HP HP-UX AAA Administrator's Guide

HP-UX AAA Server A.07.01 Administrator’s Guide

HP-UX 11i v1, HP-UX 11i v2, and HP-UX 11i v3
HP Part Number: T1428-90068 Published: September 2008 Edition: Edition 9
Copyright © 2002–2008 Hewlett-Packard Development Company, L.P.
12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are
licensed to the U.S. Government under vendor’s standard commercial license.
The information contained herein is subject to change without notice. The only warranties for HP products and services are set
forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as
constituting additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.
UNIX is a registered trademark of The Open Group.
Java is a US trademark of Sun Microsystems.
Microsoft®, Windows ®, and Windows NT ® are U.S. registered trademarks of Microsoft Corporation.
Oracle ® is a registered US trademark of Oracle Corporation, Redwood City, California.
OpenLDAP ® is a registered trademark of the OpenLDAP Foundation.
Netscape Navigator is a registered trademark of Time Warner, Inc.

Table of Contents

About This Document ..................................................................................................................23
Intended Audience.............................................................................................................23
New and Changed Information in This Edition.................................................................23
Document Organization.....................................................................................................24
Publishing History..............................................................................................................24
Typographic Conventions..................................................................................................25
HP-UX Release Name and Release Identifier.....................................................................26
Related Information............................................................................................................26
HP Encourages Your Comments........................................................................................26
I Introduction...............................................................................................................................27
1 Overview: The HP-UX AAA Server .......................................................................................30
RADIUS Topology ........................................................................................................31
Establishing a RADIUS Session.....................................................................................32
Product Structure..........................................................................................................34
HP-UX AAA Server Daemon, Libraries, and Utilities ............................................34
HP-UX AAA Server Manager Program ..................................................................34
Documentation.........................................................................................................34
HP-UX AAA Server Architecture .................................................................................35
Configuration Files ..................................................................................................36
AATV Plug-Ins ........................................................................................................36
The Software Engine: Finite State Machine ............................................................36
HP-UX AAA Server Commands, Utilities and Daemons.............................................37
Handling an Access Request.........................................................................................37
Authentication to Verify the Client and User .........................................................38
Authorization to Control Sessions and Access to Services .....................................40
Authorization Steps ...........................................................................................41
Session Logs For Accounting .......................................................................................44
IPv6 Support for External Services................................................................................44
2 Upgrading to Version A.07.01..............................................................................................45
The HP-UX AAA Server Upgrade Process...................................................................45
Upgrading from Versions A.07.00, A.06.02, or A.06.01 to Version A.07.01..................45
Upgrading from Version A.06.00.x to Version A.07.01.................................................46
Upgrading from Version A.05.x to Version A.07.01......................................................48
Merging the Dictionary File..........................................................................................48
Merging the radius.fsm File.....................................................................................48
Merging the vendors File............................................................................................48
3 Installing and Securing the HP-UX AAA Server.......................................................................49
Acquiring the HP-UX AAA Server Software................................................................49
Installing and Uninstalling the HP-UX AAA Server....................................................49
To Install the HP-UX AAA Server...........................................................................49
To Uninstall the HP-UX AAA Server Software.......................................................50
HP-UX AAA Server File Locations ..............................................................................51
Securing the HP-UX AAA Server..................................................................................55
Changing the Default HP-UX AAA Server Settings ...............................................55
Changing the Default Tomcat User Name and Password..................................55
Changing the Default RMI Objects Secret..........................................................55
Changing the Default test_user Settings............................................................56
Changing the Default localhost Proxy Settings..................................................56
Environment Specific Security Procedures .............................................................56
Using Secure Socket Layer (SSL) for Secured Remote Server Manager Administration...................................................................................................56
Creating a Tomcat Identity Specifically for the HP-UX AAA Server ................58
Running the HP-UX AAA Server on Hosts with System Hardening Software..............................................................................................................59
Running the HP-UX AAA Server as a Non-Root User......................................59
Setting Up the HP-UX AAA Server to Start as Non-Root User After Reboot....60
4 Enabling the HP-UX AAA Server for GUI-based Administration................................................62
Accessing the Server Manager......................................................................................62
Starting and Stopping the RMI Objects...................................................................62
Starting and Stopping Tomcat.................................................................................62
Testing the Installation .................................................................................................63
To Test the Installation.............................................................................................63
Starting AAA Servers Using Server Manager...............................................................64
AAA Server Start Options........................................................................................65
Server Manager’s Reload Feature............................................................................66
Starting AAA Servers From the Command Line..........................................................67
Configuring the HP-UX AAA Server to Start Automatically Upon System Reboot..................................................................................................................................69
Stopping or Restarting HP-UX AAA Servers...............................................................69
Using Server Manager..............................................................................................70
From the Command Line.........................................................................................70
Adding an HP-UX AAA Server to Your Network........................................................70
II Configuring the HP-UX AAA Server Manager Using the Server Manager GUI ................................72
5 The HP-UX AAA Server Manager Interface.............................................................................76
Commonly Used Icons in the GUI................................................................................77
6 Managing HP-UX AAA Servers.............................................................................................78
Using the Server Connections Screen............................................................................78
Adding a New Server ...................................................................................................78
Modifying Connection Attributes.................................................................................79
Deleting a Server Connection........................................................................................80
Managing Multiple Servers...........................................................................................81
Loading and Saving Your Configuration......................................................................82
7 Configuring RADIUS Clients Using the Access Devices Screen.................................................84
Navigating the Access Devices Screen..........................................................................84
Adding a RADIUS Client..............................................................................................84
Modifying a RADIUS Client’s Properties......................................................................87
Deleting a RADIUS Client.............................................................................................88
8 Configuring Realms.............................................................................................................89
Using the Local Realms Screen.....................................................................................89
Adding a Realm.............................................................................................................89
Modifying Realms.........................................................................................................92
Special Entries...............................................................................................................92
Deleting a Realm...........................................................................................................93
Configuring Realms for Authentication using an External Server...............................94
Configuring Realms for Database Access via SQL..................................................94
Configuring Realms for LDAP ................................................................................96
Modifying a Directory Configuration................................................................98
Deleting a Directory Configuration....................................................................98
Tuning the AAA Server to LDAP Server Connection........................................99
Configuring Realms for Oracle................................................................................99
Configuring the HP-UX AAA Server Using Server Manager..........................100
To Configure and Run the db_srv Daemon .............................................101
Scripts to Start and Stop the HP-UX AAA Server Oracle Daemon.............103
Configuring a SecurID Realm................................................................................103
9 Configuring Proxies...........................................................................................................105
Navigating the Proxy Screen.......................................................................................105
Changing the Default localhost Proxy Settings...........................................................106
Creating or Modifying a Proxy...................................................................................106
Forwarding Authentication Requests From a Proxy Server..................................109
Forwarding Authentication Requests to a Remote Server.....................................110
Changing RADIUS Port Numbers..............................................................................111
Forwarding Requests to Alternate RADIUS Ports.................................................111
Forwarding Accounting Requests...............................................................................111
Proxying Authentication and Accounting Messages to the Same Server...................112
Proxying Accounting Requests to a Central Server....................................................113
Deleting a Proxy..........................................................................................................113
10 Configuring Users............................................................................................................115
Navigating the Users Screen.......................................................................................115
Changing the Default test_user Settings.....................................................................115
