HP HP-UX AAA Administrator's Guide

HP-UX AAA Server A.07.01 Administrator’s Guide

HP-UX 11i v1, HP-UX 11i v2, and HP-UX 11i v3
HP Part Number: T1428-90068 Published: September 2008 Edition: Edition 9
Copyright © 2002–2008 Hewlett-Packard Development Company, L.P.
12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are
licensed to the U.S. Government under vendor’s standard commercial license.
The information contained herein is subject to change without notice. The only warranties for HP products and services are set
forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as
constituting additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.
UNIX is a registered trademark of The Open Group.
Java is a US trademark of Sun Microsystems.
Microsoft®, Windows®, and Windows NT® are U.S. registered trademarks of Microsoft Corporation.
Oracle® is a registered US trademark of Oracle Corporation, Redwood City, California.
OpenLDAP® is a registered trademark of the OpenLDAP Foundation.
Netscape Navigator is a registered trademark of Time Warner, Inc.

Table of Contents

About This Document ..................................................................................................................23
Intended Audience.............................................................................................................23
New and Changed Information in This Edition.................................................................23
Document Organization.....................................................................................................24
Publishing History..............................................................................................................24
Typographic Conventions..................................................................................................25
HP-UX Release Name and Release Identifier.....................................................................26
Related Information............................................................................................................26
HP Encourages Your Comments........................................................................................26
I Introduction...............................................................................................................................27
1 Overview: The HP-UX AAA Server .......................................................................................30
RADIUS Topology ........................................................................................................31
Establishing a RADIUS Session.....................................................................................32
Product Structure..........................................................................................................34
HP-UX AAA Server Daemon, Libraries, and Utilities ............................................34
HP-UX AAA Server Manager Program ..................................................................34
Documentation.........................................................................................................34
HP-UX AAA Server Architecture .................................................................................35
Configuration Files ..................................................................................................36
AATV Plug-Ins ........................................................................................................36
The Software Engine: Finite State Machine ............................................................36
HP-UX AAA Server Commands, Utilities and Daemons.............................................37
Handling an Access Request.........................................................................................37
Authentication to Verify the Client and User .........................................................38
Authorization to Control Sessions and Access to Services .....................................40
Authorization Steps ...........................................................................................41
Session Logs For Accounting .......................................................................................44
IPv6 Support for External Services................................................................................44
2 Upgrading to Version A.07.01..............................................................................................45
The HP-UX AAA Server Upgrade Process...................................................................45
Upgrading from Versions A.07.00, A.06.02, or A.06.01 to Version A.07.01..................45
Upgrading from Version A.06.00.x to Version A.07.01.................................................46
Upgrading from Version A.05.x to Version A.07.01......................................................48
Merging the Dictionary File..........................................................................................48
Merging the radius.fsm File.....................................................................................48
Merging the vendors File............................................................................................48
3 Installing and Securing the HP-UX AAA Server.......................................................................49
Acquiring the HP-UX AAA Server Software................................................................49
Installing and Uninstalling the HP-UX AAA Server....................................................49
To Install the HP-UX AAA Server...........................................................................49
To Uninstall the HP-UX AAA Server Software.......................................................50
HP-UX AAA Server File Locations ..............................................................................51
Securing the HP-UX AAA Server..................................................................................55
Changing the Default HP-UX AAA Server Settings ...............................................55
Changing the Default Tomcat User Name and Password..................................55
Changing the Default RMI Objects Secret..........................................................55
Changing the Default test_user Settings............................................................56
Changing the Default localhost Proxy Settings..................................................56
Environment Specific Security Procedures .............................................................56
Using Secure Socket Layer (SSL) for Secured Remote Server Manager Administration...................................................................................................56
Creating a Tomcat Identity Specifically for the HP-UX AAA Server ................58
Running the HP-UX AAA Server on Hosts with System Hardening Software..............................................................................................59
Running the HP-UX AAA Server as a Non-Root User......................................59
Setting Up the HP-UX AAA Server to Start as Non-Root User After Reboot....60
4 Enabling the HP-UX AAA Server for GUI-based Administration................................................62
Accessing the Server Manager......................................................................................62
Starting and Stopping the RMI Objects...................................................................62
Starting and Stopping Tomcat.................................................................................62
Testing the Installation .................................................................................................63
To Test the Installation.............................................................................................63
Starting AAA Servers Using Server Manager...............................................................64
AAA Server Start Options........................................................................................65
