]
Establishing a RADIUS Session
The handling of a user request is a series of message exchanges that attempts to provide the
user with a network service by establishing a session for the user. This transaction can be
described as a series of actions that exchange data packets containing information related to
the request. Figure 1-2, Client-Server RADIUS Transaction, illustrates the details of the
transaction between a RADIUS AAA server and a client (a NAS in this example). When the
user’s workstation connects to the client, the client sends an Access-Request RADIUS data
packet to the AAA server.
Figure 1-2  Client-Server RADIUS Transaction
[Figure: the user connects to the client (NAS); the NAS sends an Access-Request to the AAA server. The server answers with an Access-Reject, after which the user disconnects, or with an Access-Accept, after which the NAS sends an Accounting-Request (Start), the session starts and the server returns an Accounting-Response. When the NAS sends an Accounting-Request (Stop), the session ends, the server returns an Accounting-Response and the user is disconnected.]
When the server receives the request, it validates the sending client. If the client is permitted
to send requests to the server, the server will then take information from the Access-Request
and attempt to match the request to a user profile. The profile will contain a list of
requirements that must be met to successfully authenticate the user. Authentication usually
includes verification of a password, but can also specify other information, such as the port
number of the client or the service type that has been requested, that must be verified.
If all conditions are met, the server will send an Access-Accept packet to the client; otherwise,
the server will send an Access-Reject. An Access-Accept data packet often includes
authorization information that specifies what services the user can access and other session
information, such as a timeout value that will indicate when the user should be disconnected
from the system.
When the client receives an Access-Accept packet, it will generate an Accounting-Request to
start the session and send the request to the server. The Accounting-Request data packet
describes the type of service being delivered and the user that will use the service. The server
will respond with an Accounting-Response to acknowledge that the request was successfully
received and recorded. The user’s session will end when the client generates an
Accounting-Request—triggered by the user, by the client, or an interruption in service—to
stop the session. Again, the server will acknowledge the Accounting-Request with an
Accounting-Response.
Supported Authentication Methods
The following list describes the authentication methods the HP-UX AAA Server supports:
Password Authentication Protocol (PAP)
Not a strong authentication method for establishing a connection; passwords are sent in clear
text between the user and client. When used with RADIUS for authentication, the messages
exchanged between the client and server to establish a PPP connection correspond to
Figure 1-2. This authentication method is most appropriately used where a plaintext
password must be available to simulate a login at a remote host. In such use, this method
provides a similar level of security to the usual user login at the remote host.
Challenge Handshake Authentication Protocol (CHAP)
A stronger authentication protocol for establishing a connection. When used with RADIUS for
authentication, the messages exchanged between the client and server to establish a PPP
connection are similar to Figure 1-2. One difference, however, is that a challenge occurs
between the user and NAS before the NAS sends an Access-Request. The user must respond
by encrypting the challenge (usually a random number) and returning the result. Authorized
users are equipped with special devices, like smart cards or software, which can calculate the
correct response. The NAS then forwards the challenge and the response in the
Access-Request, which the AAA server uses to authenticate the user.
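As an added example (not from this guide or the HP-UX AAA Server code), the CHAP computation on both sides in Python: the response the user's device returns, the CHAP-Password and CHAP-Challenge attributes the NAS forwards in the Access-Request, and the server's check against the password stored in the user profile. Attribute type numbers follow RFC 2865; the Ident, password and challenge values are constructed.

```python
# Added example; not code from the HP-UX AAA Server guide or product. Shows how a
# RADIUS server checks the CHAP challenge/response a NAS forwards in an Access-Request
# (RFC 1994 response, carried as in RFC 2865 5.3). Ident, password and challenge are constructed.
import hashlib
import hmac

CHAP_PASSWORD, CHAP_CHALLENGE = 3, 60  # RADIUS attribute types

def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """What the user's device computes: MD5(CHAP Ident || password || challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()

def nas_attributes(ident: int, password: bytes, challenge: bytes) -> dict:
    """A-V pairs the NAS forwards: CHAP-Password is the 1-byte Ident followed by the
    16-byte response; the challenge it issued travels in CHAP-Challenge."""
    return {CHAP_PASSWORD: bytes([ident]) + chap_response(ident, password, challenge),
            CHAP_CHALLENGE: challenge}

def server_verify(attrs: dict, request_authenticator: bytes, stored_password: bytes) -> bool:
    """Server side: recompute the response from the profile's plaintext password.
    If CHAP-Challenge is absent, RFC 2865 says the Request Authenticator is the
    challenge. A one-way password hash in the profile cannot be used for this check."""
    chap_pw = attrs.get(CHAP_PASSWORD)
    if chap_pw is None or len(chap_pw) != 17:
        return False
    challenge = attrs.get(CHAP_CHALLENGE, request_authenticator)
    expected = chap_response(chap_pw[0], stored_password, challenge)
    return hmac.compare_digest(expected, chap_pw[1:])
```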
Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)
An implementation of the CHAP protocol that Microsoft created to authenticate remote
Windows workstations. In most respects, MS-CHAP is identical to CHAP, but there are some
differences. MS-CHAP is based on the encryption and hashing algorithms used by Windows
networks, and the MS-CHAP response to a challenge is in a format optimized for
compatibility with Windows operating systems.
Extensible Authentication Protocol (EAP)
Like CHAP, EAP is a more secure authentication protocol than PAP for establishing a PPP
connection, and it offers more flexibility to handle authentication requests with different
encryption algorithms. It allows authentication by encapsulating various types of
authentication exchanges, such as MD5. These EAP messages can be encapsulated in the
packets of other protocols, such as RADIUS, for compatibility with a wide range of
authentication mechanisms. This flexibility also allows EAP to be implemented in a way (LEAP,
for example) that is more suitable for wireless and mobile environments than other
authentication protocols. EAP allows authentication to take place directly between the user
and server without the intervention of the access device that occurs with CHAP.
The following is a list of the EAP authentication methods supported by the
HP-UX AAA Server A.06.01:
• Transport Layer Security (TLS): Uses TLS (also known as SSL) to authenticate the
client using its digital certificate. Note: some wireless supplicants require specific
extensions to support certificates for EAP. TLS features include: Dynamic Key Exchange;
Mutual Authentication; Digital Certificate/Token Card-based Authentication; and
Encrypted Tunnelling.
• Tunneled TLS (TTLS): Can carry additional EAP or legacy authentication methods like
PAP, MS-CHAP, and CHAP. Integrates with the widest variety of password storage
formats and existing password-based authentication systems. Wireless supplicants are
available for a large number of clients. TTLS features include: Dynamic Key Exchange;
Mutual Authentication; Password-based Authentication; and Encrypted Tunnelling.
• Protected EAP (PEAP): Functionally very similar to TTLS, but does not encapsulate
legacy authentication methods. PEAP features include: Dynamic Key Exchange; Mutual
Authentication; and Encrypted Tunnelling.
• Message Digest 5 (MD5): Passwords are hashed using the MD5 algorithm. Can be
deployed for protecting access to LAN switches where the authentication traffic will not
be transmitted over airwaves. Can also be safely deployed for wireless authentication
inside EAP tunnel methods. The main feature in MD5 is Password-based Authentication.
• Lightweight EAP (LEAP): For legacy Cisco equipment only. LEAP features include:
Dynamic Key Exchange; Mutual Authentication; and Password-based Authentication.
• Generic Token Card (GTC): Carries user-specific token cards for authentication. The
main feature in GTC is Digital Certificate/Token Card-based Authentication.
• EAP MS-CHAP: Passwords are hashed using a Microsoft algorithm. Can be deployed for
protecting access to LAN switches where the authentication traffic will not be transmitted
over airwaves. Can also be safely deployed for wireless authentication inside EAP tunnel
methods. EAP-MSCHAP features include Mutual Authentication and Password-based
Authentication.
RADIUS Data Packets
The Access-Request and other RADIUS data packets contain a header and a set of
attribute-value (A-V) pairs, which the server uses during the AAA transaction. The
RADIUS RFC 2865 defines how vendors can extend the protocol; encapsulation is the
RFC-defined way of extending RADIUS. Conflicts can occur when the RFC is not followed. In
those cases, the server can map the attributes to unique internal values for processing. For a
full description of RADIUS attribute-value pairs, see the Administrator’s Guide.
Shared Secret
The User-Password in a request is protected in transit using a shared secret. The shared secret
is used to sign RADIUS data packets, ensuring they come from a trusted source. The shared
secret is also used to encrypt user passwords with certain authentication methods, such as
PAP. The HP-UX AAA Server uses the clients configuration file to associate a secret with each
client (or server) that is authorized to make use of its services.
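The exchange in Figure 1-2 and the packet layout, shared-secret signing and PAP password hiding described above, as an added Python example that is not part of this guide or of the HP-UX AAA Server product: it assembles an Access-Request from A-V pairs as RFC 2865 lays them out, hides the User-Password under the shared secret, and checks the Response Authenticator on the server's Access-Accept. The shared secret, password, NAS address and Request Authenticator are constructed values; a real client draws a fresh random Request Authenticator for every request.

```python
# Added example; not code from the HP-UX AAA Server guide or product. Builds an
# RFC 2865 Access-Request, hides the User-Password under the shared secret, and
# signs/verifies the reply. Secret, password, NAS address and Request Authenticator are constructed.
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3           # packet codes
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5  # attribute types

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks; block i is XORed with MD5(secret + c[i-1]), c[0] = RA."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password, as the server performs it before checking a PAP login."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(prev, key))
    return out.rstrip(b"\x00")

def avp(attr_type: int, value: bytes) -> bytes:
    """One attribute-value pair: Type (1 byte), Length (1 byte, header included), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    """Header: Code (1), Identifier (1), Length (2), Authenticator (16), then the A-V pairs."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

def access_request(user: str, password: str, secret: bytes, ident: int, request_auth: bytes) -> bytes:
    """Client side. request_auth must be 16 fresh random bytes per request (os.urandom(16))."""
    attrs = (avp(USER_NAME, user.encode())
             + avp(USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
             + avp(NAS_IP_ADDRESS, bytes([192, 0, 2, 10]))  # constructed NAS address
             + avp(NAS_PORT, struct.pack("!I", 3)))
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs)

def parse_attributes(packet: bytes) -> dict:
    """Walk the A-V pairs after the 20-byte header, rejecting malformed lengths."""
    attrs, pos = {}, 20
    while pos < len(packet):
        length = packet[pos + 1] if pos + 1 < len(packet) else 0
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")
        attrs[packet[pos]] = packet[pos + 2:pos + length]
        pos += length
    return attrs

def response_authenticator(code: int, ident: int, attrs: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def reply(request: bytes, secret: bytes, code: int, attrs: bytes = b"") -> bytes:
    """Server side: sign the reply with the shared secret over the request's authenticator."""
    auth = response_authenticator(code, request[1], attrs, request[4:20], secret)
    return build_packet(code, request[1], auth, attrs)

def verify_reply(request: bytes, response: bytes, secret: bytes) -> bool:
    """Client side: the identifier must match and the authenticator must derive from the secret."""
    expected = response_authenticator(response[0], response[1], response[20:], request[4:20], secret)
    return response[1] == request[1] and hmac.compare_digest(response[4:20], expected)
```

The same Response Authenticator rule covers Accounting-Response packets, so `reply` and `verify_reply` also serve the accounting leg of Figure 1-2.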
Product Structure
The HP-UX AAA Server, based on a client/server architecture, consists of the following
components, which may be installed independently:
• HP-UX AAA Server daemon, libraries, and utilities
• The AAA Server Manager, the user interface that performs administration and
configuration tasks from a client’s browser for one or more AAA servers
• AAA Server module for Oracle authentication
• Documentation
The exchange of configuration information between a remote AAA server and the AAA Server
Manager program is validated by a shared secret. This secret is unique to the Server Manager
and a remote AAA server. It should not be the same secret used by an AAA server and the peers
that it communicates with. The exchange of information between a browser and the client
program is not validated or encrypted by default, although you can configure HTTPS to secure
this communication. Refer to the HP-UX AAA Server Administrator’s Guide for more
information about configuring Server Manager to run over HTTPS.
NOTE         To secure the communication between the Server Manager and the HP-UX
             AAA Server, install the Server Manager and the HP-UX AAA Server software
             inside a secure network.
AAA Servers
AAA server installations include the AAA server, which performs the authentication,
authorization, and accounting functions to process requests, and RMI objects. The RMI
objects establish a connection and facilitate communication between the AAA server and the
HP-UX Tomcat-based Servlet Engine.
AAA Server Manager Program
The AAA Server Manager utilizes the HP-UX Tomcat-based Servlet Engine to provide a
configuration interface between a web browser and one or more AAA servers. Server Manager
is used for starting, stopping, configuring, and modifying the servers. In addition, the program
can retrieve logged server sessions and accounting information for an administrator.
The 802.1x Advisor
The 802.1x Advisor is an HTML tutorial/help system in the Server Manager GUI that walks
you through the tasks and Server Manager screens for securing WLANs with the HP-UX AAA
Server. The 802.1x Advisor provides information only—it does not edit configuration files.
Follow the 802.1x Advisor and use Server Manager to create and deploy basic AAA
configurations for securing WLANs. Refer to the HP-UX AAA Server Administrator’s Guide
for complete HP-UX AAA Server documentation. The following figure shows the 802.1x
Advisor.
Figure 1-3  The 802.1x Advisor For Securing WLANs
Accessing the Server Manager
The Server Manager provides access to the AAA server management functions and
configuration files. From a remote client workstation, administrators can access the AAA
Server Manager interface through a Web browser. An administrator can create an AAA
configuration for authenticating users and implementing authorization policies. In addition to
creating, modifying, and deleting entries in many of the server’s configuration files, an
administrator may start and stop the AAA server, access the server’s status and system time,
retrieve information from accounting and session logs, and terminate sessions. You can access
the functions that perform these operations by selecting an item from the Navigation Tree
located in the left frame of the HTML page.
Figure 1-4  The Server Manager User Interface
Some advanced features of the HP-UX AAA Server cannot be configured through the Server
Manager interface. For example, if you want to define session management parameters,
policies, or vendor-specific attributes, you must manually edit the configuration files. Refer to
the HP-UX AAA Server Administrator’s Guide for more information.
IMPORTANT    Refer to the HP-UX AAA Server Release Notes for the supported browsers for
             each version of the product.
NOTE         The browser preferences or Internet options should be set to always compare
             loaded pages to cached pages.
AAA Server Architecture
The HP-UX AAA Server architecture consists of three primary components:
• Configuration files. By editing these flat text files, either with the Server Manager user
interface or with a text editor, you provide the information the server needs to
perform authentication, authorization, and accounting for configured users.
• AATV plug-ins, which perform discrete actions such as initiating an authentication request,
replying to an authentication request, or logging an accounting record.
• The software engine, which includes the Finite State Machine (FSM) and some associated
routines. At server startup, the finite state machine reads instructions from a state
table, by default the /etc/opt/aaa/radius.fsm text file. The state table outlines which
AATV actions to call and in what order to call them.
When the server is initialized, it performs a few distinct operations. It loads and initializes
the AATV plug-ins, so that actions can be executed when called by the finite state machine. It
also reads the configuration files to initialize the data required for the actions to execute
according to the application’s requirements.
Configuration Files
The HP-UX AAA Server reads data from the following configuration files installed at
/etc/opt/aaa/ by default:
Table 1-1  HP-UX AAA Server Configuration Files

File        Description
clients     Information about all RADIUS clients (name, address, shared secret, type, etc.)
            that allows the server to recognize and communicate with the clients.
authfile    Authentication type parameters for defined realms.
users       Information about user IDs, passwords, and check/deny/reply items.