About This Document
This document provides an overview of the HP-UX AAA Server and describes how to
configure, administer, and troubleshoot the product. This document does not cover
installing the product.
The document printing date and part number on the cover indicate the document’s
current edition. The printing date and part number changes when a new edition is
printed. Minor changes can be made at reprint without changing the printing date.
The document part number will change when extensive changes are made.
Document updates may be issued between editions to correct errors or document
product changes. To ensure that you receive the updated or new editions, subscribe to
the appropriate product support service. Contact your HP sales representative for
details.
The latest version of this document is available at:
This document is intended for HP-UX AAA Server administrators who understand
the HP-UX operating system.
New and Changed Information in This Edition
The following additions and changes have been made for this edition:
• Includes a new chapter called “OATH Standards-Based OTP Authentication” that
describes OATH standards-based authentication and procedures for configuring
OATH standards-based OTP and two-factor authentication.
• Includes a new section called “Administering Users and Tokens Stored in an SQL
Database” that describes how to use the User Database Administration tool to
manage users and tokens stored in an SQL database.
• Includes a new chapter called “Customizing the HP-UX AAA Server Using Policies”
that describes the advanced policy syntax for decision files.
• Includes a new chapter called “Customizing the HP-UX AAA Server Using the
SDK” that describes how to use the SDK to customize the HP-UX AAA Server.
Additionally, Appendix D (page 430) describes the new header files and APIs
included in the SDK.
Other minor changes have been made through the document, as required.
Document Organization
The HP-UX AAA Server A.07.01 Administrator's Guide is organized as follows:
• Part I — Introduction provides general information about the HP-UX AAA Server
product and the RADIUS protocol. It also describes how to secure your HP-UX
AAA Server installation.
• Part II — Configuring the HP-UX AAA Server Manager Using the Server Manager
GUI describes how to use the Server Manager to administer your AAA
environment.
• Part III — Advanced Configuration Information provides information on advanced
topics, such as securing LAN access using EAP, session management, assigning
IP addresses, and configuring OTP and two-factor authentication.
• Part IV — Integrating the HP-UX AAA Server With External Services describes
how to integrate the HP-UX AAA Server with external services such as Lightweight
Directory Access Protocol (LDAP), SQL Access, Oracle, Dynamic Host
Configuration Protocol (DHCP), Simple Network Management Protocol (SNMP),
and Virtual Private Network (VPN).
• Part V — Customizing the HP-UX AAA Server describes how to customize the
HP-UX AAA Server to meet various deployment scenarios.
• Part VI — Troubleshooting provides guidelines and error messages to help
troubleshoot issues with the HP-UX AAA Server.
• Part V — Reference provides information to supplement the task-based information
in the previous parts of the document. Use the information in this section to learn
more about non-task-based topics such as configuration files and attribute-value
pairs.
• Appendix A (page 424) lists all the RFCs that are supported by the HP-UX AAA
Server.
• Appendix B (page 426) lists and describes all the authentication methods that are
supported by the HP-UX AAA Server.
• Appendix C (page 428) provides information about the RADIUS data packet format.
• Appendix D (page 430) lists and describes all the header files, data structures, and
APIs included in the HP-UX AAA Server SDK.
• Appendix E (page 445) discusses the syntax of decision files that are supported by
previous versions of the HP-UX AAA Server.
Publishing History
The following table shows the printing history of this document. The first entry in the
table corresponds to the current edition, and previous editions are listed in reverse
chronological order.
Table 1 HP-UX AAA Server Administrator’s Guide Printing History
Document Part Number | Document Release | Date (month/year)
Typographic Conventions
This document uses the following typographical conventions:
audit(5)
    An HP-UX manpage. In this example, audit is the name and 5 is the
    section in the HP-UX Reference. On the web and on the Instant
    Information CD, it may be a link to the manpage itself. From the
    HP-UX command line, you can enter “man audit” or “man 5 audit” to
    view the manpage. See man(1).
Book Title
    The title of a book. On the web and on the Instant Information CD,
    it may be a link to the book itself.
KeyCap
    The name of a keyboard key. Note that Return and Enter both refer
    to the same key.
Emphasis
    Text that is emphasized.
Emphasis
    Text that is strongly emphasized.
Term
    The defined use of an important word or phrase.
ComputerOut
    Text displayed by the computer.
UserInput
    Commands and other text that you type.
Command
    A command name or qualified command phrase.
Variable
    The name of a variable that you may replace in a command or
    function or information in a display that represents several possible
    values.
[ ]
    The contents are optional in formats and command descriptions. If
    the contents are a list separated by |, you can choose one of the items.
{ }
    The contents are required in formats and command descriptions. If
    the contents are a list separated by |, you can choose one of the items.
...
    The preceding element can be repeated an arbitrary number of times.
|
    Separates items in a list of choices.
HP-UX Release Name and Release Identifier
Each HP-UX 11i release has an associated release name and release identifier. The
uname(1) command with the -r option returns the release identifier. The following
table lists the releases available for HP-UX 11i.
Table 2 HP-UX 11i Releases
Related Information
In addition to this document, additional information about the HP-UX AAA server
can be found in the Internet and Security Solutions collection under AAA Server (RADIUS)
at:
1 Overview: The HP-UX AAA Server
The Remote Authentication Dial In User Service (RADIUS) protocol defines a standard
for information exchange between a network device or software application and an
authentication, authorization, and accounting (AAA) server to manage and track user
access to network services.
A RADIUS AAA server provides authentication (verifying user credentials),
authorization (supplying provisioning information for the user), and accounting (storage
of usage information into accounting logs) services to devices and software applications
(AAA clients) that support the IETF RADIUS standards.
The AAA or RADIUS client is the access device or application that acts as an enforcement
point to control access to a resource. The user device itself or application requesting
access to the resource is referred to as the supplicant.
RADIUS Topology
The RADIUS protocol follows the client-server architecture. The client sends user
information to the AAA server using Access-Request or Accounting-Request messages.
The AAA server processes the request locally, or, if acting as a proxy server, forwards
(proxies) the request to a secondary RADIUS server.
When processing a RADIUS request locally, the AAA server can utilize additional
external services (LDAP, external database access, DHCP, and so on) to service the
request.
The processing of RADIUS requests is usually configured on a per-realm basis. A realm
is a group of users sharing a common component in the Network Access Identifier
(NAI) attribute in the RADIUS request (for example, "example.org" is the realm
component for "username@example.org").
In Figure 1-1 (page 32), a sample Internet Service Provider (ISP) uses four AAA servers
to handle user requests. User organizations are grouped into realms. Each user connects
to one of the ISP's servers through a local Network Access Server (NAS). The NAS
sends a RADIUS Access-Request containing the user's credentials to one of the AAA
servers. In turn, the AAA server accesses user and policy information from the repository
specified for the user's realm. The repository can be in flat text files associated with the
AAA Server, an external database or LDAP Server, or an HP-UX Unix user repository.
When authenticating users stored in replicated LDAP directory servers or databases,
the server can be configured to perform load balancing and failover to achieve greater
scalability and availability.
Figure 1-1 Typical AAA Network Topology
Establishing a RADIUS Session
A RADIUS session tracks the life of a user session through a series of message exchanges.
RADIUS sessions are used to limit simultaneous access to a resource for users who
share the same credential, and to manage the allocation and release of IP addresses
acquired on behalf of the user by the AAA server. Figure 1-2 (page 33) illustrates the
transaction between a RADIUS AAA server and a client:
Figure 1-2 Client-Server RADIUS Transaction
When the user's device connects to the client, the client sends a RADIUS Access-Request
to the AAA server. When the server receives the request, it validates the sending client.
If the client is permitted to send requests to the server, the server then takes information
from the Access-Request and attempts to match the request to a user profile. If all
conditions are met, the server sends an Access-Accept packet to the client; otherwise,
the server sends an Access-Reject packet. An Access-Accept data packet often includes
authorization information that specifies the services the user can access and other
session information, such as a timeout value that indicates when the user must be
disconnected from the system.
When the client receives an Access-Accept packet, it generates an Accounting-Request
to start the session and sends the request to the server. The Accounting-Request data
packet describes the type of service being delivered and the user of the service. The
server then responds with an Accounting-Response to acknowledge that the request
was successfully received and recorded. The user's session ends when the client
generates an Accounting-Request, triggered by the user, the client, or an
interruption in service, to stop the session. The server acknowledges the
Accounting-Request with an Accounting-Response.
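The exchange in Figure 1-2, carried through on both sides as an added example (not code from the HP-UX AAA Server or this guide). The client address, shared secret and user profile are constructed stand-ins for the clients and users files; the packet layout and authenticator rules follow RFC 2865 and RFC 2866, and the server discards requests from clients it does not recognise, as described above:

```python
# Added example, not code from the HP-UX AAA Server or this guide: a self-contained model
# of the Figure 1-2 exchange using the RFC 2865/2866 packet layout and authenticator rules.
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE = 4, 5
USER_NAME, USER_PASSWORD, SESSION_TIMEOUT, ACCT_STATUS_TYPE = 1, 2, 27, 40
ACCT_START, ACCT_STOP = 1, 2

# Constructed stand-ins for the clients file (NAS address -> shared secret) and the
# users file (a password check item and a Session-Timeout reply item).
CLIENTS = {"192.0.2.10": b"s3cret"}
USERS = {b"guest@example.org": {"password": b"public", "Session-Timeout": 3600}}


def encode_attrs(attrs):
    """Serialise (type, value) pairs as RADIUS TLVs: Type(1) Length(1) Value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(blob):
    attrs = []
    while blob:
        typ, length = struct.unpack("!BB", blob[:2])
        attrs.append((typ, blob[2:length]))
        blob = blob[length:]
    return attrs


def header(code, ident, attr_bytes):
    return struct.pack("!BBH", code, ident, 20 + len(attr_bytes))


def response_authenticator(hdr, request_auth, attr_bytes, secret):
    """RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(hdr + request_auth + attr_bytes + secret).digest()


def xor_password(data, secret, request_auth, hidden):
    """RFC 2865 5.2 User-Password hiding (hidden=False) or recovery (hidden=True)."""
    data = data + b"\x00" * (-len(data) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()  # chained on the previous cipher block
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], key))
        out += block
        prev = data[i:i + 16] if hidden else block
    return out.rstrip(b"\x00") if hidden else out


def server_handle(src_ip, packet):
    """Server side: validate the sending client, then answer the request."""
    secret = CLIENTS.get(src_ip)
    if secret is None:
        return None  # not a registered client: the request is silently discarded
    code, ident, length = struct.unpack("!BBH", packet[:4])
    request_auth, attr_bytes = packet[4:20], packet[20:length]
    attrs = dict(decode_attrs(attr_bytes))
    if code == ACCESS_REQUEST:
        profile = USERS.get(attrs.get(USER_NAME))
        password = xor_password(attrs.get(USER_PASSWORD, b""), secret, request_auth, True)
        if profile and password == profile["password"]:
            reply_code = ACCESS_ACCEPT
            reply = [(SESSION_TIMEOUT, struct.pack("!I", profile["Session-Timeout"]))]
        else:
            reply_code, reply = ACCESS_REJECT, []
    elif code == ACCOUNTING_REQUEST:
        # RFC 2866: request authenticator = MD5(packet with 16 zero octets + secret)
        expected = hashlib.md5(packet[:4] + b"\x00" * 16 + attr_bytes + secret).digest()
        if expected != request_auth:
            return None  # wrong secret or tampered packet: discard
        reply_code, reply = ACCOUNTING_RESPONSE, []
    else:
        return None
    reply_bytes = encode_attrs(reply)
    hdr = header(reply_code, ident, reply_bytes)
    return hdr + response_authenticator(hdr, request_auth, reply_bytes, secret) + reply_bytes


def client_verify(reply, request_auth, secret):
    """Client side: accept a reply only if its Response Authenticator checks out."""
    if reply is None:
        return None
    length = struct.unpack("!H", reply[2:4])[0]
    expected = response_authenticator(reply[:4], request_auth, reply[20:length], secret)
    return reply[0] if expected == reply[4:20] else None


def run_session(nas_ip, secret, username, password):
    """Drive the whole exchange; return the reply codes the client accepted."""
    req_auth = os.urandom(16)
    attrs = encode_attrs([(USER_NAME, username),
                          (USER_PASSWORD, xor_password(password, secret, req_auth, False))])
    hdr = header(ACCESS_REQUEST, 1, attrs)
    seen = [client_verify(server_handle(nas_ip, hdr + req_auth + attrs), req_auth, secret)]
    if seen[0] != ACCESS_ACCEPT:
        return seen  # Access-Reject or no usable reply: no accounting session starts
    for ident, status in ((2, ACCT_START), (3, ACCT_STOP)):
        attrs = encode_attrs([(USER_NAME, username),
                              (ACCT_STATUS_TYPE, struct.pack("!I", status))])
        hdr = header(ACCOUNTING_REQUEST, ident, attrs)
        acct_auth = hashlib.md5(hdr + b"\x00" * 16 + attrs + secret).digest()
        seen.append(client_verify(server_handle(nas_ip, hdr + acct_auth + attrs), acct_auth, secret))
    return seen
```

A successful run returns the codes [2, 5, 5] (Access-Accept, then two Accounting-Responses); a mismatched shared secret leaves the client with no verifiable reply at all, which is why the secret must match on both sides before anything else is debugged.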
Product Structure
The HP-UX AAA Server is based on the client-server architecture. The HP-UX AAA
Server consists of the following components:
• HP-UX AAA Server daemon, libraries, and utilities
• The AAA Server Manager program that performs administration and configuration
tasks from a web browser for one or more AAA servers
• Documentation (Administrator’s Guide, READMEs, and the Secure LAN Advisor
help system)
NOTE: To secure the communication between the Server Manager and HP-UX AAA
Server, install the Server Manager and the HP-UX AAA Server in a secure network.
HP-UX AAA Server Daemon, Libraries, and Utilities
The server daemon, libraries, and utilities perform the authentication, authorization,
and accounting functions while processing requests. The HP-UX AAA Server also
includes the AAA RMI objects. The RMI objects provide communication between the
HP-UX AAA Server and the HP-UX Tomcat-based Servlet Engine which hosts the
HP-UX AAA Server Manager.
HP-UX AAA Server Manager Program
The HP-UX AAA Server Manager utilizes the HP-UX Tomcat-based Servlet Engine to
provide a configuration interface between a web browser and one or more HP-UX
AAA Servers. The Server Manager is used for configuring and managing the servers.
In addition, the Server Manager can retrieve logged server sessions and accounting
information for an administrator. By specifying a set of HP-UX AAA Servers, the Server
Manager can be used to manage a group of HP-UX AAA Servers with a common
configuration.
Documentation
The following documentation is accessible through the Server Manager:
• Context-sensitive help on the Server Manager's buttons and options
• A Secure LAN Advisor help system to guide you through securing your Wireless
Local Area Networks (WLANs) with the HP-UX AAA Server. The Secure LAN
Advisor provides information only; it does not edit configuration files
• The HP-UX AAA Server Administrator's Guide in .pdf format. Use this document
for step-by-step instructions on configuring the HP-UX AAA Server.
IMPORTANT: For the most recent product documentation, see http://www.docs.hp.com.
HP-UX AAA Server Architecture
The HP-UX AAA Server architecture consists of the following components:
• Configuration files. Files to provide the information necessary for the server to
perform authentication, authorization, and accounting requests for your system.
In most cases, these files can be modified by using the Server Manager.
• AATV plug-ins. Dynamically loaded libraries that perform discrete actions, such
as initiating an authentication request, replying to an authentication request, or
logging an accounting record.
• The radiusd software engine, which includes the Finite State Machine (FSM) and
associated routines. At server startup, the FSM reads instructions from the state
table in the /etc/opt/aaa/radius.fsm configuration file. The state table
outlines what AATV actions to call and what order to call them in.
When the server is initialized, it loads and initializes the AATV plug-ins. It also reads
the configuration files to initialize the data required for the actions to execute according
to the application's requirements.
Figure 1-3 illustrates the general process of server initialization and response to an
authentication request.
Figure 1-3 Authentication Process
Configuration Files
For detailed information on the server configuration files, see Chapter 31: “Configuration
Files” (page 374).
AATV Plug-Ins
An AATV plug-in defines the actions that perform a variety of functions, including
authenticating requests, authorization, and logging. Built-in actions support
authentication of users using information from several different repositories, and
accounting requests using several different policies and storage formats.
For more information on these built-in actions, see “Actions” (page 276).
The Software Engine: Finite State Machine
The Finite State Machine (FSM) controls the step-by-step process that the server follows
to process and respond to an authentication request. You can configure the FSM to
customize your server configuration without programming software modules. For
more information on the Finite State Machine, see Chapter 24: “Customizing the HP-UX
AAA Server Using the Finite State Machine” (page 270).
HP-UX AAA Server Commands, Utilities and Daemons
Table 1-1 provides an overview of the HP-UX AAA Server commands, utilities, and
daemons.
Table 1-1 Commands, Utilities, and Daemons
Command    Description
radcheck   Sends RADIUS status and protocol requests to an AAA server and displays the
           replies. Receiving the reply confirms that the HP-UX AAA Server is operational.
           The radcheck utility can be invoked on any host by any user. However, the
           HP-UX AAA Server returns more information to registered clients.
raddbginc  Sets the debug logging level for a running HP-UX AAA Server. Turn debugging
           on and off, or set the level of output, while the AAA Server is running.
radsignal  Rolls over the server log file and accounting stream while the AAA Server is
           running.
radiusd    RADIUS server daemon. Services user authentication and accounting requests
           from RADIUS clients. Authentication and accounting requests are transmitted
           to the radiusd daemon in the form of UDP packets that conform to the RADIUS
           protocol. The radiusd daemon can be started from the Server Manager, the
           command line, or at boot time using the /etc/rc.config.d/radiusd.conf file.
radpwtst   RADIUS client utility that can process commands to send requests to and check
           responses from a RADIUS server.
db_srv     Deprecated. Performs Oracle database access operations for authentication on
           behalf of one or more remote HP-UX AAA Servers.
Handling an Access Request
When the HP-UX AAA server receives a RADIUS message, it calls the FSM and defines
a starting event according to the type of message. This event is stored in the
Interlink-Proxy-Action attribute. In the default FSM, the first action for all
requests is request-ingress POLICY. If this POLICY is executed successfully, the next
action is determined by the event stored in Interlink-Proxy-Action. By default,
for an Access-Request this action is iaaaUsers. Figure 1-4 (page 38) shows how the
FSM actions interact to process the Access-Request for authentication and authorization.
Figure 1-4 Default Action Sequence
Authentication to Verify the Client and User
The authentication of an access request has a number of distinctive steps, as shown in
Figure 1-5 (page 39). The rounded rectangles represent configuration files that the
HP-UX AAA Server uses and the ovals represent one or more authentication types.
Figure 1-5 Authentication Steps
Authentication Steps
The following are the authentication steps followed by the HP-UX AAA Server:
1. After the HP-UX AAA server receives an Access-Request, it attempts to match the
client making the request to an entry in the clients file. The server attempts to
authenticate a request only if a match can be made.
2. The iaaaUsers action checks the local users file. In this step, the User-Name
attribute value from the Access-Request is used to find an entry for the user in the
/etc/opt/aaa/users file.
• If User-Name matches an entry, the server retrieves that profile and then
authentication moves to step 5.
• If User-Name does not match an entry, authentication moves to step 3.
3. If the iaaaUsers action does not find a matching user profile in the users file,
the FSM calls the iaaaRealm action. The iaaaRealm action parses the User-Name
attribute value for a realm name, and searches authfile to determine the data
store where the user profiles for the parsed realm are located. A default entry can
be used to handle any realms that are not explicitly configured in authfile.
NOTE: If no realm is specified in the NAI, the server assigns the value NULL for
the realm. You can configure NULL realm behavior in the same manner as named
realms.
4. The iaaaRealm action calls another action that attempts to retrieve a matching
user profile from the data store for the realm, as indicated by authfile:
• A realm-specific AAA users file;
• An external data store, such as LDAP or a database;
• A Unix user profile service via the getpwent() system call.
If the realm is defined as a proxy, the RADIUS request is forwarded to the target
RADIUS server defined for this realm.
5. The user is authenticated according to the protocol established by the
Access-Request. If a password-based protocol (PAP, CHAP, MSCHAP) is specified,
the user's password is verified. If an EAP method is used, mutual authentication
is carried out according to the EAP type (PEAP, TLS, TTLS, or LEAP).
If User-Name matches no entry, either in a local text file or an external data source, the
authentication fails.
Authorization to Control Sessions and Access to Services
The HP-UX AAA server can authorize users using one of the following methods:
•Provisioning on a user-by-user basis with check items and by adding reply items
to an Access-Accept message (simple policy)
•Through Local Authorization Server (LAS) functions based on realms
•Through stored policy decisions based on other logical groups that can add check
and reply items to the request
Like authentication, the authorization of an access request has a number of distinctive
steps, as shown in Figure 1-6 (page 41). The rounded rectangles represent configuration
files and the ovals represent one or more actions called by the FSM.
Figure 1-6 Authorization Steps
Authorization Steps
1. The server receives the Access-Request.
2. The server evaluates the request-ingress policy. This is the first step in the FSM,
before the request is dispatched for processing. The request-ingress policy can be
used to alter the request in one of the following ways:
• A-V pairs may be added, changed, or removed.
• The request classification may be altered.
• The request may be rejected immediately.
• The request may be dropped entirely, and no reply is sent.
If the request-ingress policy is evaluated successfully, the HP-UX AAA Server
continues with the authorization process.
3. If a request is being proxied, then the HP-UX AAA Server evaluates the
proxy-egress and proxy-ingress policies. The HP-UX AAA Server applies the
proxy-egress policy before the RADIUS proxy request message is created and sent.
The proxy-ingress policy is applied after the proxy response is received. Table 1-2
discusses how these policies are used to alter requests.
Table 1-2 How Requests are Altered Using the proxy-egress and proxy-ingress
Policies
Use of the proxy-egress Policy
• A-V pairs can be added, modified, or removed.
• The request may be rejected immediately.
• The request may be dropped entirely and no reply is sent.
• The proxy target host may be changed.
Use of the proxy-ingress Policy
• A-V pairs can be added, modified, or removed.
• The reply type may be altered.
• The request may be dropped entirely and no reply is sent.
• The request may be rejected immediately.
4. Check Items. After authentication, each check item in the user profile is processed
or matched against the request's corresponding Attribute-Value (A-V) pairs.
• If all the check and deny items associated with User-Name are satisfied, the
CHK_DNY action returns an ACK value to the FSM.
• If any check or deny item, including the user's password, is not matched
correctly, the authentication module returns a NAK value to the FSM. The
request fails, and an Access-Reject message is returned to the client.
5. User Policy. All requests are subjected to user policy after authentication. The user
policy is applied only after successful authentication. A user policy can be specified
in a Policy-Pointer attribute on the request as either a check item or a reply item.
If the Policy-Pointer attribute is found in the check items, then the HP-UX AAA
Server does not look for one in the reply items. The value of the Policy-Pointer
attribute should specify the URL for the decision file to be evaluated. If a request
contains a Policy-Pointer attribute, as either a check item or a reply item, the
specified policy is applied. If the request does not contain a Policy-Pointer, then
no user policy is applied. In this case the POLICY action returns an ACK event to
the FSM.
Some policies that can be implemented include:
• Dialed Number Identification Service (DNIS): routing requests according to
the number called from or called;
• Grouping users by NAS addresses or ports;
• Controlling session duration, concurrent usage, or delivered services by logical
groupings defined by the contents of specified A-V pairs;
• Controlling access according to any time-based criteria.
6. Local Authorization Server (LAS). The LAS refers to the routines and code in the
server that handle authorization. LAS and POSTLAS actions are part of the LAS.
Session control with LAS is based on realms. Local session tracking must be
explicitly enabled for a realm via the Server Manager or the /etc/opt/aaa/las.conf
file. If the realm is not listed, LAS does not enforce any session control
for users from that realm. When the LAS handles an Access-Request for a user in
a local realm configured in the las.conf file, the LAS module performs the
following actions:
• Checks the user profile for a Simultaneous-Session attribute-value pair, which
determines the maximum number of active sessions the user can have. The default
value is 1.
• Authorizes or denies service based on Service-Class.
The POSTLAS action performs Simultaneous Access Token (SAT) control, which
is used to implement realm-based simultaneous session control.
NOTE: HP recommends that you do not enable local session tracking for any realms
utilizing session management via SQL Access.
7. Reply items refer to the generation of an Access-Accept or Access-Reject message
by the ReplyPrep action. By adding reply items to a user's profile or through
policy decisions, ReplyPrep can provide a NAS with provisioning information
in an Access-Accept data packet. Depending on the capabilities of the NAS, the
reply items can be used to control a user's session. For example, the following user
entry limits the length of the session and the hosts that can be accessed:
Users can authenticate as guest@example.org using password public to
connect for one hour (3600 seconds) to the library hosts that the filter library
allows.
The ReplyPrep action also checks for a Service-Type value, equates the value
with user entries, and then appends reply items to the request accordingly. The
attribute values for these items specify the default values to use when configuring
the connection specified by Service-Type. The special user entries are not used for
authentication; the reply items for one of these entries are appended to a request
from any user requesting the corresponding service type. If duplicate A-V pairs
exist, pruning is applied to determine the A-V pair that must be included in the
Access-Accept or Access-Reject message.
8. The HP-UX AAA Server evaluates the reply-egress policy just before the RADIUS
reply message is created and sent. The reply-egress policy can be used to alter the
request in one of the following ways:
• A-V pairs may be added, modified, or removed
• The reply type may be modified
• The request may be dropped entirely and no reply is sent.
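A model of the authentication steps (Figure 1-5) together with the check-item, LAS and ReplyPrep steps of the authorization sequence (Figure 1-6), as an added example that is not the product's own code. The clients, users, authfile and las.conf contents are constructed stand-ins, the trace strings are names chosen here to mirror the actions named in the text, and the guest@example.org profile carries the reply items described under step 7:

```python
# Added example, not the HP-UX AAA Server's code: a model of the request flow in
# Figures 1-5 and 1-6 (client match, iaaaUsers, iaaaRealm with NULL/DEFAULT realms,
# CHK_DNY check items, LAS Simultaneous-Session, ReplyPrep reply items). All tables
# below are constructed stand-ins for the clients, users, authfile and las.conf files.

CLIENTS = {"192.0.2.10"}                         # addresses allowed to send requests
USERS = {                                        # local /etc/opt/aaa/users stand-in
    "alice": {"password": "wonderland",
              "check": {"NAS-Port-Type": "Async"},
              "reply": {"Session-Timeout": 3600}},
}
AUTHFILE = {                                     # realm -> where its profiles live
    "example.org": {"store": "ldap", "users": {
        "guest@example.org": {"password": "public", "check": {},
                              "reply": {"Filter-Id": "library", "Session-Timeout": 3600}}}},
    "partner.net": {"store": "proxy", "target": "radius.partner.net"},
    "NULL": {"store": "unix", "users": {
        "bob": {"password": "sesame", "check": {}, "reply": {}, "Simultaneous-Session": 2}}},
    "DEFAULT": {"store": "file", "users": {}},
}
LAS_REALMS = {"NULL", "example.org"}             # realms with local session tracking on
ACTIVE_SESSIONS = {"bob": 1, "guest@example.org": 1}   # constructed current session counts


def parse_realm(user_name):
    """Realm component of the NAI: 'user@example.org' -> 'example.org'; none -> 'NULL'."""
    return user_name.rsplit("@", 1)[1] if "@" in user_name else "NULL"


def find_profile(user_name, trace):
    """Steps 2-4: local users file first, then the realm's data store via authfile."""
    profile = USERS.get(user_name)
    if profile is not None:
        trace.append("iaaaUsers:hit")
        return "LOCAL", profile
    trace.append("iaaaUsers:miss")
    realm = parse_realm(user_name)
    entry = AUTHFILE.get(realm) or AUTHFILE["DEFAULT"]   # DEFAULT covers unlisted realms
    trace.append(f"iaaaRealm:{realm}->{entry['store']}")
    if entry["store"] == "proxy":
        return "PROXY", entry["target"]          # forwarded; no local authentication
    return "LOCAL", entry["users"].get(user_name)


def chk_dny(profile, request):
    """Check items, the password included, must all match the request's A-V pairs."""
    if request.get("User-Password") != profile["password"]:
        return "NAK"
    if any(request.get(attr) != value for attr, value in profile["check"].items()):
        return "NAK"
    return "ACK"


def las(user_name, profile):
    """LAS: enforce Simultaneous-Session (default 1) only for realms listed in las.conf."""
    if parse_realm(user_name) not in LAS_REALMS:
        return "ACK"                             # realm not tracked: no session control
    limit = profile.get("Simultaneous-Session", 1)
    return "ACK" if ACTIVE_SESSIONS.get(user_name, 0) < limit else "NAK"


def handle_access_request(src_ip, request):
    """Return (reply, reply_items, trace). reply is Access-Accept, Access-Reject,
    PROXY:<target>, or DISCARD when the client is not in the clients file."""
    trace = []
    if src_ip not in CLIENTS:                    # step 1: unknown client, not processed
        return "DISCARD", {}, ["client:unknown"]
    kind, found = find_profile(request["User-Name"], trace)
    if kind == "PROXY":
        return "PROXY:" + found, {}, trace
    if found is None:
        return "Access-Reject", {}, trace + ["profile:none"]
    event = chk_dny(found, request)              # step 5 plus the check items
    trace.append(f"CHK_DNY:{event}")
    if event == "NAK":
        return "Access-Reject", {}, trace
    event = las(request["User-Name"], found)
    trace.append(f"LAS:{event}")
    if event == "NAK":
        return "Access-Reject", {}, trace
    return "Access-Accept", dict(found["reply"]), trace + ["ReplyPrep"]
```

The trace returned with each decision is the list of actions taken in order, which is what you compare against the server log when a user is rejected for a reason that is not a bad password (a failed check item, or the Simultaneous-Session limit reached).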
Session Logs For Accounting
During operation, the HP-UX AAA Server processes information received in an
Accounting-Request from the client. By default, session logging information is written
to a file following a predefined format, such as Merit or Livingston. You can modify
how and where the server generates the logs by editing the log.config file. You can
also schedule logging by editing the FSM. In addition, modifying the FSM and
configuring SQL Access enables you to use a database to store session log information.
For more information, see Chapter 18: “SQL Access” (page 207).
IPv6 Support for External Services
The HP-UX AAA Server can be configured to use IPv6 addresses and support IPv6
attributes for most of the protocols and services it supports. The HP-UX AAA Server
currently supports only IPv4 for the following services:
•Dynamic user IP address assignment using DHCP
•Access to Oracle servers via the Oracle authentication module
•Access to RSA SecurID servers
IMPORTANT: The HP-UX AAA Server supports the use of RADIUS IPv6 attributes
with HP-UX 11i v1 (and subsequent releases). RADIUS communication over IPv6
transports is supported with HP-UX 11i v2 (and subsequent releases).
2 Upgrading to Version A.07.01
This chapter explains how to upgrade to the HP-UX AAA Server A.07.01 from previous
versions.
The HP-UX AAA Server Upgrade Process
The following process describes the HP-UX AAA Server A.07.01 product installation
on a system where a previous version of the HP-UX AAA server is currently installed:
1. The contents of the existing configuration in /etc/opt/aaa/ are copied to
/etc/opt/aaa.old/. If any files with the same names exist in /etc/opt/aaa.old/,
they will be overwritten.
2. The old product binaries are removed and new product binaries are installed.
3. Old unmodified configuration files are replaced with the new default configuration
files in /etc/opt/aaa/.
4. Backup copies of the default A.07.01 files are installed in
/opt/aaa/newconfig/etc/opt/aaa/ for your reference.
5. Generally, no additional migration is necessary, except as specified in the following
sections:
• “Upgrading from Versions A.07.00, A.06.02, or A.06.01 to Version A.07.01”
• “Upgrading from Version A.06.00.x to Version A.07.01” (page 46)
• “Upgrading from Version A.05.x to Version A.07.01” (page 48)
NOTE: Contact your HP Support representative if you are upgrading from version
A.05.x and require assistance.
Upgrading from Versions A.07.00, A.06.02, or A.06.01 to Version A.07.01
No migration is required. If you have modified /etc/opt/aaa/dictionary, and
want to use SQL Access, OTP authentication, or use pre-defined policy hooks in the
FSM, merge the dictionary file. For information on merging the dictionary file, see
“Merging the Dictionary File” (page 48).
If you have modified the radius.fsm file, and you want to use OTP authentication
or use pre-defined policy hooks in the FSM, merge the radius.fsm file. For information
on merging the radius.fsm file, see “Merging the radius.fsm File” (page 48).
If you have configured realms with LDAP as the back end, and you want to enable CIS
search, then you must specify the Filter-Type in the realm configuration in the
authfile as follows:
Additions have been made to the vendors file in this version of the HP-UX AAA
Server. If you have modified the vendors file, you must merge the vendors file. For
information on merging the vendors file, see “Merging the vendors File” (page 48).
Upgrading from Version A.06.00.x to Version A.07.01
To upgrade the configuration files, complete the following steps:
1. Back up your existing HP-UX AAA Server configuration.
2. Install the HP-UX AAA Server A.07.01 without removing your existing HP-UX
AAA Server software.
3. Copy the following files from /etc/opt/aaa.old/ to /etc/opt/aaa/. You
do not need to modify these files when migrating to A.07.01:
• The clients file
• The las.conf file
• The iaaaAgent.conf file
• The db_srv.opt file
• The engine.config file
• The DAC.grp file and additional policy files
• New or modified certificate files (to be copied from /etc/opt/aaa.old/security/
to /etc/opt/aaa/security/)
4. Update the following A.07.01 files in /etc/opt/aaa/ to include any modifications
you made for your legacy configuration. Perform this step to include your legacy
configuration in the new A.07.01 file format. Refer to the copy of your legacy files
in /etc/opt/aaa.old/ and update the corresponding A.07.01 files listed below:
• The vendors file
• The log.config file
• The radius.fsm file
• The dictionary file
• The aaa.config file
5.Copy your legacy users files from /etc/opt/aaa.old/ to /etc/opt/aaa/
(including the default users file and all files with the .users extension). Update the
users files as follows:
•Remove all DEFAULT, dumbuser, pppuser, and slipuser entries. Remove the
Authentication-Type=Realm and Authentication-Type=File strings from the remaining
user entries. The following is a sample sed command you can modify to remove these
strings:
$ sed -e 's/Authentication-Type[ ]*=[ ]*Realm[ ,]*//g' -e 's/Authentication-Type[ ]*=[ ]*File[ ,]*//g' <users or *.users file name>
6.Use Server Manager to re-configure all of your legacy realm and outbound proxy
entries on A.07.01. Refer to your legacy authfile at /etc/opt/aaa.old/authfile:
•Use Server Manager’s Proxies link to re-configure entries in
/etc/opt/aaa.old/authfile with the following syntax:
realm.com RADIUS <Realm_host_name>
•Use Server Manager’s Local Realms link to re-configure the realm entries as
they appear in /etc/opt/aaa.old/authfile.
7.If you are using a Netscape Directory server, update the RADIUS schema file for
the directory server. Copy /opt/aaa/examples/proldap/55iaaa-radius.ldif to the Netscape Directory server. Stop and restart slapd
after copying the schema file to the Netscape server.
8.If you are using an OpenLDAP server, update the RADIUS schema file for the
directory server. Copy /opt/aaa/examples/proldap/iaaa-radius.ldif
to the OpenLDAP server. Stop and restart slapd after copying the schema file to
the OpenLDAP server.
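The users-file cleanup in step 5, as an added example that is not part of the guide: a POSIX shell function that applies the guide's two sed expressions to a legacy users file, drops the DEFAULT, dumbuser, pppuser and slipuser entries, and trims the trailing comma the sed step leaves behind. The sample file contents and the function names are assumptions for illustration; the code also assumes that an entry starts with the user name at column 0 and that its reply items follow on indented lines.

```shell
#!/bin/sh
# Added example, not from the HP-UX AAA Server guide. Assumes each users-file entry
# starts with the user name at column 0 and its reply items follow on indented lines.

# Write a constructed legacy users file (sample data, not a real configuration).
make_sample_users() {   # make_sample_users <path>
    cat > "$1" <<'EOF'
test_user Password = "password", Authentication-Type = File
    Service-Type = Framed-User,
    Framed-Protocol = PPP

pppuser Password = "ppp", Authentication-Type = File
    Service-Type = Framed-User

DEFAULT Authentication-Type = Realm
    Service-Type = Framed-User

jdoe Authentication-Type = File, Password = "x"
    Service-Type = Login-User
EOF
}

# Print a cleaned copy of the users file on stdout. The original is left untouched
# so the result can be reviewed before it replaces the file under /etc/opt/aaa/.
# Step 1: the guide's two sed expressions strip the Authentication-Type check items.
# Step 2: awk drops the legacy default entries and tidies what the sed step left.
clean_users_file() {   # clean_users_file <path>
    sed -e 's/Authentication-Type[ ]*=[ ]*Realm[ ,]*//g' \
        -e 's/Authentication-Type[ ]*=[ ]*File[ ,]*//g' "$1" |
    awk '
        /^[^ \t]/ {                  # non-indented line: first field is the user name
            sub(/,[ ]*$/, "")        # comma left over when the item was the last one
            drop = ($1 == "DEFAULT" || $1 == "dumbuser" ||
                    $1 == "pppuser" || $1 == "slipuser")
        }
        /^[ \t]*$/ {                 # blank line ends an entry; keep only one in a row
            drop = 0
            if (blank) next
            blank = 1; print; next
        }
        !drop { blank = 0; print }   # reply items share the fate of their entry
    '
}

# Stand-alone demonstration on the constructed sample.
sample=$(mktemp)
make_sample_users "$sample"
clean_users_file "$sample"
rm -f "$sample"
```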
Upgrading from Version A.05.x to Version A.07.01
Contact your HP Support representative if you are upgrading from Version A.05.x to
Version A.07.01 or if you need assistance with your migration.
Merging the Dictionary File
To merge the legacy dictionary file changes to the new A.07.01 dictionary file,
complete the following steps:
1.Copy the new dictionary file from /opt/aaa/newconfig/etc/opt/aaa/ to
/etc/opt/aaa/.
2.Update the /etc/opt/aaa/dictionary file to include any modification you
made for your legacy dictionary file.
Refer to the copy of your legacy dictionary file in /etc/opt/aaa.old/.
Merging the radius.fsm File
To merge the legacy radius.fsm file changes to the new A.07.01 radius.fsm file,
complete the following steps:
1.Copy the new radius.fsm file from /opt/aaa/newconfig/etc/opt/aaa/
to /etc/opt/aaa/.
2.Update the /etc/opt/aaa/radius.fsm file to include any modification you
made for your legacy radius.fsm file.
Refer to the copy of your legacy radius.fsm file in /etc/opt/aaa.old/.
Merging the vendors File
To merge the legacy vendors file changes to the new A.07.01 vendors file, complete
the following steps:
1.Copy the new vendors file from /opt/aaa/newconfig/etc/opt/aaa/ to
/etc/opt/aaa/.
2.Update the /etc/opt/aaa/vendors file to include any modification you made
for your legacy vendors file.
3 Installing and Securing the HP-UX AAA Server
This chapter explains how to acquire, install, and secure the HP-UX AAA Server
product. Always refer to the HP-UX AAA Server Release Notes for important
information specific to each version of the product, including requirements and
dependencies.
Acquiring the HP-UX AAA Server Software
You can get the most recent version of the HP-UX AAA Server product at the HP
Software Depot: http://www.hp.com/go/softwaredepot.
IMPORTANT: Be sure to review the HP-UX AAA Server Release Notes before
installation. The Release Notes list the requirements for each release, including
installation, patch, and browser requirements.
IMPORTANT: Be sure you have the correct versions of the product dependencies
installed. Refer to the HP-UX AAA Server Release Notes.
3.Verify that the patch dependencies are installed. Skip this step if you are installing
the HP-UX AAA Server on an HP-UX 11i v2 or HP-UX 11i v3 operating system.
# swlist -l product | grep aC
Review the patch requirements in the product Release Notes if the following value
is not returned:
HP aC++ -AA runtime libraries (aCC A.03.37)
NOTE: Check the Release Notes for the HP-UX AAA Server version you are
installing to verify patch requirements.
4.Download the AAA Server depot file from http://www.software.hp.com
and move it to /tmp.
5.Verify that you have downloaded the file correctly:
NOTE: These RADIUS values are the server’s defaults and are specified in the
RADIUS RFC 2865.
To Uninstall the HP-UX AAA Server Software
Complete the following steps to uninstall the HP-UX AAA Server:
1.From the navigation tree, click Administration.
2.Verify the AAA server you want to stop is selected in the Server Status Frame.
3.Click Stop to stop the server.
4.From the command line, stop the RMI objects and Tomcat. See “Starting and
Stopping the RMI Objects” (page 62) and “Starting and Stopping Tomcat” (page 62)
for more information.
NOTE: Enter the following command if you have not done it already:
# export JAVA_HOME=/opt/java1.4
5.Check if db_srv is running:
$ ps -ef |grep db_srv
6.If db_srv is running, stop it with the /opt/aaa/bin/stop_db_srv.sh script.
7.Remove all files residing in the /var/opt/aaa/ and
/opt/hpws/tomcat/webapps/aaa/aaalog/ subdirectories.
8.Log out any user who is logged in with the HP-UX AAA Server administrator login “aaa”.
9.As the root user, enter swremove HPUX-AAAServer at the command prompt, or enter
swremove to invoke the standard HP-UX GUI and select the HPUX-AAAServer bundle
for removal. Refer to the swremove manpage for more information on this command.
HP-UX AAA Server File Locations
Although HP-UX AAA Server can be run as root user, HP recommends running it as
a non-root user.
A user and a group, both named aaa, are created during installation. The HP-UX AAA
Server can be run as a non-root user, using the default aaa user created during
installation, or any other user who is part of the aaa group.
IMPORTANT: Do not remove the default login aaa and group aaa created during
installation, even if you prefer not to use them.
Table 3-1 File Locations Upon Installation
File/Directory                       Description
/opt/aaa/aatv                        Server modules and plug-ins
/opt/aaa/bin                         Server daemons and utilities:
                                     • db_srv: Oracle client daemon for the ORACLE
                                       authentication module
                                     • las.test.sh: script to create simulated sessions
                                       for testing
                                     • radcheck: AAA Server test utility (like the ping
                                       command)
                                     • raddbginc: controls server debug output
                                     • radsignal: controls server debug output and rolls
                                       over the server log file and accounting stream
                                     • radiusd: AAA Server executable
                                     • radpwtst: AAA test client utility
                                     • start_db_srv.sh: script to start the Oracle client
                                       daemon
                                     • stop_db_srv.sh: script to stop the Oracle client
                                       daemon
/opt/aaa/examples/config             Finite state machine, sample policy files:
                                     • *.fsm: Sample FSM tables
/opt/aaa/examples/sqlaccess/mysql-1  • sqlaccess-acct.fsm: Sample FSM required to
                                       implement accounting without session management
                                       using SQL Access
                                     • sqlaccess-acct-sess.fsm: Sample FSM required to
                                       implement accounting with session management
                                       using SQL Access
Table 3-2 lists the files generated during operation and located in /var/opt/aaa/ by
default:
Table 3-2 Files Generated During Operation
File/Directory                 Description
/acct/session.yyyy-mm-dd.log   Default session accounting logs, Merit style
/data/session.las              Currently active sessions log file
/ipc/*.sm                      Shared memory files related to the interface used for some
                               authentication types.
                               IMPORTANT: You must not alter or delete the shared memory
                               (*.sm) files. The server does not operate correctly if the
                               files are changed or removed from the ipc directory.
/logs/logfile                  The server log file
/logs/logfile.yyyymmdd         Compressed daily or weekly log files
/radacct/*                     Session accounting logs in Livingston call detail records
                               directory style format (not generated by the default
                               configuration)
/run/radius.pid                Contains the process id (pid) for the server.
Securing the HP-UX AAA Server
Performing the steps in this section increases the security of your HP-UX AAA Server
installation. HP recommends that all customers perform the steps in “Changing the Default
HP-UX AAA Server Settings” (page 55). Perform the steps in “Environment Specific
Security Procedures” (page 56) depending on your environment.
Changing the Default HP-UX AAA Server Settings
The following information explains how to increase the security of your HP-UX AAA
Server by changing some of the default settings. HP recommends that all customers
change the default values.
Changing the Default Tomcat User Name and Password
All Tomcat servers come with the same default user name and password. You must
change the user name and password to unique values.
Complete the following steps to change the Tomcat user name and password:
1.Open /opt/hpws/tomcat/conf/tomcat-users.xml.
2.Look for entries with the roles="tomcat" string. These entries are valid Tomcat
user names and passwords.
3.Modify the file to include only the user name and password you want to use. Use
the following format:
<user username="new user name" password="new password"
roles="tomcat"/>
Changing the Default RMI Objects Secret
HP recommends changing the default RMI Objects secret.
Complete the following steps to change the default RMI objects secret:
4.Open the /opt/aaa/remotecontrol/rmiserver.properties file.
5.Look for the following entry:
rmi.config.secret = "secret"
6.Change the “secret” portion to the same value configured in Step 3.
IMPORTANT: The rmi.config.secret in /opt/aaa/remotecontrol/rmiserver.properties
and in /opt/hpws/tomcat/webapps/aaa/WEB-INF/gui.properties must be identical.
Changing the Default test_user Settings
HP recommends changing the default test_user password. This password can be
changed only after starting the Server Manager. More information on how to change
the default test_user password is provided in “Changing the Default test_user Settings”
(page 115).
Changing the Default localhost Proxy Settings
HP recommends changing the default localhost proxy settings. This setting can be
changed only after starting the Server Manager. More information on how to change
the default localhost proxy settings is provided in “Changing the Default localhost
Proxy Settings” (page 106).
Environment Specific Security Procedures
Depending on your environment needs, you can perform any of the following steps
for additional security:
Using Secure Socket Layer (SSL) for Secured Remote Server Manager Administration
Use the following steps to configure SSL (HTTPS):
1.Generate a certificate for Tomcat to establish the SSL connection. Use the following
steps to create a self-signed certificate with the Java command line keytool utility:
4.Enter a password for the key store when prompted.
5.Enter the certificate information (company, contact name, etc.), when
prompted. This information must be accurate because it is displayed to users
who attempt to administer Server Manager.
6.Enter a password for the key when prompted. Use the same password you
used for the key store.
2.Uncomment the following Connector definition (remove the <!-- and --> lines that
surround it) in /opt/hpws/tomcat/conf/server.xml:
<!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
<!--
<Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
port="8443" minProcessors="5" maxProcessors="75"
enableLookups="true"
acceptCount="10" debug="0" scheme="https" secure="true"
useURIValidationHack="false">
<Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
clientAuth="false" protocol="TLS" />
</Connector>
-->
3.Add the keystorePass attribute to the uncommented field in
/opt/hpws/tomcat/conf/server.xml to establish the key store and key password on
Tomcat. Add the keystorePass attribute as shown in the following:
IMPORTANT: Replace <password> with the password used to generate the
keystore in Step 1.
4.Stop and start Tomcat:
•Stop: /opt/hpws/tomcat/bin/shutdown.sh
•Start: /opt/hpws/tomcat/bin/startup.sh
5.Point your web browser to:
https://<hostname>:8443/aaa
Creating a Tomcat Identity Specifically for the HP-UX AAA Server
If several applications use Tomcat, you can configure Tomcat to have a user name and
password specifically for the AAA Server. All other applications using Tomcat will
have a different user name and password.
Complete the following steps to create a Tomcat identity specifically for your HP-UX
AAA Server:
1.Search for the following line in /opt/hpws/tomcat/conf/server.xml:
2.Open the /opt/hpws/tomcat/conf/aaa-users.xml file.
3.Replace adminaaa with the new user name and password.
4.Enter the following command:
$ export JAVA_HOME=/opt/java1.4
5.Stop Tomcat if it is running:
$ /opt/hpws/tomcat/bin/shutdown.sh
6.Restart Tomcat:
$ /opt/hpws/tomcat/bin/startup.sh
7.Stop the RMI objects if they are running:
$ /opt/aaa/remotecontrol/rmistop.sh
8.Set the shared library path to the OCI client or ODBC driver in the /opt/aaa/
remotecontrol/rmistart.sh script if you are implementing the SQL Access
feature. See the following README files for more information:
•/opt/aaa/examples/sqlaccess/oracle-1/README: for Oracle - OCI
•/opt/aaa/examples/sqlaccess/mysql-1/README: for MySQL - ODBC
See Chapter 18: “SQL Access” (page 207) for more information on the SQL Access
feature.
9.Start the RMI objects:
$ /opt/aaa/remotecontrol/rmistart.sh
10. Point your web browser to:
http://<hostname>:8081/aaa
11. Log in with the new AAA Server-specific user name and password.
Running the HP-UX AAA Server on Hosts with System Hardening Software
If you are setting up the HP-UX AAA Server on a system that is being hardened using
lock-down software such as Bastille, you must ensure that the ports used by the HP-UX
AAA Server are kept open. The following ports must be kept open if you are running
the HP-UX AAA Server:
•Port 1812 (RADIUS authentication port)
•Port 1813 (RADIUS accounting port)
•Port 8081 (port used by the Server Manager. Needed only if this host is going to
run the Server Manager)
•Port 2099 (port used by the RMI server. Needed only if the HP-UX AAA Server
on this host needs to be remotely managed from another host.)
•RMI Server ports listed in Table 3-3. By default, these ports change each time the
RMI objects are started.
NOTE: These ports are default ports. However, you can configure these services to
use other ports.
If the HP-UX AAA Server on the host needs to be remotely managed from another
host, then some additional ports need to be opened. By default, these ports are chosen
randomly and change every time the RMI server is restarted. To make them more
convenient to open, these ports can be fixed in
/opt/aaa/remotecontrol/rmiserver.properties. Table 3-3 lists the ports that need to be
configured and opened for the corresponding remote management functionality required.
Table 3-3 Ports Associated with RMI Objects that must be Configured
Functionality                                         Port
If you are using the administrative functions         • adm.server.port
If you are modifying, loading, or saving the          • conf.server.port
configuration                                         • file.server.port
If you are using maintenance features such as         • stat.server.port
accounting, logging, reporting, getting statistics,   • acct.server.port
or session management                                 • log.server.port
                                                      • sess.server.port
Running the HP-UX AAA Server as a Non-Root User
Some organizations require network server processes to run as a non-root user.
Complete the following steps to run the AAA server as a non-root user:
1.Log in to the system as the root user.
2.Add the user name www to the aaa group.
3.Use the following command to start the RMI objects as the aaa user:
$ su - aaa -c /opt/aaa/remotecontrol/rmistart.sh
4.Use the following command to start Tomcat as the www user:
$ su - www -c "export JAVA_HOME=/opt/java1.4; /opt/hpws/tomcat/bin/startup.sh"
5.Point your web browser to:
http://<hostname>:8081/aaa
NOTE: Any log files created when the HP-UX AAA server was running as the root
user will not be accessible after performing this procedure. To view these log files,
change their ownership to match the UID under which they were created. For more
information, see the chown manpage.
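An added example, not from the guide, for two of the requirements above: that rmi.config.secret is changed from the default and kept identical in rmiserver.properties and gui.properties, and that the RMI object ports from Table 3-3 are pinned in rmiserver.properties before a hardened host opens them. It is a POSIX shell audit of both files, run here against constructed sample files; the function names, the sample values and the "key = value" layout of the properties files (taken from the guide's excerpt) are assumptions.

```shell
#!/bin/sh
# Added example, not from the HP-UX AAA Server guide. Audits the RMI settings the guide
# says must be changed (the secret) or pinned (the seven *.server.port keys). Assumes the
# properties files use "key = value" lines, optional double quotes, and # comments.

# Print the value of <key> in <file>, without surrounding quotes or trailing blanks.
# (The dots in the key match any character here; good enough for these fixed keys.)
prop_value() {   # prop_value <file> <key>
    sed -n "s/^[ ]*$2[ ]*=[ ]*//p" "$1" | head -n 1 |
        sed -e 's/[ ]*$//' -e 's/^"\(.*\)"$/\1/'
}

# Return 0 only if the secret is set, not the default "secret", and equal in both files.
check_rmi_secret() {   # check_rmi_secret <rmiserver.properties> <gui.properties>
    rmi=$(prop_value "$1" rmi.config.secret)
    gui=$(prop_value "$2" rmi.config.secret)
    ok=0
    if [ -z "$rmi" ] || [ "$rmi" = "secret" ]; then
        echo "FAIL: rmi.config.secret in $1 is unset or still the default"
        ok=1
    fi
    if [ "$rmi" != "$gui" ]; then
        echo "FAIL: rmi.config.secret differs between $1 and $2"
        ok=1
    fi
    return $ok
}

# Return 0 only if every RMI object port from Table 3-3 is pinned to a number; the
# keys printed are the ones to fix before the ports can be opened in the firewall.
check_rmi_ports() {   # check_rmi_ports <rmiserver.properties>
    ok=0
    for key in adm.server.port conf.server.port file.server.port \
               stat.server.port acct.server.port log.server.port sess.server.port; do
        case "$(prop_value "$1" "$key")" in
            ''|*[!0-9]*) echo "FAIL: $key is not pinned in $1"; ok=1 ;;
        esac
    done
    return $ok
}

# Constructed sample files (placeholder values, not a real configuration).
write_weak_samples() {   # write_weak_samples <dir>
    printf 'rmi.config.secret = "secret"\n#adm.server.port = 2100\n' > "$1/rmiserver.properties"
    printf 'rmi.config.secret = "secret"\n' > "$1/gui.properties"
}
write_hardened_samples() {   # write_hardened_samples <dir>
    {
        echo 'rmi.config.secret = "Example-Secret-Change-Me"'
        n=2100
        for key in adm conf file stat acct log sess; do
            echo "$key.server.port = $n"; n=$((n + 1))
        done
    } > "$1/rmiserver.properties"
    echo 'rmi.config.secret = "Example-Secret-Change-Me"' > "$1/gui.properties"
}

# Stand-alone demonstration: the weak pair fails both checks, the hardened pair passes.
demo=$(mktemp -d)
write_weak_samples "$demo"
check_rmi_secret "$demo/rmiserver.properties" "$demo/gui.properties" || echo "weak secret rejected"
check_rmi_ports "$demo/rmiserver.properties" || echo "unpinned ports reported"
write_hardened_samples "$demo"
check_rmi_secret "$demo/rmiserver.properties" "$demo/gui.properties" && echo "hardened secret OK"
check_rmi_ports "$demo/rmiserver.properties" && echo "all RMI ports pinned"
rm -rf "$demo"
```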
Setting Up the HP-UX AAA Server to Start as Non-Root User After Reboot
Complete the following steps to set up the HP-UX AAA Server to start as non-root user
after reboot:
1.Set the RADIUSD variable to 1 in the /etc/rc.config.d/radiusd.conf file.
2.Open the /sbin/init.d/radiusd.rc file and look for the following entry:
echo "$DAEMONNM started with <$retval>"
if [[ -x /opt/aaa/remotecontrol/rmistart.sh ]];
then
/usr/bin/nohup /opt/aaa/remotecontrol/rmistart.sh >/dev/null 2>&1
fi
5.Change the then statement to start the RMI objects as the aaa user after reboot:
Change:
if [[ -x /opt/aaa/remotecontrol/rmistart.sh ]];
then
/usr/bin/nohup /opt/aaa/remotecontrol/rmistart.sh >/dev/null 2>&1
fi
To:
if [[ -x /opt/aaa/remotecontrol/rmistart.sh ]];
then
/usr/bin/nohup /usr/bin/su - aaa -c /opt/aaa/remotecontrol/rmistart.sh >/dev/null 2>&1
fi
6.Look for the following entry:
# stop the daemon!!!
if [[ -x /opt/aaa/remotecontrol/rmistop.sh ]];
then
/opt/aaa/remotecontrol/rmistop.sh >/dev/null 2>&1
fi
7.Change the then statement to stop the RMI objects as the aaa user during
shutdown:
Change:
if [[ -x /opt/aaa/remotecontrol/rmistop.sh ]];
then
/opt/aaa/remotecontrol/rmistop.sh >/dev/null 2>&1
fi
To:
if [[ -x /opt/aaa/remotecontrol/rmistop.sh ]];
then
/usr/bin/su - aaa -c /opt/aaa/remotecontrol/rmistop.sh >/dev/null 2>&1
fi
8.If you are implementing the SQL Access feature, add the following environment
variable settings to the user’s .profile file in the home directory:
(For ODBC only)
export ODBCINI=<path>/odbc.ini
(For OCI and ODBC)
export SHLIB_PATH=${SHLIB_PATH}:<path to the ODBC or OCI client libraries>
4 Enabling the HP-UX AAA Server for GUI-based Administration
This chapter explains how to enable your HP-UX AAA server software to begin
administration.
Accessing the Server Manager
To start the HP-UX AAA Server and the Server Manager graphic user interface, complete
the following steps:
1.Enter the following command:
# export JAVA_HOME=/opt/java1.4
2.Start the Remote Method Invocation (RMI) objects to allow the AAA server software
to communicate with Server Manager. Use the following command:
# /opt/aaa/remotecontrol/rmistart.sh
3.Start the HP-UX Tomcat-based Servlet Engine. Use the following command:
# /opt/hpws/tomcat/bin/startup.sh
4.Enable the Java Runtime Environment (JRE) and Javascript for the browser, so
that the browser can run the Server Manager applets and execute Javascripts.
5.Point your web browser to the following URL to manage the HP-UX AAA Server
with the Server Manager interface:
http://<IP-Address or FQDN>:8081/aaa
6.To access the Server Manager, enter your user name and password.
NOTE: The default Server Manager username is tomcat. The default Server
Manager password is tomcat.
Starting and Stopping the RMI Objects
To start and stop the RMI objects, use the following commands:
•To start: /opt/aaa/remotecontrol/rmistart.sh
•To stop: /opt/aaa/remotecontrol/rmistop.sh
•Status: netstat -a | grep 7790
Starting and Stopping Tomcat
To start and stop Tomcat, use the following commands:
•To start: /opt/hpws/tomcat/bin/startup.sh
•To stop: /opt/hpws/tomcat/bin/shutdown.sh
•Status: netstat -a | grep 8081
Testing the Installation
To test the server installation quickly, perform the following procedure using Server
Manager:
•Add a loopback connection to a AAA server
•Start the AAA server
•Check the status for a response
To Test the Installation
Complete the following steps to test the server installation:
1.Connect to Server Manager and start the AAA server. See “Accessing the Server
Manager” (page 62).
2.From the navigation tree, click the Server Connections link and then click the
Connect to Server link.
3.In the Add Connection screen that opens, enter the values for your server as shown
in the following format:
Name                          The identifying string of a remote server.
Domain Name or IP Address     The IP address (traditional IPv4 address in dotted-quad
                              notation, or IPv6 address in IPv6 literal format
                              notation), or valid Domain Name System (DNS) host name
                              of the AAA server that the connection maps to.
5.Verify the server is listed and selected in the Server Status frame.
6.From the navigation tree, click Administration.
7.Click Start.
8.Verify the server has started. A green “GO” icon in the Server Status frame indicates
the server is running.
9.Verify the server is selected in the Server Status frame and then select the Status
option.
10. Check Server Manager’s Message Frame for the status reply. The following reply
at the bottom of the Message Frame indicates the server is running correctly:
“<server name> (port#)” is responding
11. Verify that your HP-UX AAA Server is installed and operating correctly by using
the testing user (named test_user) created during installation. After test_user
is authenticated and the AAA server sends an Access-Accept, the client sends an
Accounting-Request to start the session. After the session is terminated, the client
sends an Accounting-Request stop message to stop the session logging and the
AAA server writes the session information to a file.
This command simulates an Access-Request from port 1 of a NAS with an IP
address of 192.0.2.0. When prompted for a password, enter: password. The
command must return the following output:
This command simulates an Accounting-Request stop message, terminating
the user’s session. The command must return the following output:
Accounting Response received
d.View the session logs for test_user’s start and stop accounting messages
by selecting Accounting in Server Manager’s navigation tree and clicking
Display.
IMPORTANT: HP recommends removing test_user or changing its default
password before deploying the HP-UX AAA Server in a production environment. See
“Securing the HP-UX AAA Server” (page 55) for more information.
Starting AAA Servers Using Server Manager
To start AAA servers using Server Manager, complete the following steps:
1.From the navigation tree, click Administration.
2.Select the servers you want to start in the Server Status frame.
NOTE: Server commands will only be executed on servers selected in the Server
Status frame.
3.Click Start.
Figure 4-1 shows the return value in Server Manager’s message frame when a server
is successfully started.
Figure 4-1 Return Value After Successfully Starting a AAA Server
AAA Server Start Options
Select the Start button’s corresponding icon to display the Start Options screen
shown in Figure 4-2. Table 4-1 describes the start options you can use.
Figure 4-2 Server Manager’s Start Options Screen
Table 4-1 Server Start Options
Option                 Description
Authentication         Port number to listen to authentication requests.
Accounting             Port number to listen to accounting requests.
Authentication Relay   Port number to relay authentication requests. This option is useful
                       when proxying requests to a AAA server that is not listening on the
                       default port.
Accounting Relay       Port number to relay accounting requests. This option is useful when
                       proxying requests to a AAA server that is not listening on the
                       default port.
Debug Level            Specifies the debug level. Higher levels write more information to
                       the radius.debug file. Increasing this value can cause performance
                       to decline.
Reset Logfile          Empties the logfile and debug file when the server is started.
Reset Session Table    Empties the stored session table at server startup.
                       IMPORTANT: This option is only intended for experimental use or
                       testing and not for a live production server. If you reset a
                       production server, the server loses track of the sessions that
                       are still active.
NOTE: All options specified when the server is started are written to the server’s
logfile.
IMPORTANT: Modified start options will not take effect until the server is stopped
(by selecting the stop button) and then restarted.
Server Manager’s Reload Feature
The Reload button signals the HP-UX AAA Server to reload specific configuration
information while the server is running. The result of the command will be displayed
in the Message frame. The HP-UX AAA server will reload the following files after you
select Reload:
•users
•clients
•authfile
•aaa.config
•engine.config (all values except the certificate properties, which require you
to stop and restart the server to be refreshed)
•las.conf
•EAP.authfile
•aaa.config.license
•sqlaccess.config
•request-ingress.grp
•reply-egress.grp
•proxy-egress.grp
•proxy-ingress.grp
In order for other configuration changes to take effect, you must stop and restart the
server.
IMPORTANT: Save the configuration before reloading the configuration information.
Starting AAA Servers From the Command Line
The radiusd daemon is a process that services user authentication and accounting
requests from RADIUS clients. Authentication and accounting requests come to the
radiusd daemon in the form of UDP packets conforming to the RADIUS protocol.
You can start the radiusd daemon from the Server Manager GUI, command line, or
through an inetd service.
Sets the current working directory. This option can be useful for determining
the location of system generated files, such as core files.
Enables token caching.
Specifies the directory where the configuration files are located. If
omitted, the default directory is /etc/opt/aaa.
Specifies the directory where the AATV libraries are located. If omitted,
the default directory is /opt/aaa/aatv.
Specifies the directory where the log and debug files are located. If
omitted, the default directory is /var/opt/aaa/logs.
Specifies the directory where the files generated for shared memory
operation are located. If omitted, the default directory is /var/opt/aaa/ipc.
Specifies the directory where the server's process id file (radiusd.pid)
is located. If omitted, the default directory is /var/opt/aaa/run.
Table 4-2 radiusd Options (continued)
Option                     Description
-dd Data-directory         Specifies the directory where the active session file (session.las)
                           is located. If omitted, the default directory is /var/opt/aaa/data.
-dm Accounting-directory   Specifies the directory where Merit style accounting log files
                           (session logs) are located. If omitted, the default directory is
                           /var/opt/aaa/acct.
-p Authentication-port     Specifies the UDP port number to listen to auth requests. If omitted,
                           the local host services will be queried for the RADIUS port (see
                           services(4)). If unable to obtain the port from host services, the
                           RADIUS standard default of 1812 will be used.
-q Accounting-port         Specifies the UDP port number to listen for acct requests. If omitted,
                           the local host services will be queried to obtain the radacct port
                           (see services(4)). If unable to obtain the port from host services,
                           the RADIUS standard default of 1813 will be used.
-f FSM                     Allows the user to specify an alternate Finite State Machine (FSM)
                           table file instead of the default radius.fsm file. The default FSM
                           file (/etc/
-l Log-format              strftime(3) format for naming logfiles. The -l option specifies the
                           logfile name format with timestamp precision and dictates when a
                           logfile must start logging. For example, the following specifies the
                           logging to start every hour:
                           $ ./radiusd -l logfile.%Y%m%d%H
-n                         Resets the session table. If omitted, the default is to restore the
                           session table from a previous run.
-pp Authentication-proxy   Specifies the UDP port number to forward (proxy) authentication
                           requests.
-qq Accounting-proxy       Specifies the UDP port number to forward (proxy) accounting requests.
-g Logtype                 Selects logfile, syslog, or stderr logging.
-h                         Displays help message.
-s                         Single process (non-spawning) mode.
-t Timeout                 Inactivity timeout value (minutes) when the radiusd daemon is started
                           through inetd.
-v                         Displays AAA server version.
-z                         Empties the logfile and the debug file if the -x option is used.
-x                         Adds to debug flag value.
NOTE: The radiusd daemon determines what action must be taken when receiving
requests based upon an FSM that it loads into memory when the server is started. The
FSM can be configured, but it is static after server startup. The server uses the algorithm
shown in Figure 4-3 to determine which FSM must be loaded into memory:
Figure 4-3 Algorithm for Determining Which FSM to Load
IMPORTANT: When started by the inetd service, radiusd times out if it does not
receive a message in 15 minutes. With the -t Timeout option, you can override this
value. If the value is set to 0, it waits indefinitely without timing out.
Configuring the HP-UX AAA Server to Start Automatically Upon System Reboot
You can configure the HP-UX AAA Server (radiusd) and RMI objects to start
automatically after a system reboot.
•Set the RADIUSD variable in /etc/rc.config.d/radiusd.conf to 1. The default
setting is 0.
CAUTION: Modifying the content in the /sbin/init.d/radiusd.rc file other
than radiusd options can prevent the system from booting.
NOTE: You can also start the Server Manager interface after reboot. In the
/etc/rc.config.d/hpws_tomcatconf file, set HPWS_TOMCAT_START to 1, and set
JAVA_HOME to /opt/java1.4.
Stopping or Restarting HP-UX AAA Servers
You must stop or restart AAA servers to update configuration changes.
CAUTION: Do not stop a live server in production as it interrupts services to users.
Using Server Manager
1.From the navigation tree, click Administration.
2.Select the servers you want to stop in the Server Status frame.
NOTE: Server commands will only be executed on servers selected in the Server
Status frame.
3.Click Stop.
A message prompt enables you to confirm whether you wish to stop the server. If the
server cannot be stopped, the administrator is notified of the problem in the message
frame.
From the Command Line
Enter the following command at the prompt to stop radiusd:
Adding an HP-UX AAA Server to Your Network
Multiple servers can be configured and run using the AAA Server Manager graphic
interface. You must establish at least one connection before you begin configuration.
Only one connection can be local to the Server Manager program.
You can install a server to any machine that meets the system requirements and that
can establish a UDP connection to the machine hosting the Server Manager.
To add an HP-UX AAA Server to your network, complete the following steps:
1.From the navigation tree, click the Server Connections link and then click the
Connect to AAA Server link.
2.On the Create New Server Connection screen that appears, enter values as shown
in Table 4-3.
Table 4-3 New Server Connection Screen Fields
Field                    Value to Enter
Name                     An identifying string for a server running the AAA software
Domain or IP Address     Full DNS name or IP address (traditional IPv4 or IPv6 address)
                         of an HP-UX AAA server
If the client program successfully connects to the server, the name you specified
must appear in the Status Frame displayed in the lower left corner of the program’s
interface.
Part II Configuring the HP-UX AAA Server Manager Using the Server Manager GUI
This part of the HP-UX AAA Server Administrator’s Guide contains the following chapters:
•Chapter 5: “The HP-UX AAA Server Manager Interface” (page 76)
5 The HP-UX AAA Server Manager Interface
HP-UX AAA Server Manager (Server Manager) is a browser-based application. It uses
the HP-UX Tomcat-based Servlet Engine to provide a configuration interface between
a web browser and one or more AAA servers. The Server Manager is used to start,
stop, configure, and modify the servers. In addition, Server Manager can retrieve
information about logged server sessions and accounting information for an
administrator.
Figure 5-1 shows the various parts of the Server Manager interface.
The Server Manager user interface consists of the following three sections:
• The navigation tree: click links in the navigation tree to open the corresponding
section in the Main Screen.
• The Main Screen: configure the HP-UX AAA Server on this screen.
• The HP-UX AAA Server Status Frame: view the status of your servers on this screen.
Figure 5-1 The HP-UX AAA Server Manager User Interface
Commonly Used Icons in the GUI
• Click the add icon to add new servers, realms, or users.
• Click the delete icon to delete the corresponding entry.
• Click the help icon to display a context-sensitive Help screen.
• Click the edit icon to edit the corresponding entry.
• The read-only indicator icon shows that the configuration file cannot be modified
using the Server Manager. Edit the configuration file manually using a command line
editor.
6 Managing HP-UX AAA Servers
Your server configuration can be synchronized and controlled across one or more server
installations. These server installations can be on the same machine as the Server
Manager program, or on different machines. Server Manager identifies each AAA
installation as a server connection and maps a hostname to the IP address (both
traditional IPv4 and IPv6 address formats are supported) or DNS name of a remote
machine where an AAA server is installed.
NOTE: Before defining a connection, ensure that the HP-UX Tomcat-based Servlet
Engine is running on the machine.
You cannot configure servers until a server connection is established. All configuration
modifications are saved locally and are not associated with any server. A connection
named localhost is configured as a server connection by default during installation.
Using the Server Connections Screen
The Server Connections screen shown in Figure 6-1 allows you to add a new server
connection, and modify or delete an existing connection.
Figure 6-1 Server Manager’s Connected Server Screen
Adding a New Server
To add a new server, complete the following steps:
1. Click the add icon to display the Add Server screen.
The Add Connection screen appears as shown in Figure 6-2.
Figure 6-2 The Add Connection Screen
2. In the Server Attributes form, enter your server's attributes according to the format
shown in Table 6-1.
Table 6-1 Fields in the Connection Attributes Form
Field Name / Attributes:

Name
  The identifying string of a remote server.

Domain Name or IP Address
  The client IP address or DNS name. Both traditional IP (IPv4) and IPv6 address
  formats are supported. The HP-UX AAA server can resolve DNS name entries to both
  IPv4 and IPv6 addresses. Enter an IPv4 address in dotted-quad notation. Enter an
  IPv6 address in IPv6 literal format notation. For example:
Click Cancel to return to the Managed Servers screen without creating a new server
connection.
IMPORTANT: When adding a connection to a new remote server, you must start
the RMI objects on that host to allow Server Manager to administer the server. You
can start the RMI objects from the command line with the following command:
$ /opt/aaa/remotecontrol/rmistart.sh
Modifying Connection Attributes
In the Server Connections screen, click the edit icon corresponding to the server whose
attributes you want to modify. The Modify Connection screen appears as shown in
Figure 6-3.
Figure 6-3 The Modify Connection Screen
The HP-UX AAA Server Properties section of the form includes a list of pathnames that
cannot be modified. These pathnames must match the installation directories of the
remote server.
IMPORTANT: When setting an option to a given directory, the directory must exist
and be writable on the machine. You must specify the logfile directory to access session
logs through the maintenance functions listed in the navigation tree menu.
Deleting a Server Connection
To delete a server connection, complete the following steps:
1. In the Server Connections screen, click the delete icon corresponding to the server
connection that you want to delete.
The Delete Server Connections screen appears as shown in Figure 6-4. This screen
allows you to preview the properties of the server connection before you confirm
deletion.
Figure 6-4 The Delete Server Connections Screen
2. Click Delete to remove the server connection. Click Cancel to return to the Server
Connections screen without removing the server connection.
Managing Multiple Servers
The Server Status frame, located in the lower left corner of the Server Manager's
interface, provides a list of server connections as shown in Figure 6-5.
Figure 6-5 Server Manager’s Server Status Frame
When your network includes multiple AAA servers, click the check box that precedes
each listed connection to specify whether a command applies to the corresponding
server.
When a server command, such as Start, is submitted, it will only be sent to checked
servers. When you retrieve server logging, statistics, active sessions, or account
information, only information from the checked servers will be displayed.
Table 6-2 displays the icons that can appear in Server Manager’s Server Status frame
and describes them briefly.
Table 6-2 Icons in Server Manager's Server Status Frame
Icon / Definition:

Running
  Indicates the server is connected and running.

Stopped
  Indicates that the server is connected but is not currently running.

Failure
  Indicates a communication error between the Server Manager and the AAA server.
Loading and Saving Your Configuration
AAA configuration files consist of one or more entries. When accessing these files
through the Server Manager interface, the initial screen lists each existing entry and
provides controls to open HTML forms. You can add or modify the AAA server’s
configuration files by entering values in these forms. You must then submit these values
to the program. The fields in the HTML forms include text boxes, drop-down lists, and
other form controls. Fields with bold labels require values for a complete configuration.
Server Manager stores changes you make to the server configuration, but does not
immediately save them on a remote server. When you select the Load Configuration
link from the navigation tree, the interface (shown in Figure 6-6) displays a prompt.
You can edit the server configuration settings using this prompt. Information for the
access device, proxies, local realms, users, and server properties in the loaded
configuration will replace the existing information for all server configuration items.
Figure 6-6 Server Manager’s Load Configuration Screen
After you have made changes to the server configuration items, you can save the
modified configuration on any server that has an active connection with the Server
Manager program. When you click Save Configuration, the Server Manager interface
displays a prompt (shown in Figure 6-7). Using this prompt, you can select the servers
on which the settings must be saved.
CAUTION: Clicking Save saves the entire server configuration (access device,
proxies, local realms, users, and server properties) on the specified servers.
Figure 6-7 Server Manager’s Save Configuration Screen
NOTE: If you do not wish to save changes that have been made, you can revert to
the previous settings by loading the original configuration.
A running server does not pick up configuration modifications. After the changes
have been saved on a server, you must restart the server.
NOTE: Only one administrator can edit a given functional area (access device,
proxies, local realms, users, server properties) of a server configuration at a
time. After you access the configuration screens for a functional area, the Server
Manager does not allow others to access that functional area until you have moved to
a different item.
7 Configuring RADIUS Clients Using the Access Devices Screen
The server configuration must include all the clients (NASs, access points and other
network devices) that can communicate with the AAA server. If an access device is not
included in the configuration, the server will not handle requests from, or send requests
to the client. The Access Devices screen allows you to add a new client, and modify,
or delete an existing client in the server configuration.
Navigating the Access Devices Screen
The Access Devices screen shown in Figure 7-1 allows you to configure a new RADIUS
client, or modify or delete an existing RADIUS client.
Figure 7-1 Server Manager’s Access Device Screen
Adding a RADIUS Client
To add a RADIUS client through the Access Devices screen, complete the following
steps:
1. In the Access Devices screen, click the add icon corresponding to the New Access
Device list.
The Add Access Device screen appears as shown in Figure 7-2.
Figure 7-2 Server Manager's Access Device Attributes Screen
2. In the Access Device Attributes form, enter information according to Table 7-1.
Table 7-1 Add Access Device Configuration Form Options
Option / Function:

Name
  Enter the network location of the network device. This may be an IPv4 address
  (in dotted-quad notation), an IPv6 address (in colon-separated notation), or
  a valid DNS host name. When specifying Name as a DNS host name, you must use
  the name returned by the hostname command.
  Notes:
  • Ensure that your DNS is configured correctly (with both forward and reverse
    entries) for your AAA server. The AAA server determines the name of the
    machine that it is running on. If this name does not match your local DNS
    server's database, you cannot configure the access device correctly.
  • You can use wildcards to provide access for all traditional IP (IPv4) clients
    in a particular subnet. Examples of valid IPv4 wildcard patterns are:
    *
    192.*
    192.0.*
    192.0.2.*
  • You can use wildcards to provide access for all IPv6 clients in a particular
    subnet. The allowed IPv6 wildcard patterns are constructed by appending an '*'
    to a partial IPv6 address or by specifying a single '*'. Examples of valid
    IPv6 wildcard patterns are:
    The special IPv6 syntax of compressing zeroes using "::" is not allowed in
    IPv6 wildcard patterns. For example, 'fedc::ba98:fe*' is not allowed.

Shared Secret
  Enter the shared secret, that is, the encryption key shared between the client
  and the server. The shared secret must be less than 255 characters. A request
  from a client for which the server does not have a shared secret is silently
  discarded.

Confirm Shared Secret
  Confirm the secret by typing it again.

Vendor
  Enter the vendor-specific attributes that must be returned to the access device
  in a reply. In most applications, you can select the hardware vendor of the
  device, or Generic if the device is not listed. You can make multiple selections
  by holding down the Control key as you select vendor names.
  The server prunes vendor-specific attributes for a given vendor if that vendor's
  name is not properly defined in the vendors file and its attributes are not
  properly defined in the dictionary file.
  NOTE: The Generic vendor prunes all vendor-specific attributes before a message
  is returned to a NAS. This option can be used to help prevent problems that
  occur if an unencapsulated vendor attribute is not correctly mapped in the
  vendors file.
  IMPORTANT: To define a wireless access point using the MS-CHAP protocol, you
  must select Microsoft as one of the vendor selections.

Options
  Select any of the check boxes to specify additional message-handling options.
  The options are:
  RAD_RFC    Verifies that the Access-Request conforms with the RADIUS RFC.
             Nonconforming messages are dropped.
  ACCT_RFC   Verifies that the Accounting-Request conforms with the Accounting
             RFC. Nonconforming messages are dropped.
  Debug      Dumps packets into the server's debug output file.
  No Check   Helps enhance server performance. When this option is checked, the
             HP-UX AAA Server does not check all attributes to determine if the
             request is a duplicate. Check this option if you know that the client
             sends standard messages that can easily be detected as duplicates.
  No Encaps  Does not encapsulate the vendor response (if the client requires
             unencapsulated A-V pairs).
  Old Chap   For clients that perform pre-RFC CHAP.
3. Click Create to submit the new RADIUS client to the Server Manager. Click Cancel
to return to the Access Device screen without making any changes to your server
configuration.
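The Name and Shared Secret rules of Table 7-1, as an added Python example (not HP-UX AAA Server code): it validates access-device Name patterns, matches a request source address against them, and applies the shared-secret constraints before an entry is accepted. The comparison against the fully expanded IPv6 address, the "longest literal prefix wins" rule between overlapping entries, and the CLIENTS table are assumptions of this example, not behaviour the guide states.

```python
import ipaddress
import re

# Pattern shapes from Table 7-1: "*", "192.*", "192.0.*", "192.0.2.*" for IPv4, and a
# partial IPv6 address with "*" appended ("::" zero compression is not allowed).
IPV4_WILDCARD = re.compile(r"^(\d{1,3}\.){0,3}\*$")
IPV6_WILDCARD = re.compile(r"^([0-9a-fA-F]{1,4}:){0,7}[0-9a-fA-F]{0,4}\*$")


def classify_pattern(pattern):
    """Return 'any', 'ipv4', 'ipv6', 'address' or 'dns'; raise ValueError on a bad pattern."""
    if pattern == "*":
        return "any"
    if pattern.endswith("*"):
        if "::" in pattern:
            raise ValueError(f"'::' is not allowed in an IPv6 wildcard pattern: {pattern}")
        if IPV4_WILDCARD.match(pattern):
            return "ipv4"
        if IPV6_WILDCARD.match(pattern):
            return "ipv6"
        raise ValueError(f"invalid wildcard pattern: {pattern}")
    try:
        ipaddress.ip_address(pattern)
        return "address"
    except ValueError:
        return "dns"  # treated as a DNS host name; this example does not resolve names


def _ipv6_prefix(pattern):
    """Zero-pad the complete groups of a pattern so it can be compared with
    IPv6Address.exploded (assumption: matching is done on the expanded address)."""
    groups = pattern[:-1].split(":")
    complete, partial = groups[:-1], groups[-1]
    prefix = ":".join(g.zfill(4) for g in complete)
    return (prefix + ":" if complete else "") + partial.lower()


def pattern_matches(pattern, source):
    """True if the request source (an IP address string) falls under the Name entry."""
    kind = classify_pattern(pattern)
    if kind == "dns":
        return pattern.lower() == source.lower()
    addr = ipaddress.ip_address(source)
    if kind == "any":
        return True
    if kind == "ipv4":
        return addr.version == 4 and str(addr).startswith(pattern[:-1])
    if kind == "ipv6":
        return addr.version == 6 and addr.exploded.startswith(_ipv6_prefix(pattern))
    return addr == ipaddress.ip_address(pattern)


def validate_entry(name, secret):
    """Apply the Table 7-1 constraints before an access-device entry is accepted."""
    classify_pattern(name)  # raises on a malformed wildcard such as 'fedc::ba98:fe*'
    if not secret:
        raise ValueError(f"{name}: a shared secret is required")
    if len(secret) >= 255:
        raise ValueError(f"{name}: the shared secret must be less than 255 characters")
    return True


def _specificity(name):
    """A literal address or host name beats any wildcard; longer wildcards beat shorter."""
    if name == "*":
        return 0
    return len(name) - 1 if name.endswith("*") else 10**6


def find_client(clients, source):
    """Return the (name, secret) entry that handles a request source, or None.
    A source with no entry has no shared secret, so the server silently discards it."""
    matches = [(n, s) for n, s in clients if pattern_matches(n, source)]
    if not matches:
        return None
    return max(matches, key=lambda entry: _specificity(entry[0]))


# Constructed sample access-device table; the secrets are obvious placeholders.
# A bare "*" entry would accept requests from any source that knows its secret,
# so it is deliberately left out of this table.
CLIENTS = [
    ("192.0.2.*", "EXAMPLE-SECRET-LAB"),
    ("192.0.2.10", "EXAMPLE-SECRET-NAS1"),
    ("2001:db8:1:*", "EXAMPLE-SECRET-V6"),
]

if __name__ == "__main__":
    for name, secret in CLIENTS:
        validate_entry(name, secret)
    for src in ("192.0.2.10", "192.0.2.77", "2001:db8:1::5", "198.51.100.1"):
        print(f"{src:16} -> {find_client(CLIENTS, src)}")
```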
Modifying a RADIUS Client’s Properties
To modify the properties of an existing RADIUS client, complete the following steps:
1. In the Access Device screen, click the edit icon corresponding to the client whose
properties you want to edit.
The Modify Access Device screen appears similar to the one shown in Figure 7-2.
2.Edit the fields in the Access Device Attributes form. See Table 7-1 for more
information on how to fill the form.
3. Click Modify to save changes.
Click Cancel to return to the Access Devices screen without saving any changes.
Deleting a RADIUS Client
To delete a RADIUS client, complete the following steps:
1. In the Access Device screen, click the delete icon corresponding to the RADIUS
client you want to delete.
The Delete Access Device screen appears as shown in Figure 7-3. This screen allows
you to preview the access device entry before you confirm deletion.
Figure 7-3 The Delete Access Device Screen
2. Click Delete to delete the RADIUS client. Click Cancel to return to the Access
Devices screen without deleting the RADIUS client.
8 Configuring Realms
A realm is a group of users who share a common characteristic, such as being customers
of the same Internet Service Provider (ISP). All users of a given realm are handled in
the same way, either proxied to a remote server or locally authenticated using a specified
method according to the authentication type assigned to the realm.
Using the Local Realms Screen
The Local Realms screen (shown in Figure 8-1) allows you to configure realms for the
HP-UX AAA RADIUS server by adding a new realm, or modifying or deleting an existing
realm in the server's authfile.
Figure 8-1 Server Manager’s Local Realms Screen
Adding a Realm
To add a realm entry, complete the following steps:
1. From the navigation tree, click Local Realms.
The Local Realms screen appears as shown in Figure 8-1.
2. To add a new realm, click the add icon.
The Add Local Realm screen appears as shown in Figure 8-2.
Figure 8-2 Server Manager's Local Realm Attributes Screen
3. Complete the form on the Local Realm Attributes screen according to the
information given in Table 8-1.
Table 8-1 Fields in the Local Realm Attributes Form
Option / Function:

Name
  Name of the realm that must be mapped. This name does not have to be a DNS host
  name. However, HP recommends that the realm name match a domain name. The user
  will then be able to recognize the user@realm syntax, which resembles their email
  address.

User Authentication
  Identifies the authentication method used for the realm:
  • Enable EAP: Select this option if user authentication by an EAP challenge is
    required. Select one or more EAP types. At least one authentication method must
    be selected. For PEAP (EAP-GTC), you must configure the NULL realm.
    The PEAP version '0' only checkbox is displayed if you select PEAP(EAP-GTC),
    PEAP(EAP-MSCHAP), or PEAP(EAP-MD5). Select this checkbox if your supplicant
    uses the PEAP version 0 protocol.
  If both Enable EAP and Enable RADIUS Standard are selected, authentication is
  carried out based on the Authentication-Type configuration attribute set in the
  RADIUS request.

User Profile Storage
  Indicates the location from which the AAA server must retrieve user profiles:
  • users: Choose this option to store user information locally in AAA Server flat
    files. Choosing this option allows you to administer user information with
    Server Manager. Server Manager can administer only user information stored
    locally in the AAA Server flat files.
  • Database Access via SQL, LDAP, Oracle, or SecurID/ACE Server: Choose this
    option if the user profile information is stored in an external database. See
    the individual chapters for more information.
  • OS Security Database: HP-UX operating systems use a number of repositories or
    "databases" to store information about hosts, users, passwords, etc. User
    password lookup is performed through the name-service switch configured in
    /etc/nsswitch.conf. See the nsswitch.conf man page for more information.
  • No Store: EAP-TLS Certificates: Choose this option if you are using TLS and do
    not want to store user information. If you are using TLS, you are not required
    to store user information because the TLS certificates provide the user
    information needed for authentication.
  • No Store: Allow All Users: Choose this option to allow all requests from a
    realm.
  • No Store: Deny All Users: Choose this option to deny all requests from a
    realm.

User Storage Parameters
  Identifies the location, access, and policy parameters for the selected User
  Profile Storage.

Alias
  Optional. A parenthesized list of one or more aliases, delimited by commas. Each
  realm alias is equivalent to the realm name. An alias is provided for user
  convenience or other purposes, such as to save typing when logging on to your
  network. Aliases are allowed on wild card entries and are interpreted as meaning
  *.alias.

Filter ID
  Optional. Allows the specification of a packet filter name to be associated with
  authentication through this realm name. It overrides any explicit filter name
  specified in a user profile.

Session Tracking
  Optional. Determines if session tracking is enabled for a realm. When you enable
  session tracking, accounting records are generated for the realm and active
  sessions can be searched using the Session option on the navigation tree.

4. To add a new realm, click Create to submit the new realm to the Server Manager.
To return to the Realms screen without making any changes to your server
configuration, click Cancel.
Modifying Realms
To modify the properties of an existing realm, complete the following steps:
1. From the navigation tree, click Local Realms.
The Local Realms screen appears as shown in Figure 8-1.
2. Click the edit icon corresponding to the realm whose properties you want to
modify.
The Modify Local Realm screen appears similar to the screen shown in Figure 8-2.
3. Modify the properties on the Local Realm Attributes screen according to the
information given in Table 8-1.
4. To submit changes to the realm entry to the Server Manager, click Modify.
To return to the Realms screen without making any changes to your server
configuration, click Cancel.
NOTE: The read-only indicator icon shows that the configuration file cannot be
modified using the Server Manager. Edit the file manually using a command line editor.
Special Entries
There are a few special entries that you can use while configuring realms. Table 8-2
shows the various special entries you can use.
Table 8-2 Special Entries
Special Entry / When to Use:

Wildcard Entries
  When specifying the primary realm for an entry, you can use a wild card syntax
  such as *.realm. This syntax provides a shorthand for associating several
  related realms with a single authentication type. For example, a company may
  have several branches, eastern.company.com, western.company.com, and
  central.company.com. The wild card entry for that company would define
  *.company.com as the realm. This notation would include all three realms. HP
  recommends that any such wild card entry be listed after more specific entries.
  This order allows the preceding, specific entries to override the wild card
  entry.

DEFAULT Realm
  The DEFAULT realm acts as a matching realm entry for all realms. By default, the
  DEFAULT realm is configured to authenticate against the default set of users.
  Disable the DEFAULT realm by choosing the No Store - Deny All Users option in
  the User Profile Storage drop-down list.

NULL Realm
  The NULL realm authenticates users that do not identify their realm when
  requesting access (for example, the AAA server receives an access request from
  user, instead of user@organization.com). By default, the NULL realm is disabled
  with the No Store: Deny All Users setting.

Deleting a Realm
Complete the following steps to delete a realm:
1. In the Local Realms screen, click the delete icon corresponding to the realm you
want to delete.
The Delete Local Realm screen appears as shown in Figure 8-3. This screen allows
you to preview the realm attributes before you confirm deletion.
Figure 8-3 The Delete Local Realm Screen
2. Click Delete to delete the realm. Click Cancel to return to the Local Realms screen
without deleting the realm.
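Realm resolution as Tables 8-1 and 8-2 describe it, as an added Python example that is not code from HP-UX AAA Server: it applies realm aliases, *.realm wildcard entries, and the NULL and DEFAULT entries to a user@realm identity, maps the entry's User Profile Storage to an outcome, and flags specific entries that an earlier wildcard would shadow. First-match-in-listed-order, case-insensitive realm names, and the REALMS table are assumptions of the example.

```python
from dataclasses import dataclass

DENY_ALL = "No Store: Deny All Users"
ALLOW_ALL = "No Store: Allow All Users"
SPECIAL = ("DEFAULT", "NULL")


@dataclass(frozen=True)
class Realm:
    name: str            # e.g. "eastern.company.com", "*.company.com", "DEFAULT", "NULL"
    storage: str         # the User Profile Storage selection, e.g. "users", "LDAP", DENY_ALL
    aliases: tuple = ()  # realm aliases; on a wildcard entry an alias means *.alias

    def is_wildcard(self):
        return self.name.startswith("*.")

    def patterns(self):
        """The realm name plus its aliases, lower-cased (case folding is an assumption)."""
        yield self.name.lower()
        for alias in self.aliases:
            alias = alias.lower()
            if self.is_wildcard() and not alias.startswith("*."):
                alias = "*." + alias
            yield alias

    def matches(self, realm):
        for pat in self.patterns():
            if pat.startswith("*."):
                # *.company.com covers eastern.company.com, western.company.com, ...
                # (assumption: the bare company.com itself is not covered)
                if realm.endswith(pat[1:]):
                    return True
            elif pat == realm:
                return True
        return False


def split_identity(identity):
    """user@realm -> (user, realm); a bare user name carries no realm (NULL realm)."""
    if "@" not in identity:
        return identity, None
    user, realm = identity.rsplit("@", 1)
    return user, realm.lower()


def resolve_realm(realms, identity):
    """Pick the entry that handles the request: no realm -> NULL entry; otherwise the
    first ordinary entry (in listed order) that matches; otherwise the DEFAULT entry."""
    _, realm = split_identity(identity)
    special = {r.name.upper(): r for r in realms if r.name.upper() in SPECIAL}
    if realm is None:
        return special.get("NULL")
    for r in realms:
        if r.name.upper() not in SPECIAL and r.matches(realm):
            return r
    return special.get("DEFAULT")


def decide(entry):
    """Translate the chosen entry's User Profile Storage into what happens to the request."""
    if entry is None or entry.storage == DENY_ALL:
        return "deny"
    if entry.storage == ALLOW_ALL:
        return "allow"
    return "authenticate via " + entry.storage


def shadowed_entries(realms):
    """Lint: a specific entry listed after a wildcard that already covers it never
    matches, which is why the guide says to list wildcard entries after specific ones."""
    problems = []
    for i, r in enumerate(realms):
        if r.is_wildcard() or r.name.upper() in SPECIAL:
            continue
        for earlier in realms[:i]:
            if earlier.is_wildcard() and earlier.matches(r.name.lower()):
                problems.append(f"{r.name} is shadowed by {earlier.name}")
    return problems


# Constructed sample realm table in the recommended order (specific before wildcard).
REALMS = [
    Realm("eastern.company.com", "LDAP", aliases=("east",)),
    Realm("*.company.com", "users", aliases=("corp.example",)),  # alias acts as *.corp.example
    Realm("NULL", DENY_ALL),                                       # the shipped default
    Realm("DEFAULT", "users"),
]

if __name__ == "__main__":
    for identity in ("alice@eastern.company.com", "alice@east", "bob@western.company.com",
                     "bob@branch.corp.example", "carol", "dave@other.org"):
        entry = resolve_realm(REALMS, identity)
        name = entry.name if entry else "None"
        print(f"{identity:28} -> {name:22} {decide(entry)}")
    print(shadowed_entries(list(reversed(REALMS))))
```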
Configuring Realms for Authentication using an External Server
This section discusses how to configure realms for authentication using Database Access
via SQL, Lightweight Directory Access Protocol (LDAP), the Oracle authentication
module, and the SecurID/ACE server.
Configuring Realms for Database Access via SQL
A realm can be configured for Database Access via SQL only after setting up the HP-UX
AAA Server to connect to the database and configuring the connection parameters and
SQL actions in sqlaccess.config. See Chapter 18: “SQL Access” (page 207) for
details on setting up the HP-UX AAA Server for SQL Access.
Perform the following steps to configure the realm for Database Access via SQL:
1. From the navigation tree, click Local Realms.
2. On the Local Realms screen, click New Local Realm to open the Local Realm
Attributes screen.
3. In the Name field, enter the name of the realm for which the user profiles are stored
in a database and accessed using the SQL Access feature.
The name does not have to be a DNS host name. However, HP recommends that
you set the realm name to correspond with the domain name. This enables the
user@realm syntax to resemble the e-mail address for all the users in the domain.
4. In the User Profile Storage field, select Database Access via SQL.
The user storage parameters for Database Access via SQL are displayed as shown
in Figure 8-4.
Figure 8-4 User Storage Parameters for Database Access via SQL
5. In the User Storage Parameters field, select one of the following options:
• RADIUS Attribute: Specify the RADIUS attribute in the
<vendorID>:<attribute> format. This RADIUS attribute must contain
the SQL action used for authentication. If vendorID is not specified, 0, which
corresponds to the standard RADIUS attributes, is used.
NOTE: The <vendorID> component must be a value that is defined in the
vendors file, and the <attribute> component must be a value that is defined
in the dictionary file.
• SQL Action Id: Select the SQL action from the drop-down list.
IMPORTANT: Ensure that the appropriate SQL action is selected from the
drop-down list. Selecting an incorrect SQL action can result in an authentication
failure or unintentional changes to the database records.
6. Complete any remaining optional fields as necessary for your configuration.
7. Click Create. If the realm is successfully created, the Local Realms screen lists
the new realm.
8. From the navigation tree, click Save Configuration.
If you have multiple remote servers, you will be prompted to select and confirm
the servers where the realm configuration will be applied.
Configuring Realms for LDAP
This section discusses how to configure realms for Lightweight Directory Access Protocol
(LDAP). These realms can be configured only after setting up the LDAP server. See
Chapter 17: “LDAP Authentication” (page 204) for information on setting up an LDAP
server.
To configure each realm using LDAP, you must specify the directory server, search
base, and other parameters necessary to find profiles for the users in the realm.
Complete the following steps to configure realms for LDAP:
1. From the navigation tree, click Local Realms.
2. On the Local Realms screen, click New Local Realm to open the Local Realm
Attributes screen.
3. In the Name field, enter the name of the realm to map to the defined LDAP location.
This name does not have to be a DNS host name. However, HP recommends that
the realm name corresponds with the domain name. This way, the user recognizes
the user@realm syntax, which resembles their e-mail address.
4. In the User Authentication field, select the authentication methods to authenticate
users for the realm. If you are using TTLS-PAP, TTLS-MSCHAP, or TTLS-CHAP,
select Enable RADIUS Standard. For all other methods, select Enable EAP and
choose at least one EAP method from the drop-down list.
5. In the User Profile Storage field, select LDAP.
The user storage parameters for LDAP appear when you select LDAP from the
User Profile Storage drop-down list. These parameters identify a section of the
directory tree on one or more LDAP servers where the HP-UX AAA software will
attempt to retrieve user profiles.
6. In the User Storage Parameters field, select New LDAP Directory or the name of
an existing LDAP Directory.
7. In the LDAP screen that appears, configure the LDAP directory using the
information described in Table 8-3.
Table 8-3 Values for Configuring Realms for LDAP
Value / Description:

Directory Name
  Start of a directory configuration. Give a name to the directory, which can be
  an arbitrary string. If the name contains spaces or tabs, the string must be
  enclosed in single or double quotes.

Host
  Name of the host on which the LDAP directory server runs. The value must be a
  fully qualified DNS name, although an IP address also works. Both traditional IP
  (IPv4) and IPv6 address formats are supported. The HP-UX AAA Server can resolve
  DNS name format entries to IPv4 and IPv6 addresses.
  Enter an IPv4 address in dotted-quad notation. Enter an IPv6 address in IPv6
  literal format notation. For example:

Port (Optional)
  Port number on which the directory server is running. The default value is 389.

Use SSL
  Enables or disables SSL connections between the HP-UX AAA Server and the LDAP
  directory. If you are enabling SSL, you must specify the server's CA certificate
  path or fully qualified file name in the Server Properties -> ProLDAP Properties
  window.

Administrator
  Special user ID used when an authenticated search is allowed on the LDAP
  directory server. This administrator does not need to be a real administrator of
  the LDAP directory server, but must have read access to all the users (and their
  passwords). Intended to be authenticated by the AAA server.

Password
  Password for Administrator to bind (authenticate) itself to the LDAP directory
  server.

Search Base
  Pointer into the directory where the search for users in a realm starts.
  Specifying a search base improves server performance by limiting the scope of
  search operations on user information for a particular realm. A search base
  contains a list of A-V pairs that trace a path from a location in the
  directory's schema to the top of the directory. For example, a search base of
  o=hp, c=US represents a search for one of the users on the following tree:
  The A-V pairs used depend on the schema of your particular directory server.
  NOTE: It is more efficient to start your search lower in the directory
  structure rather than higher. HP recommends that you eliminate spaces between
  Search Base components (that is, instead of ou=abc,o=cde, c=us, use
  ou=abc,o=cde,c=us).

Filter
  The Filter flag allows authentication to be based either on the LDAP uid
  attribute, which normally is CIS, or on the AAA Server User-Id attribute, which
  is normally BIN. User-Id is an AAA Server-specific RADIUS attribute. This
  optional flag defaults to uid.
  IMPORTANT: With multiple LDAP directory servers, the Filter used for lookups
  must be consistent across all directories specified for a particular realm.
  Potential filters are uid, User-Id, or some other key that uniquely identifies a
  subject to be authenticated on the system. Currently, the LDAP module does not
  enforce the use of consistent filters, but using inconsistent filters may
  produce unpredictable authentication failures.

Authentication Type
  • AUTO performs a search as the configured Administrator (searches anonymously
    if no administrator is configured), anticipating that the password is in the
    result. It binds as the user if the password is not available. This mode
    makes the AAA server flexible in accommodating LDAP directories. If
    directories are configured to return passwords with search, AUTO is
    equivalent to SEARCH.
  • BIND binds as the user for authentication.
  • SEARCH performs a search as the configured Administrator and expects the
    user's password in the search result.
8. In the LDAP screen, click Save.
9. Repeat steps 6 and 7 for each redundant directory you wish to use for failover.
10. Complete any remaining optional fields as necessary for your configuration.
11. Click Create.
12. From the navigation tree, click Save Configuration.
If you have multiple remote servers, you will be prompted to select and confirm
the servers to which you wish to add the entry.
Modifying a Directory Configuration
Complete the following steps to modify a directory configuration:
1. On the Local Realms screen, select the name of the directory definition you wish
to modify.
2. Change the values if needed.
3. Click Modify.
Deleting a Directory Configuration
Complete the following steps to delete a directory configuration:
1. On the Local Realms screen, select the name of the directory definition you wish
to delete.
2. Click Delete.
Tuning the AAA Server to LDAP Server Connection
The AAA server to LDAP server connection can be tuned by adding the following
entries to /etc/opt/aaa/aaa.config and then stopping and starting the server:
• Retry-Interval sets the number of seconds the AAA server waits before trying
to reconnect to an LDAP directory server when a realm has failover directory servers
configured. The default value is 60 seconds.
• Retry-Wait sets the number of seconds the AAA server waits before
attempting to connect to the same failover LDAP server again. When all failover directory
servers configured for a realm are down, the AAA server tries to reconnect to
one every time an access request is received. In that situation, this parameter
guarantees that the server does not spend too much time trying to reconnect to
those directory servers. The default value is 1 second.
• Timeout sets the number of seconds that an LDAP connection remains open
when the AAA server has not been able to perform any successful
LDAP operation on it. This parameter allows better handling of the situation where the
LDAP directory times out client connections.
• TCP-Timeout sets the number of seconds the AAA server waits for an
LDAP server when trying to establish the Transmission Control Protocol (TCP)
connection.
• Debug determines whether OpenLDAP debug messages are written to the
AAA server radius.debug file. A value of 0 disables writing these messages; a
value of -1 enables writing these messages. The syntax of this property follows a
block syntax that is different from the other aaa.config variables.
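To make the interaction of Retry-Interval, Retry-Wait and Timeout concrete, here is an added Python model of the failover behaviour described above. It is an illustration written for this edition, not code from the HP-UX AAA Server; the class name, method names and the caller-supplied clock values are assumptions.

```python
import math

# Added model of the LDAP failover tunables described above. Illustration only,
# not HP-UX AAA Server code; names and the caller-supplied clock are assumptions.
class LdapFailoverModel:
    def __init__(self, servers, retry_interval=60.0, retry_wait=1.0, timeout=300.0):
        self.servers = list(servers)          # failover order from the realm
        self.retry_interval = retry_interval  # Retry-Interval (seconds)
        self.retry_wait = retry_wait          # Retry-Wait (seconds)
        self.timeout = timeout                # Timeout (idle seconds)
        self.last_fail = {}                   # server -> time of last failed connect
        self.current = None                   # server with an open connection
        self.last_ok = -math.inf              # time of last successful LDAP operation
        self.probes = 0                       # connection attempts made (for measurement)

    def report_failure(self, now):
        """An operation on the current connection failed: mark that server down."""
        self.last_fail[self.current] = now
        self.current = None

    def _eligible(self, now, wait):
        return [s for s in self.servers
                if now - self.last_fail.get(s, -math.inf) >= wait]

    def handle_request(self, now, probe):
        """Pick the server for one access request; probe(server) -> bool says whether
        a connect/bind succeeds. Returns the server used, or None to reject."""
        if self.current is not None and now - self.last_ok > self.timeout:
            self.current = None   # Timeout: the directory may have closed the idle link
        if self.current is not None:
            self.last_ok = now
            return self.current
        # Normal failover: try every server not marked down within Retry-Interval.
        for s in self._eligible(now, self.retry_interval):
            self.probes += 1
            if probe(s):
                self.current, self.last_ok = s, now
                return s
            self.last_fail[s] = now
        # All down: one attempt per request, on the least recently failed server,
        # and only once Retry-Wait has elapsed for it.
        candidates = self._eligible(now, self.retry_wait)
        if not candidates:
            return None
        s = min(candidates, key=lambda x: self.last_fail[x])
        self.probes += 1
        if probe(s):
            self.current, self.last_ok = s, now
            return s
        self.last_fail[s] = now
        return None
```

With the defaults, a request that arrives while every failover server is down costs at most one reconnect attempt, and none at all if every server was last tried under Retry-Wait seconds ago.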
Configuring Realms for Oracle
This section discusses how to configure realms for Oracle authentication. These realms
can be configured only after setting up the Oracle database server. See Chapter 19:
“Oracle Authentication (Supported Using SQL Access)” (page 248) for more information
on setting up the Oracle database server for Oracle authentication.
To authenticate users stored in an Oracle database, you must configure the AAA server,
run the db_srv daemon on each Oracle host machine, and configure one or more
Oracle databases with user information according to your requirements. See
“Configuring the Oracle Database ” (page 251) for information on how to configure
your Oracle database.
Configuring the HP-UX AAA Server Using Server Manager
For each realm using Oracle authentication, you must specify the Oracle server.
Complete the following steps to configure the HP-UX AAA Server Manager for Oracle
authentication:
1. From the navigation tree, click Local Realms to open the Local Realms screen.
2. Click the New Realm link to open the Realm Attributes screen.
3. In the Name field, enter the name of the realm. This name does not have to be a
DNS host name. However, HP recommends that the realm name corresponds with
the domain name. This way, the user recognizes the user@realm syntax that
resembles their e-mail address.
4. In the User Profile Storage drop-down list, select Oracle.
When you select Oracle from the User Profile Storage drop-down list, a drop-down
list appears in the User Storage Parameters section of the form. This drop-down
list allows you to create and modify Oracle configurations for the realm.
5. In the User Storage Parameters drop-down list, select New Oracle Server, or the
name of an existing Oracle server.
6. Complete the Oracle Server screen (shown in Figure 8-5) that appears by specifying
the host name or IP address of the Oracle server (db_srv daemon), followed by
the port number that it uses.
Figure 8-5 New Oracle Server Screen
You can list an unlimited number of Oracle servers. However, in this context, you
must use the appropriate number of servers based on the number of requests
received, and machine performance. Each listed server must have a unique DNS
name and port.
7. Repeat steps 6 and 7 for each redundant directory you wish to use.