Adding a User Profile .................................................................................................116
Tabs on the Add Users Screen................................................................................118
Specifying Attributes Using the Free Attributes Pane......................................118
Adding Users for SecurID Authentication..................................................................119
Modifying User Profiles..............................................................................................119
Deleting a User Profile.................................................................................................120
To Delete a User Profile From the Default users File..........................................120
To Delete a User Profile in a Local Realms File......................................................121
11 Modifying Server Properties..............................................................................................122
Navigating the Server Properties Screen.....................................................................122
DHCP Relay Properties...............................................................................................122
DNS Updates Properties.............................................................................................123
Message Handling Properties.....................................................................................124
SNMP Properties.........................................................................................................125
Enable SNMP Support...........................................................................................125
Tunneling Properties...................................................................................................125
Tunneling Reply Items (Optional).........................................................................126
Certificate Properties...................................................................................................126
File Size Properties......................................................................................................127
Maximum Logfile Size...........................................................................................127
Miscellaneous Properties.............................................................................................127
Permit Microsoft Client Authenticate As Computer.............................................127
Local Users File Properties..........................................................................................128
ProLDAP Properties....................................................................................................128
12 Logging and Monitoring ..................................................................................................129
Overview.....................................................................................................................129
Server Log Files ..........................................................................................................129
Using Server Manager to Retrieve Logfile Information.........................................129
Search Parameters.............................................................................................130
Message Types .................................................................................................131
Using Server Manager to Retrieve Statistics .........................................................131
Accounting Log Files ..................................................................................................132
Using Server Manager to Retrieve Accounting Logfiles........................................133
Format of Accounting Records in the Default Merit Style....................................134
Time-Based Values............................................................................................134
Client A-V Pairs................................................................................................135
User Entry A-V Pairs.........................................................................................135
Session Tracking................................................................................................135
Writing Livingston CDR Accounting Records.......................................................136
Livingston CDR Session Record Format..........................................................137
Changing the Accounting Log Filename...............................................................137
Changing the Accounting Log Rollover Interval...................................................138
Rolling Over the Log File and Accounting Stream................................................138
III Advanced Configuration Information........................................................................................139
13 Securing LAN Access With EAP........................................................................................142
Overview.....................................................................................................................142
The Secure LAN Advisor.......................................................................................142
Preparing Your LAN ...................................................................................................143
Determining the EAP Authentication Method to Use................................................144
Securing WLANs with the HP-UX AAA Server.........................................................146
Digital Certificate Administration...............................................................................147
Using the “Self-Signed” Digital Certificates..........................................................147
Installing Your Own Digital Certificates and Keys................................................148
Installing Server Certificates and Keys.............................................................149
Installing Client Certificates and Keys.............................................................149
Defining Certificate Locations on the HP-UX AAA Server..............................149
14 Managing Sessions.........................................................................................................152
Session Logs.................................................................................................................152
Displaying Session Attributes................................................................................152
Stopping a Session..................................................................................................153
Session Limits..............................................................................................................153
Setting Limits on a User-by-User Basis..................................................................154
Setting Timeout Values.....................................................................................154
Establishing a Filter...........................................................................................154
Limiting Access Points (NAS-Port, NAS-ID, Calling-Station ID, and others)...............................................................................................................154
Denying Access (Called-Station-ID and others)...............................................155
Limiting Simultaneous Sessions.......................................................................155
Setting Limits for Users on a Global Basis.............................................................156
Setting Limits for All User Profiles Grouped by Realms.................................156
15 Assigning IP Addresses....................................................................................................157
Assigning Static IP Addresses.....................................................................................157
To Assign a Static IP (IPv4) Address to a Profile in Flat Files................................157
To Assign a Static IPv6 Address to a Profile in Flat Files......................................158
To Assign Static Traditional IP (IPv4) Addresses to a User Profile in an LDAP LDIF File.................................................................................................................160
To Assign Static IPv6 Addresses to a User Profile in an LDAP LDIF File.............161
Assigning Dynamic IP Addresses Using DHCP.........................................................161
16 OATH Standards-Based OTP Authentication.......................................................................162
OTP and OATH Overview..........................................................................................162
HP-UX AAA Server and OATH Support....................................................................163
Components Required to Configure OTP Authentication..........................................164
Configuring OTP Authentication on the HP-UX AAA Server ..................................165
OTP Authentication Configuration Flowchart......................................................165
Basic or Typical Configuration...............................................................................167
Advanced Configuration........................................................................................168
Advanced OTP Authentication Configuration Concepts.................................169
Attributes for Configuring OTP Authentication.........................................172
Advanced Deployment Scenarios.....................................................................177
Validating OTP Alone..................................................................................178
Configuring Two-Factor Authentication.....................................................180
OTP or Password Validation at External RADIUS Server...........................187
Predefined Mapping and Conversion Functions...................................................194
Sample Configuration Files....................................................................................194
The sqlaccess.config Sample File.............................................................194
Sample Policy Files...........................................................................................197
The oath-request-ingress.grp Sample File......................................197
The oath-reply-egress.grp Sample File............................................198
The oath-proxy-egress.grp Sample File............................................199
IV Integrating the HP-UX AAA Server With External Services..........................................................200
17 LDAP Authentication.........................................................................................................204
LDAP Server Compatibility ........................................................................................204
Related LDAP Documentation ...................................................................................204
Authentication with LDAP .........................................................................................204
Configuring the LDAP Server ...............................................................................204
The HP-UX AAA Server LDAP Schema...........................................................205
To Configure Netscape Directory Server v6.....................................................206
To Configure iPlanet Directory Server v5.........................................................206
To Configure OpenLDAP 2.0.x.........................................................................206
18 SQL Access.....................................................................................................................207
SQL Access Overview.................................................................................................207
SQL Access Concepts.............................................................................................208
RADIUS Attribute to SQL Statement Mapping................................................209
Mapping Functions...........................................................................................210
Conversion Functions.......................................................................................210
SQL Action Processing and Result Handling...................................................211
Implementing SQL Access..........................................................................................211
Sample Implementation Files.................................................................................211
sqlaccess.config Sample File....................................................................212
dbsetup.sql Sample File...............................................................................214
Finite State Machine Sample.............................................................................215
Pre-requisites for SQL Access................................................................................215
Database Server and Schema............................................................................215
Database Security........................................................................................216
High Availability.........................................................................................216
Database Client.................................................................................................216
Shared Library Path Configuration.............................................................216
Database Client Connector Libraries................................................................217
SQL Access Implementation Details......................................................................217
sqlaccess.config File Configuration........................................................................218
Database Connection Definition.......................................................................219