Server Manager’s Reload Feature............................................................................66
Starting AAA Servers From the Command Line..........................................................67
Configuring the HP-UX AAA Server to Start Automatically Upon System Reboot..................................................................................................................69
Stopping or Restarting HP-UX AAA Servers...............................................................69
Using Server Manager..............................................................................................70
From the Command Line.........................................................................................70
Adding an HP-UX AAA Server to Your Network........................................................70
II Configuring the HP-UX AAA Server Manager Using the Server Manager GUI ................................72
5 The HP-UX AAA Server Manager Interface.............................................................................76
Commonly Used Icons in the GUI................................................................................77
6 Managing HP-UX AAA Servers.............................................................................................78
Using the Server Connections Screen............................................................................78
Adding a New Server ...................................................................................................78
Modifying Connection Attributes.................................................................................79
Deleting a Server Connection........................................................................................80
Managing Multiple Servers...........................................................................................81
Loading and Saving Your Configuration......................................................................82
7 Configuring RADIUS Clients Using the Access Devices Screen.................................................84
Navigating the Access Devices Screen..........................................................................84
Adding a RADIUS Client..............................................................................................84
Modifying a RADIUS Client’s Properties......................................................................87
Deleting a RADIUS Client.............................................................................................88
8 Configuring Realms.............................................................................................................89
Using the Local Realms Screen.....................................................................................89
Adding a Realm.............................................................................................................89
Modifying Realms.........................................................................................................92
Special Entries...............................................................................................................92
Deleting a Realm...........................................................................................................93
Configuring Realms for Authentication using an External Server...............................94
Configuring Realms for Database Access via SQL..................................................94
Configuring Realms for LDAP ................................................................................96
Modifying a Directory Configuration................................................................98
Deleting a Directory Configuration....................................................................98
Tuning the AAA Server to LDAP Server Connection........................................99
Configuring Realms for Oracle................................................................................99
Configuring the HP-UX AAA Server Using Server Manager..........................100
To Configure and Run the db_srv Daemon .............................................101
Scripts to Start and Stop the HP-UX AAA Server Oracle Daemon.............103
Configuring a SecurID Realm................................................................................103
9 Configuring Proxies...........................................................................................................105
Navigating the Proxy Screen.......................................................................................105
Changing the Default localhost Proxy Settings...........................................................106
Creating or Modifying a Proxy...................................................................................106
Forwarding Authentication Requests From a Proxy Server..................................109
Forwarding Authentication Requests to a Remote Server.....................................110
Changing RADIUS Port Numbers..............................................................................111
Forwarding Requests to Alternate RADIUS Ports.................................................111
Forwarding Accounting Requests...............................................................................111
Proxying Authentication and Accounting Messages to the Same Server...................112
Proxying Accounting Requests to a Central Server....................................................113
Deleting a Proxy..........................................................................................................113
10 Configuring Users............................................................................................................115
Navigating the Users Screen.......................................................................................115
Changing the Default test_user Settings.....................................................................115
Adding a User Profile .................................................................................................116
Tabs on the Add Users Screen................................................................................118
Specifying Attributes Using the Free Attributes Pane......................................118
Adding Users for SecurID Authentication..................................................................119
Modifying User Profiles..............................................................................................119
Deleting a User Profile.................................................................................................120
To Delete a User Profile From the Default users File..........................................120
To Delete a User Profile in a Local Realms File......................................................121
11 Modifying Server Properties..............................................................................................122
Navigating the Server Properties Screen.....................................................................122
DHCP Relay Properties...............................................................................................122
DNS Updates Properties.............................................................................................123
Message Handling Properties.....................................................................................124
SNMP Properties.........................................................................................................125
Enable SNMP Support...........................................................................................125
Tunneling Properties...................................................................................................125
Tunneling Reply Items (Optional).........................................................................126
Certificate Properties...................................................................................................126
File Size Properties......................................................................................................127