SQL Actions......................................................................................................221
Mapping Syntax................................................................................................222
RAD Mapping.............................................................................................223
DBC Mapping..............................................................................................224
DBP Mapping..............................................................................................225
Mapping Functions......................................................................................227
Conversion Functions..................................................................................229
SQL Statement..................................................................................................229
SQL Result Mapping.........................................................................................230
Result Handling for Retrieval Requests......................................................231
Global Definitions.............................................................................................232
Advanced SQL Mapping Configuration................................................................232
Developing Custom Functions.........................................................................233
Null SQL Statements.........................................................................................233
Null Source and Target Mapping.....................................................................234
Time Synchronization.......................................................................................234
Finite State Table Configuration in the FSM.....................................................235
Stored Procedures.............................................................................................236
Administering Users and Tokens Stored in an SQL Database....................................237
Managing Users.....................................................................................................238
Adding Users to an SQL Database...................................................................238
Modifying User Credentials.............................................................................240
Managing Users Using OTP to Authenticate.........................................................241
Importing Tokens into the Database.................................................................241
Assigning Tokens to Users................................................................................242
Assigning a Specific Token to a User...........................................................242
Allocating Any Available Tokens to a User.................................................243
Enrolling Tokens (Procedure for Users)...........................................................243
Synchronizing Tokens (Procedure for Users)...................................................245
Terminating Tokens..........................................................................................246
Viewing User and Token Statistics.........................................................................246
Valid Token Status Values......................................................................................246
Invoking the User Database Administration Manager Interface from Server Manager.................................................................................................................247
19 Oracle Authentication (Supported Using SQL Access).........................................................248
Related AATV Plug-In Modules And Processes ........................................................248
The db_srv Package ...............................................................................................249
Oracle Compatibility .............................................................................................250
The Oracle Database Structure ...................................................................................250
The Oracle Information Model ..............................................................................250
Table Spaces .....................................................................................................251
User Schema .....................................................................................................251
Tables ................................................................................................................251
Configuring the Oracle Database ..........................................................................251
To Create the AUTH_NET_USERS Table ........................................................251
To Manage User Records in the AUTH_NET_USERS Table ...........................251
Table Structure .......................................................................................................253
Modifying the Table Structure ....................................................................................254
Supported Attributes ..................................................................................................254
20 Simple Network Management Protocol (SNMP) Support.....................................................256
Setting Up SNMP to Monitor the HP-UX AAA Server...............................................256
21 VPN Tunneling................................................................................................................258
Establishing a Tunnel for a User..................................................................................258
22 Using DHCP...................................................................................................................260
Required DHCP Server Features.................................................................................260
Recommended DHCP Server Features..................................................................260
Defining DHCP Address Pools for Specific Users......................................................260
To Associate an Address Pool with a User Profile in AAA Server Flat Files.........260
To Associate an Address Pool with a User Profile in an LDAP LDIF File.............261
Associating Address Pools with Realms and Other Conditions.................................261
23 Using SecurID.................................................................................................................262
Authentication Of Users .............................................................................................262
Configuring SecurID Authentication .........................................................................263
Configuring the AAA Server for RSA SecurID Authentication ...........................263
Configuring the ACE/Server .................................................................................263
Synchronizing the AAA Server with the ACE/Server ..........................................265
Related Documentation ..............................................................................................266
V Customizing the HP-UX AAA Server..........................................................................................267
24 Customizing the HP-UX AAA Server Using the Finite State Machine......................................270
States ...........................................................................................................................270
Using Xstring to call Policy ...................................................................................273
Using Xstring to Call an Alternate authfile ...........................................................273
Event Names ...............................................................................................................273
Predefined Event Names .......................................................................................274
Creating New Names ............................................................................................276
Actions ........................................................................................................................276
FSM Tables.............................................................................................................278
Custom State Tables ....................................................................................................279
Tracking Versions ..................................................................................................279
Examples ...............................................................................................................279
Preprocessing Module .....................................................................................279
Interim Logging .....................................................................................................280
Custom Logging Format .......................................................................................280
Proxy Accounting Messages..................................................................................281
25 Customizing the HP-UX AAA Server Using Policies..............................................................283
Policy Overview..........................................................................................................283
Defining a Policy in a Decision File.............................................................................284
Action Commands.................................................................................................285
The delete Command....................................................................................286
The insert Command....................................................................................287
The modify Command....................................................................................289
The exit Command.........................................................................................290
The log Command...........................................................................................290
The if Command.............................................................................................291
Attribute Specifications..........................................................................................293
Attribute Names...............................................................................................294
Vendor Names..................................................................................................294
Attribute Instance Specifications......................................................................294
No Instance Specification............................................................................294
Numeric Instance Specification...................................................................294
Keyword Instance Specification..................................................................295
Attribute Functions...........................................................................................295
The count Attribute Function....................................................................296
The length Attribute Function..................................................................296
The substr Attribute Function..................................................................296
The tolower Attribute Function................................................................300
The toupper Attribute Function................................................................300
Value Types............................................................................................................301
Supported Operators..............................................................................................302
Operator Precedence and Association..............................................................302
Type Compatibility................................................................................................303
Invoking a Policy.........................................................................................................304
Invoking Policies Through Predefined Policy Hooks............................................304
Request Ingress Policy......................................................................................304
User Policy........................................................................................................305
Invoking Policy from User Profiles.............................................................306
Reply Egress Policy...........................................................................................306
Proxy Egress Policy...........................................................................................307
Proxy Ingress Policy..........................................................................................308
Useful Attributes for Policy Conditions.................................................................309
Modifying the FSM for Specific Customizations ..................................................310
Sample Policy Implementations..................................................................................311
Dynamic Access Control........................................................................................311
Step 1 – Modifying the Default FSM for DAC..................................................311
Step 2 – Defining the DAC Policies...................................................................312
DNIS Routing.........................................................................................................313
Step 1 – Modifying the Default FSM for DNIS Routing...................................313
Step 2 – Defining the DNIS Routing Policies....................................................313
26 Customizing the HP-UX AAA Server Using the SDK.............................................................315
SDK Overview.............................................................................................................315
Migrating Plug-ins Created Using Previous Versions of the SDK..............................317
Prerequisites for Using the SDK..................................................................................317
SDK Directory Structure..............................................................................................317
SDK Concepts..............................................................................................................317
Overview of AATVs...............................................................................................317
AATV Components................................................................................................318
The init Function...........................................................................................318
The action Function..........................................................................................318
The timer or callback Function.........................................................................319
The cleanup Function.......................................................................................319
Creating Plug-ins.........................................................................................................319
Using AATVs to Create a Plug-in..........................................................................320
Compiling and Loading a Plug-in.........................................................................321
Testing and Debugging a Plug-in..........................................................................322
Using the GNU Project Debugger....................................................................322
Using gdb to Debug Your Software Module...............................................322
VI Troubleshooting.....................................................................................................................324
27 Troubleshooting Overview................................................................................................327
AAA Environment Components.................................................................................327
HP-UX AAA Server Operation...................................................................................328
Probable Causes for Failure.........................................................................................330
Configuration Problems.........................................................................................330
External Service Problems......................................................................................330
Protocol Limitations...............................................................................................331
RADIUS Client and Supplicant Considerations....................................................331
28 Troubleshooting Procedures..............................................................................................332
Troubleshooting Flowchart.........................................................................................332
Troubleshooting Flowchart Process.......................................................................334
Troubleshooting the Server Manager Administration Utility.....................................335
Common Problems With the Server Manager.......................................................336
Troubleshooting Server Manager Launch Problems........................................337
Troubleshooting Remote Management Problems............................................338
Troubleshooting the HP-UX AAA Server...................................................................339
Troubleshooting HP-UX AAA Server Startup Problems.......................................339
Common Problems with HP-UX AAA Server Startup.....................................339
Troubleshooting Bind Errors at HP-UX AAA Server Startup.....................342
Troubleshooting an Unresponsive HP-UX AAA Server........................................343
Troubleshooting Common Configuration Problems........................................344
Troubleshooting External Services...................................................................346
Identifying External Service Failures using Logfile Error Messages..........347
Identifying Unrecorded External Datastore Failures..................................351
Identifying Proxy Server Failures................................................................351
Identifying Unrecorded DHCP Failures.....................................................352
Troubleshooting Access-Rejects from the HP-UX AAA Server.............................352
Common Authentication Failure Problems......................................................352
EAP Problems........................................................................................................360
Troubleshooting Provisioning Errors.....................................................................363
29 Troubleshooting Resources................................................................................................364
HP-UX AAA Server Troubleshooting Utilities............................................................364
The radcheck Utility: For Checking the Server Status........................................364
The radpwtst Utility: For Testing Authentication...............................................365
The raddbginc Utility: For Setting Debug Output Levels..................................365
The radsignal Utility: For Rolling Over the Debug Output to New Files.........365
The HP-UX AAA Server Logfile and Debug File........................................................366
The HP-UX AAA Server Logfile............................................................................366
The HP-UX AAA Server Debug File......................................................................366
30 Reporting Problems.........................................................................................................368
Server Set Up Information...........................................................................................368
Server Manager Related Information..........................................................................369
External Components..................................................................................................369
External Databases.................................................................................................369
SNMP Servers.........................................................................................................369
DHCP Servers.........................................................................................................369
OpenSSL.................................................................................................................369
EAP Related Information............................................................................................369
Clients.....................................................................................................................370
Access Points..........................................................................................................370
VII Reference.............................................................................................................................371
31 Configuration Files ..........................................................................................................374
HUP Processing...........................................................................................................374
The aaa.config File.................................................................................................375
Variables in the aaa.config File.........................................................................375
The strict_duplicate_check Variable.....................................................375
The aatv.ProLDAP Property..........................................................................376
The log_threshold_limit and suppression_interval Variables......376
The list_copy_limit Variable....................................................................377
The localUsersFile.FilterType Property.............................................377
The default_users_file_cis_search Property.....................................377
The log_forwarding Variable.......................................................................377
The log_generated_request Variable.......................................................378
The ourhostname Variable.............................................................................378
The packet_log Variable...............................................................................378
The radius_log_fmt Variable.......................................................................379
The reply_check Variable.............................................................................379
OTP Authentication Related Configuration Items................................................379
The clients File........................................................................................................380
Prefixed Users and authfile...............................................................................380
Wildcard Support for IPv4 and IPv6......................................................................381
The users File ............................................................................................................381
Syntax of a User Entry ...........................................................................................382
Syntax of IPv6 Attributes.......................................................................................382
NAS-IPv6-Address...........................................................................................382
Framed-Interface-Id..........................................................................................382
Framed-IPv6-Prefix...........................................................................................383
Login-IPv6-Host................................................................................................383
Framed-IPv6-Route...........................................................................................384
Framed-IPv6-Pool.............................................................................................384
With Tunneling ......................................................................................................384
The dictionary File .................................................................................................385
Attribute Entries ....................................................................................................386
Pruning Expressions ..............................................................................................387
Value Entries ..........................................................................................................388
The las.conf File .....................................................................................................389
LAS Session Timing Parameters ...........................................................................389
Token Pool Configuration .....................................................................................390
Realm Configuration .............................................................................................391
The vendors File .......................................................................................................392
Syntax of a vendors File.......................................................................................392
The log.config File .................................................................................................393
Syntax of a Stream Entry........................................................................................393
Default Entry .........................................................................................................395
End Entry ...............................................................................................................395
Logging Multiple Streams .....................................................................................395
Values Logged by Default.................................................................................395
Examples................................................................................................................396
Livingston Call Detail Record (CDR) Format...................................................396
Multiple Logging Streams ...............................................................................396
Logging Based on attributes.............................................................................397
Accounting Log Based on Attribute Value.......................................................398
Changing the Accounting Log Rollover Interval.............................................399
32 Attribute-Value Pairs.........................................................................................................400
Specifying Attribute-Value Pairs.................................................................................400
Attribute-Value Formats........................................................................................400
Examples................................................................................................................401
Tagged Attributes ..................................................................................................401
Attributes in User Profiles...........................................................................................401
Configuration Attributes........................................................................................402
Local Authorization Service (LAS) Configuration...........................................403
Simultaneous-Use Attribute........................................................................404