Maximum Logfile Size...........................................................................................127
Miscellaneous Properties.............................................................................................127
Permit Microsoft Client Authenticate As Computer.............................................127
Local Users File Properties..........................................................................................128
ProLDAP Properties....................................................................................................128
12 Logging and Monitoring ..................................................................................................129
Overview.....................................................................................................................129
Server Log Files ..........................................................................................................129
Using Server Manager to Retrieve Logfile Information.........................................129
Search Parameters.............................................................................................130
Message Types .................................................................................................131
Using Server Manager to Retrieve Statistics .........................................................131
Accounting Log Files ..................................................................................................132
Using Server Manager to Retrieve Accounting Logfiles........................................133
Format of Accounting Records in the Default Merit Style....................................134
Time-Based Values............................................................................................134
Client A-V Pairs................................................................................................135
User Entry A-V Pairs.........................................................................................135
Session Tracking................................................................................................135
Writing Livingston CDR Accounting Records.......................................................136
Livingston CDR Session Record Format..........................................................137
Changing the Accounting Log Filename...............................................................137
Changing the Accounting Log Rollover Interval...................................................138
Rolling Over the Log File and Accounting Stream................................................138
III Advanced Configuration Information........................................................................................139
13 Securing LAN Access With EAP........................................................................................142
Overview.....................................................................................................................142
The Secure LAN Advisor.......................................................................................142
Preparing Your LAN ...................................................................................................143
Determining the EAP Authentication Method to Use................................................144
Securing WLANs with the HP-UX AAA Server.........................................................146
Digital Certificate Administration...............................................................................147
Using the “Self-Signed” Digital Certificates..........................................................147
Installing Your Own Digital Certificates and Keys................................................148
Installing Server Certificates and Keys.............................................................149
Installing Client Certificates and Keys.............................................................149
Defining Certificate Locations on the HP-UX AAA Server..............................149
14 Managing Sessions.........................................................................................................152
Session Logs.................................................................................................................152
Displaying Session Attributes................................................................................152
Stopping a Session..................................................................................................153
Session Limits..............................................................................................................153
Setting Limits on a User-by-User Basis..................................................................154
Setting Timeout Values.....................................................................................154
Establishing a Filter...........................................................................................154
Limiting Access Points (NAS-Port, NAS-ID, Calling-Station ID, and others)...............................................................................................................154
Denying Access (Called-Station-ID and others)...............................................155
Limiting Simultaneous Sessions.......................................................................155
Setting Limits for Users on a Global Basis.............................................................156
Setting Limits for All User Profiles Grouped by Realms.................................156
15 Assigning IP Addresses....................................................................................................157
Assigning Static IP Addresses.....................................................................................157
To Assign a Static IP (IPv4) Address to a Profile in Flat Files................................157
To Assign a Static IPv6 Address to a Profile in Flat Files......................................158
To Assign Static Traditional IP (IPv4) Addresses to a User Profile in an LDAP LDIF File.................................................................................................................160
To Assign Static IPv6 Addresses to a User Profile in an LDAP LDIF File.............161
Assigning Dynamic IP Addresses Using DHCP.........................................................161
16 OATH Standards-Based OTP Authentication.......................................................................162
OTP and OATH Overview..........................................................................................162
HP-UX AAA Server and OATH Support....................................................................163
Components Required to Configure OTP Authentication..........................................164
Configuring OTP Authentication on the HP-UX AAA Server ..................................165
OTP Authentication Configuration Flowchart......................................................165
Basic or Typical Configuration...............................................................................167
Advanced Configuration........................................................................................168
Advanced OTP Authentication Configuration Concepts.................................169
Attributes for Configuring OTP Authentication.........................................172
Advanced Deployment Scenarios.....................................................................177
Validating OTP Alone..................................................................................178
Configuring Two-Factor Authentication.....................................................180
OTP or Password Validation at External RADIUS Server...........................187
Predefined Mapping and Conversion Functions...................................................194
Sample Configuration Files....................................................................................194