Attributes Concerning OTP Authentication...............................................404
Check (and Deny) Items..............................................................................................404
Attributes Concerning the NAS.............................................................................404
Policy Attributes.....................................................................................................405
Other Attributes.....................................................................................................406
Reply Items..................................................................................................................406
General Attributes..................................................................................................408
Attributes Concerning Login Users.......................................................................409
Attributes for Framed Users..................................................................................410
Tunneling Attributes..............................................................................................411
Other Attributes.....................................................................................................414
Attributes in Accounting Records...............................................................................415
Additional Session Information.............................................................................415
33 MIB Objects...................................................................................................................419
MIB Objects..................................................................................................................419
A Supported IETF RFCs..............................................................................................................424
B Supported Authentication Methods...........................................................................................426
C RADIUS Data Packets.............................................................................................................428
Data Packet Format...........................................................................................................428
Attribute-Value Pair Format .......................................................................................428
D Header Files, Data Structures, and APIs in the HP-UX AAA Server SDK........................................430
Header Files and Data Structures in the SDK...................................................................430
APIs in the HP-UX AAA Server SDK...............................................................................430
A-V Pair APIs..............................................................................................................431
sdk_avp_t *sdk_avp_allocate()..............................................................................431
void sdk_avp_free()................................................................................................431
int sdk_get_avp_info()...........................................................................................431
int sdk_set_avp()....................................................................................................432
int sdk_set_vend_avp()..........................................................................................432
Authreq APIs...............................................................................................................433
sdk_avp_t *sdk_find_avp()....................................................................................433
sdk_avp_t *sdk_find_vend_avp()..........................................................................434
int sdk_del_avp()....................................................................................................435
int sdk_insert_avp()...............................................................................................435
int sdk_get_authreq_info().....................................................................................436
Logging APIs...............................................................................................................438
int sdk_logit().........................................................................................................438
int sdk_log_debug()...............................................................................................439
Asynchronous Event and I/O APIs.............................................................................440
int sdk_pollfd_register().........................................................................................440
int sdk_pollfd_unregister()....................................................................................440
int sdk_schedule_event()........................................................................................441
Secondary APIs............................................................................................................441
sdk_authreq_t *sdk_get_authreq_by_id()..............................................................441
char *sdk_get_config_dir().....................................................................................442
int sdk_set_authreq()..............................................................................................442
int sdk_get_client_info().........................................................................................442
int sdk_decrypt_passwd()......................................................................................443
int sdk_encrypt_passwd()......................................................................................444
E Syntax of the Decision Files in Earlier Versions of the HP-UX AAA Server......................................445
Expressions ......................................................................................................................445
Specifying Attributes in Group Entries ...........................................................................446
Dynamic Access Control ............................................................................................446
Internal Values ............................................................................................................447
Using Indirection .............................................................................................................447
Example Group Entries ....................................................................................................448
DNIS.grp for DNIS Routing........................................................................................448
DAC.grp for Dynamic Access Control.......................................................................449
Glossary of Terms......................................................................................................................452
Index........................................................................................................................................458
List of Figures
1-1 Typical AAA Network Topology................................................................................32
1-2 Client-Server RADIUS Transaction.............................................................................33
1-3 Authentication Process................................................................................................36
1-4 Default Action Sequence.............................................................................................38
1-5 Authentication Steps...................................................................................................39
1-6 Authorization Steps....................................................................................................41
4-1 Return Value After Successfully Starting a AAA Server............................................65
4-2 Server Manager’s Start Options Screen.......................................................................65
4-3 Algorithm for Determining Which FSM to Load........................................................69
5-1 The HP-UX AAA Server Manager User Interface......................................................76
6-1 Server Manager’s Connected Server Screen................................................................78
6-2 The Add Connection Screen........................................................................................79
6-3 The Modify Connection Screen...................................................................................80
6-4 The Delete Server Connections Screen........................................................................81
6-5 Server Manager’s Server Status Frame........................................................................81
6-6 Server Manager’s Load Configuration Screen............................................................83
6-7 Server Manager’s Save Configuration Screen.............................................................83
7-1 Server Manager’s Access Device Screen.....................................................................84
7-2 Server Manager’s Access Device Attributes Screen....................................................85
7-3 The Delete Access Device Screen................................................................................88
8-1 Server Manager’s Local Realms Screen.......................................................................89
8-2 Server Manager’s Local Realm Attributes Screen.......................................................90
8-3 The Delete Local Realm Screen...................................................................................94
8-4 User Storage Parameters for Database Access via SQL..............................................95
8-5 New Oracle Server Screen.........................................................................................100
9-1 Proxy Configuration..................................................................................................105
9-2 Server Manager’s Proxy Screen.................................................................................106
9-3 Server Manager’s Proxy Attributes Screen................................................................107
9-4 The Delete Proxy Screen............................................................................................114
10-1 Server Manager’s Users Screen.................................................................................115
10-2 The Add Users Screen...............................................................................................117
10-3 The Modify Users Screen..........................................................................................120
10-4 The Delete Users Screen............................................................................................121
11-1 Server Manager’s Server Properties Screen...............................................................122
12-1 Server Manager’s Logfile Screen...............................................................................130
12-2 Server Manager’s Statistics Screen............................................................................132
12-3 AAA Server Statistics Example.................................................................................132
12-4 Accounting Logfile Search Screen in Server Manager .............................................133
12-5 Detailed Accounting Record for a Selected User......................................................134
13-1 The Secure LAN Advisor For Securing WLANs......................................................143
13-2 Server Manager’s Certificate Properties Screen........................................................150
14-1 Sessions Search Filter Screen.....................................................................................152
14-2 Example Return for a Sessions Search ......................................................................153
14-3 Example of a Session’s Attributes..............................................................................153
15-1 The Users Screen.......................................................................................................157
15-2 The Framed User Attributes Form............................................................................158
15-3 The Users Screen.......................................................................................................159
15-4 The Framed User Attributes Form............................................................................160
16-1 OATH Standards-Based OTP Authentication Flow and the HP-UX AAA Server....163
16-2 OTP Authentication Configuration Flowchart.........................................................167
16-3 Usage of Bit Masks to set OTP Authentication Actions............................................170
18-1 SQL Access Components...........................................................................................208
18-2 RADIUS Attribute to SQL Statement Mapping........................................................210
18-3 The User Database Administration Manager ..........................................................238
18-4 The Add User Screen.................................................................................................239
18-5 The Token Validate Screen........................................................................................242
18-6 The Enroll Token Screen............................................................................................244
18-7 The Synchronize Token Screen..................................................................................245
18-8 The User Statistics Screen..........................................................................................246
19-1 Authentication Process with Oracle..........................................................................249
19-2 Oracle Database Table Format...................................................................................253
23-1 SecurID Add Client Screen........................................................................................264
23-2 SecurID Edit Client Screen........................................................................................265
24-1 Default FSM State Transitions...................................................................................271
25-1 Flow of the Request Ingress Policy............................................................................305
25-2 Flow of the User Policy..............................................................................................306
25-3 Flow of the Reply Egress Policy................................................................................307
25-4 Flow of the Proxy Egress Policy................................................................................308
25-5 Flow of the Proxy Ingress Policy...............................................................................309
26-1 SDK Plug-in Example................................................................................................316
27-1 AAA Environment Components...............................................................................328
27-2 HP-UX AAA Server Operation.................................................................................329
28-1 Troubleshooting Flowchart.......................................................................................333
C-1 RADIUS Request/Reply Message Format.................................................................428
C-2 Attribute-Value Pair Format......................................................................................429
List of Tables
1 HP-UX AAA Server Administrator’s Guide Printing History...................................25
2 HP-UX 11i Releases.....................................................................................................26
1-1 Commands, Utilities, and Daemons...........................................................................37
1-2 How Requests are Altered Using the proxy-egress and proxy-ingress Policies........42
3-1 File Locations Upon Installation.................................................................................51
3-2 Files Generated During Operation..............................................................................54
3-3 Ports Associated with RMI Objects that must be Configured....................................59
4-1 Server Start Options....................................................................................................66
4-2 radiusd Options..........................................................................................................67
4-3 New Server Connection Screen Fields........................................................................70
6-1 Fields in the Connection Attributes Form...................................................................79
6-2 Icons in Server Manager’s Server Status Frame..........................................................82
7-1 Add Access Device Configuration Form Options......................................................86
8-1 Fields in the Local Realm Attributes Form.................................................................90
8-2 Special Entries.............................................................................................................93
8-3 Values for Configuring Realms for LDAP..................................................................96
8-4 Options......................................................................................................................103
9-1 Proxy Configuration Options....................................................................................108
9-2 Options for Forwarding Requests.............................................................................110
9-3 Accounting Logging Options....................................................................................112
10-1 General Attributes in the Add User Screen...............................................................117
11-1 DHCP Relay Properties.............................................................................................123
11-2 DNS Update Properties.............................................................................................124
11-3 Message Handling Properties...................................................................................124
11-4 Certificate Path Properties.........................................................................................126
11-5 ProLDAP Properties..................................................................................................128
12-1 Filter Parameters for Searching Logfiles...................................................................130
12-2 Statistic Search Parameters .......................................................................................132
12-3 Accounting Logfile Search Parameters ....................................................................133
12-4 Reasons Why The Record Was Generated................................................................135
13-1 LAN Configuration Items.........................................................................................144
13-2 Supported EAP Methods and Their Features...........................................................146
16-1 Bit Masks to Configure OTP Authentication Tasks..................................................169
16-2 Common OTP Authentication Actions.....................................................................171
16-3 Attributes for Configuring OTP Authentication.......................................................172
16-4 System-Wide OTP Configuration Items....................................................................175
16-5 SQL actions and Stored Procedures that Support OTP Authentication...................195
17-1 The HP-UX AAA Server LDAP Schema...................................................................205
18-1 The sqlaccess.config Sample File.....................................................................212
18-2 Database Access Parameters.....................................................................................220
18-3 Input Mapping Data Types and Syntax....................................................................222
18-4 Output Mapping Data Types and Syntax.................................................................223
18-5 RAD Mapping Parameters........................................................................................223
18-6 DBC Mapping Parameters.........................................................................................225
18-7 DBP Mapping Parameters.........................................................................................226
18-8 Pre-defined Mapping Functions...............................................................................228
18-9 Pre-defined Conversion Functions............................................................................229
18-10 Fields in the Add Users Form...................................................................................239
18-11 Fields in the Enroll Token Device Form....................................................................244
18-12 Fields in the Synchronize Token Form......................................................................246
18-13 Valid Token Status Values.........................................................................................247
19-1 Files Related to db_srv..............................................................................................250
19-2 AUTH_NET_USERS Table........................................................................................254
24-1 Predefined Event Names...........................................................................................274
24-2 Available Actions.......................................................................................................277
24-3 Predefined FSM Tables..............................................................................................278
25-1 Examples Illustrating the Use of the delete Command.........................................286
25-2 Behavior of the insert Command in Various Scenarios........................................288
25-3 Examples Illustrating the Use of the insert Command.........................................288
25-4 Examples Illustrating the Use of the modify Command.........................................289
25-5 A-V Pair Expression Operators.................................................................................302
25-6 Compatible Attribute Types......................................................................................304
25-7 Attributes Typically Used in Policy Group Conditions and Replies........................309
25-8 Interlink-specific Attributes Used by DAC...............................................................311
28-1 Common Problems with the Server Manager...........................................................336
28-2 Common Problems with HP-UX AAA Server Startup.............................................339
28-3 Common Configuration Problems............................................................................344
28-4 External Service Failure Problems............................................................................347
28-5 Common Authentication Failure Problems..............................................................353
28-6 EAP Problems............................................................................................................361
29-1 Debugging Levels in the HP-UX AAA Server..........................................................367
31-1 Default LAS Session Timing Parameters..................................................................390
31-2 Information Recorded by LOG_V2_o.......................................................................395
32-1 Reply Item Attributes................................................................................................406
32-2 Session Termination Causes......................................................................................416
33-1 MIB Objects and Definitions.....................................................................................419
A-1 Supported IETF RFCs................................................................................................424
A-2 Additional IETF RFCs Supported by HP-UX AAA Server.......................................424
A-3 AAA RFCs Supported by HP-UX AAA Server.........................................................425
C-1 RADIUS Request/Reply Message Format Description ............................................428
C-2 Attribute Value Pair Format Description .................................................................429
D-1 Actions Performed as a Result of the loc_avp A-V Pair.............................................436
D-2 Information Types.....................................................................................................437
D-3 HP-UX AAA Server Debug Levels............................................................................439
D-4 Possible Values of the infotype Parameter..................................................................443
E-1 A-V Pair Expression Operators.................................................................................445
E-2 A-V Pair Expression Examples..................................................................................446
List of Examples
18-1 Define the Oracle Database Connection Parameters................................................221
18-2 Define the MySQL Database Connection Parameters...............................................221
18-3 User and Password Input and Output Mappings.....................................................227
18-4 SQL Statement to Delete a Row................................................................................230
18-5 SQL Statement with Result Mapping - OCI..............................................................232
18-6 SQL Action with Null Source and Target Mappings................................................234
18-7 Timestamp Synchronization.....................................................................................235
18-8 FSM with Accounting Log via SQL Access...............................................................236
18-9 Remove Session Stored Procedure Definition...........................................................237
25-1 An example of a policy file that restricts Session-Timeout to one hour for guests, removes unwanted attributes, and provides administrative privileges to administrators...........................................................................................................285
25-2 Examples Illustrating the Use of the if Command..................................................293
25-3 Examples Illustrating the Use of the offset Keyword...........................................298
25-4 Examples Illustrating the Use of the before Keyword...........................................299
25-5 Examples Illustrating the Use of the after Keyword.............................................300
25-6 Examples Illustrating Precedence Rules...................................................................303
26-1 Example of a Pre-Paid Billing Application Using a Plug-in Created Using the HP-UX AAA Server SDK.......................................................................................................316
31-1 Examples of NAS-IPv6-Address Attribute Syntax...................................................382
31-2 Examples of Framed-Interface-Id Attribute Syntax..................................................383
31-3 Examples of Framed-IPv6-Prefix Attribute Syntax...................................................383
31-4 Examples of Login-IPv6-Host Attribute Syntax.......................................................384
31-5 Example of a Framed-IPv6-Route Attribute Syntax.................................................384
31-6 Example of a Framed-IPv6-Pool Attribute Syntax....................................................384