The sqlaccess.config Sample File.............................................................194
Sample Policy Files...........................................................................................197
The oath-request-ingress.grp Sample File......................................197
The oath-reply-egress.grp Sample File............................................198
The oath-proxy-egress.grp Sample File............................................199
IV Integrating the HP-UX AAA Server With External Services..........................................................200
17 LDAP Authentication.........................................................................................................204
LDAP Server Compatibility ........................................................................................204
Related LDAP Documentation ...................................................................................204
Authentication with LDAP .........................................................................................204
Configuring the LDAP Server ...............................................................................204
The HP-UX AAA Server LDAP Schema...........................................................205
To Configure Netscape Directory Server v6.....................................................206
To Configure iPlanet Directory Server v5.........................................................206
To Configure OpenLDAP 2.0.x.........................................................................206
18 SQL Access.....................................................................................................................207
SQL Access Overview.................................................................................................207
SQL Access Concepts.............................................................................................208
RADIUS Attribute to SQL Statement Mapping................................................209
Mapping Functions...........................................................................................210
Conversion Functions.......................................................................................210
SQL Action Processing and Result Handling...................................................211
Implementing SQL Access..........................................................................................211
Sample Implementation Files.................................................................................211
sqlaccess.config Sample File....................................................................212
dbsetup.sql Sample File...............................................................................214
Finite State Machine Sample.............................................................................215
Pre-requisites for SQL Access................................................................................215
Database Server and Schema............................................................................215
Database Security........................................................................................216
High Availability.........................................................................................216
Database Client.................................................................................................216
Shared Library Path Configuration.............................................................216
Database Client Connector Libraries................................................................217
SQL Access Implementation Details......................................................................217
sqlaccess.config File Configuration........................................................................218
Database Connection Definition.......................................................................219
SQL Actions......................................................................................................221
Mapping Syntax................................................................................................222
RAD Mapping.............................................................................................223
DBC Mapping..............................................................................................224
DBP Mapping..............................................................................................225
Mapping Functions......................................................................................227
Conversion Functions..................................................................................229
SQL Statement..................................................................................................229
SQL Result Mapping.........................................................................................230
Result Handling for Retrieval Requests......................................................231
Global Definitions.............................................................................................232
Advanced SQL Mapping Configuration................................................................232
Developing Custom Functions.........................................................................233
Null SQL Statements.........................................................................................233
Null Source and Target Mapping.....................................................................234
Time Synchronization.......................................................................................234
Finite State Table Configuration in the FSM.....................................................235
Stored Procedures.............................................................................................236
Administering Users and Tokens Stored in an SQL Database....................................237
Managing Users.....................................................................................................238
Adding Users to an SQL Database...................................................................238
Modifying User Credentials.............................................................................240
Managing Users Using OTP to Authenticate.........................................................241
Importing Tokens into the Database.................................................................241
Assigning Tokens to Users................................................................................242
Assigning a Specific Token to a User...........................................................242
Allocating Any Available Tokens to a User.................................................243
Enrolling Tokens (Procedure for Users)...........................................................243
Synchronizing Tokens (Procedure for Users)...................................................245
Terminating Tokens..........................................................................................246
Viewing User and Token Statistics.........................................................................246
Valid Token Status Values......................................................................................246
Invoking the User Database Administration Manager Interface from Server Manager....247
19 Oracle Authentication (Supported Using SQL Access).........................................................248
Related AATV Plug-In Modules And Processes ........................................................248
The db_srv Package ...............................................................................................249
Oracle Compatibility .............................................................................................250
The Oracle Database Structure ...................................................................................250
The Oracle Information Model ..............................................................................250