About This Document

This document provides an overview of the HP-UX AAA Server and describes how to configure, administer, and troubleshoot the product. This document does not cover installing the product.
The document printing date and part number on the cover indicate the document’s current edition. The printing date and part number change when a new edition is printed. Minor changes can be made at reprint without changing the printing date. The document part number will change when extensive changes are made.
Document updates may be issued between editions to correct errors or document product changes. To ensure that you receive the updated or new editions, subscribe to the appropriate product support service. Contact your HP sales representative for details.
The latest version of this document is available at:
http://www.docs.hp.com/en/internet.html#AAA%20Server%20%28RADIUS%29.

Intended Audience

This document is intended for HP-UX AAA Server administrators who understand the HP-UX operating system.

New and Changed Information in This Edition

The following additions and changes have been made for this edition:
Includes a new chapter called “OATH Standards-Based OTP Authentication” that describes OATH standards-based authentication and procedures for configuring OATH standards-based OTP and two-factor authentication.
Includes a new section called “Administering Users and Tokens Stored in an SQL Database” that describes how to use the User Database Administration tool to manage users and tokens stored in an SQL database.
Includes a new chapter called “Customizing the HP-UX AAA Server Using Policies” that describes the advanced policy syntax for decision files.
Includes a new chapter called “Customizing the HP-UX AAA Server Using the SDK” that describes how to use the SDK to customize the HP-UX AAA Server. Additionally, Appendix D (page 430) describes the new header files and APIs included in the SDK.
Other minor changes have been made throughout the document, as required.

Document Organization

The HP-UX AAA Server A.07.01 Administrator's Guide is organized as follows:
Part I — Introduction provides general information about the HP-UX AAA Server product and the RADIUS protocol. It also describes how to secure your HP-UX AAA Server installation.
Part II — Configuring the HP-UX AAA Server Manager Using the Server Manager GUI describes how to use the Server Manager to administer your AAA environment.
Part III — Advanced Configuration Information provides information on advanced topics, such as securing LAN access using EAP, session management, assigning IP addresses, and configuring OTP and two-factor authentication.
Part IV — Integrating the HP-UX AAA Server With External Services describes how to integrate the HP-UX AAA Server with external services such as Lightweight Directory Access Protocol (LDAP), SQL Access, Oracle, Dynamic Host Configuration Protocol (DHCP), Simple Network Management Protocol (SNMP), and Virtual Private Network (VPN).
Part V — Customizing the HP-UX AAA Server describes how to customize the HP-UX AAA Server to meet various deployment scenarios.
Part VI — Troubleshooting provides guidelines and error messages to help troubleshoot issues with the HP-UX AAA Server.
Part V — Reference provides information to supplement the task-based information in the previous parts of the document. Use the information in this section to learn more about non-task-based topics such as configuration files and attribute-value pairs.
Appendix A (page 424) lists all the RFCs that are supported by the HP-UX AAA Server.
Appendix B (page 426) lists and describes all the authentication methods that are supported by the HP-UX AAA Server.
Appendix C (page 428) provides information about the RADIUS data packet format.
Appendix D (page 430) lists and describes all the header files, data structures, and APIs included in the HP-UX AAA Server SDK.
Appendix E (page 445) discusses the syntax of decision files that are supported by previous versions of the HP-UX AAA Server.

Publishing History

The following table shows the printing history of this document. The first entry in the table corresponds to the current edition, and previous editions are listed in reverse chronological order.
Table 1 HP-UX AAA Server Administrator’s Guide Printing History
Document Part Number | Document Release Date (month/year) | Supports Software Version | Supported OS
T1428-90066 | 03/08 | A.07.01 | HP-UX 11i v1, 11i v2, 11i v3
T1428-90064 | 09/07 | A.07.00 | HP-UX 11i v1, 11i v2, 11i v3
5991-6434 | 09/06 | A.07.00 | HP-UX 11i v1, 11i v2
T1428-90061 | 11/05 | A.06.02 | HP-UX 11i v1, 11i v2
T1428-90050 | 01/04 | A.06.01.x | HP-UX 11.00, 11i v1, 11i v2
T1428-90042 | 10/03 | A.06.01.x | HP-UX 11.00, 11i v1
T1428-90025 | 04/03 | A.06.00.08 | HP-UX 11.00, 11i v1
T1428-90014 | 02/03 | A.06.00.07 | HP-UX 11.00, 11i v1
T1428-90001 | 06/02 | A.05.01.01 | HP-UX 11.00, 11i v1

Typographic Conventions

This document uses the following typographical conventions:
audit(5)    An HP-UX manpage. In this example, audit is the name and 5 is the section in the HP-UX Reference. On the web and on the Instant Information CD, it may be a link to the manpage itself. From the HP-UX command line, you can enter “man audit” or “man 5 audit” to view the manpage. See man(1).
Book Title    The title of a book. On the web and on the Instant Information CD, it may be a link to the book itself.
KeyCap    The name of a keyboard key. Note that Return and Enter both refer to the same key.
Emphasis    Text that is emphasized.
Emphasis    Text that is strongly emphasized.
Term    The defined use of an important word or phrase.
ComputerOut    Text displayed by the computer.
UserInput    Commands and other text that you type.
Command    A command name or qualified command phrase.
Variable    The name of a variable that you may replace in a command or function or information in a display that represents several possible values.
[ ]    The contents are optional in formats and command descriptions. If the contents are a list separated by |, you can choose one of the items.
{ }    The contents are required in formats and command descriptions. If the contents are a list separated by |, you can choose one of the items.
...    The preceding element can be repeated an arbitrary number of times.
|    Separates items in a list of choices.

HP-UX Release Name and Release Identifier

Each HP-UX 11i release has an associated release name and release identifier. The uname(1) command with the -r option returns the release identifier. The following table lists the releases available for HP-UX 11i.
Table 2 HP-UX 11i Releases
Release Name | Release Identifier
HP-UX 11i v1 | B.11.11
HP-UX 11i v2 | B.11.23
HP-UX 11i v3 | B.11.31

Related Information

In addition to this document, additional information about the HP-UX AAA server can be found in the Internet and Security Solutions collection under AAA Server (RADIUS) at:
http://www.docs.hp.com/en/internet.html#AAA%20Server%20%28RADIUS%29

HP Encourages Your Comments

HP encourages your comments concerning this document. We are committed to providing documentation that meets your needs.
Send your comments to: netinfo_feedback@cup.hp.com
Include the document title, manufacturing part number, and any comment, error found, or suggestion for improvement you have concerning this document.

Part I Introduction

This part of the HP-UX AAA Server Administrator’s Guide contains the following chapters:
Chapter 1: “Overview: The HP-UX AAA Server” (page 30)
Chapter 2: “Upgrading to Version A.07.01” (page 45)
Chapter 3: “Installing and Securing the HP-UX AAA Server” (page 49)
Chapter 4: “Enabling the HP-UX AAA Server for GUI-based Administration” (page 62)
Table of Contents
1 Overview: The HP-UX AAA Server .............................................................................................30
RADIUS Topology .............................................................................................................31
Establishing a RADIUS Session
Product Structure
HP-UX AAA Server Daemon, Libraries, and Utilities
HP-UX AAA Server Manager Program
Documentation
HP-UX AAA Server Architecture
Configuration Files
AATV Plug-Ins
The Software Engine: Finite State Machine
HP-UX AAA Server Commands, Utilities and Daemons
Handling an Access Request
Authentication to Verify the Client and User
Authorization to Control Sessions and Access to Services
Authorization Steps
Session Logs For Accounting
IPv6 Support for External Services
2 Upgrading to Version A.07.01
The HP-UX AAA Server Upgrade Process
Upgrading from Versions A.07.00, A.06.02, or A.06.01 to Version A.07.01
Upgrading from Version A.06.00.x to Version A.07.01
Upgrading from Version A.05.x to Version A.07.01
Merging the Dictionary File
Merging the radius.fsm File
Merging the vendors File
3 Installing and Securing the HP-UX AAA Server
Acquiring the HP-UX AAA Server Software
Installing and Uninstalling the HP-UX AAA Server
To Install the HP-UX AAA Server
To Uninstall the HP-UX AAA Server Software
HP-UX AAA Server File Locations
Securing the HP-UX AAA Server
Changing the Default HP-UX AAA Server Settings
Changing the Default Tomcat User Name and Password
Changing the Default RMI Objects Secret
Changing the Default test_user Settings
Changing the Default localhost Proxy Settings
Environment Specific Security Procedures
Using Secure Socket Layer (SSL) for Secured Remote Server Manager Administration
Creating a Tomcat Identity Specifically for the HP-UX AAA Server
Running the HP-UX AAA Server on Hosts with System Hardening Software
Running the HP-UX AAA Server as a Non-Root User
Setting Up the HP-UX AAA Server to Start as Non-Root User After Reboot
4 Enabling the HP-UX AAA Server for GUI-based Administration
Accessing the Server Manager
Starting and Stopping the RMI Objects
Starting and Stopping Tomcat
Testing the Installation
To Test the Installation
Starting AAA Servers Using Server Manager
AAA Server Start Options
Server Manager’s Reload Feature
Starting AAA Servers From the Command Line
Configuring the HP-UX AAA Server to Start Automatically Upon System Reboot
Stopping or Restarting HP-UX AAA Servers
Using Server Manager
From the Command Line
Adding an HP-UX AAA Server to Your Network

1 Overview: The HP-UX AAA Server

The Remote Authentication Dial In User Service (RADIUS) protocol defines a standard for information exchange between a network device or software application and an authentication, authorization, and accounting (AAA) server to manage and track user access to network services.
A RADIUS AAA server provides authentication (verifying user credentials), authorization (supplying provisioning information for the user), and accounting (storage of usage information into accounting logs) services to devices and software applications (AAA clients) that support the IETF RADIUS standards.
The AAA or RADIUS client is the access device or application that acts as an enforcement point to control access to a resource. The user device or application requesting access to the resource is referred to as the supplicant.