Table Spaces .....................................................................................................251
User Schema .....................................................................................................251
Tables ................................................................................................................251
Configuring the Oracle Database ..........................................................................251
To Create the AUTH_NET_USERS Table ........................................................251
To Manage User Records in the AUTH_NET_USERS Table ...........................251
Table Structure .......................................................................................................253
Modifying the Table Structure ....................................................................................254
Supported Attributes ..................................................................................................254
20 Simple Network Management Protocol (SNMP) Support.....................................................256
Setting Up SNMP to Monitor the HP-UX AAA Server...............................................256
21 VPN Tunneling................................................................................................................258
Establishing a Tunnel for a User..................................................................................258
22 Using DHCP...................................................................................................................260
Required DHCP Server Features.................................................................................260
Recommended DHCP Server Features..................................................................260
Defining DHCP Address Pools for Specific Users......................................................260
To Associate an Address Pool with a User Profile in AAA Server Flat Files.........260
To Associate an Address Pool with a User Profile in an LDAP LDIF File.............261
Associating Address Pools with Realms and Other Conditions.................................261
23 Using SecurID.................................................................................................................262
Authentication Of Users .............................................................................................262
Configuring SecurID Authentication .........................................................................263
Configuring the AAA Server for RSA SecurID Authentication ...........................263
Configuring the ACE/Server .................................................................................263
Synchronizing the AAA Server with the ACE/Server ..........................................265
Related Documentation ..............................................................................................266
V Customizing the HP-UX AAA Server..........................................................................................267
24 Customizing the HP-UX AAA Server Using the Finite State Machine......................................270
States ...........................................................................................................................270
Using Xstring to call Policy ...................................................................................273
Using Xstring to Call an Alternate authfile ...........................................................273
Event Names ...............................................................................................................273
Predefined Event Names .......................................................................................274
Creating New Names ............................................................................................276
Actions ........................................................................................................................276
FSM Tables.............................................................................................................278
Custom State Tables ....................................................................................................279
Tracking Versions ..................................................................................................279
Examples ...............................................................................................................279
Preprocessing Module .....................................................................................279
Interim Logging .....................................................................................................280
Custom Logging Format .......................................................................................280
Proxy Accounting Messages..................................................................................281
25 Customizing the HP-UX AAA Server Using Policies..............................................................283
Policy Overview..........................................................................................................283
Defining a Policy in a Decision File.............................................................................284
Action Commands.................................................................................................285
The delete Command....................................................................................286
The insert Command....................................................................................287
The modify Command....................................................................................289
The exit Command.........................................................................................290
The log Command...........................................................................................290
The if Command.............................................................................................291
Attribute Specifications..........................................................................................293
Attribute Names...............................................................................................294
Vendor Names..................................................................................................294
Attribute Instance Specifications......................................................................294
No Instance Specification............................................................................294
Numeric Instance Specification...................................................................294
Keyword Instance Specification..................................................................295
Attribute Functions...........................................................................................295
The count Attribute Function....................................................................296
The length Attribute Function..................................................................296
The substr Attribute Function..................................................................296
The tolower Attribute Function................................................................300
The toupper Attribute Function................................................................300
Value Types............................................................................................................301
Supported Operators..............................................................................................302
Operator Precedence and Association..............................................................302
Type Compatibility................................................................................................303
Invoking a Policy.........................................................................................................304
Invoking Policies Through Predefined Policy Hooks............................................304
Request Ingress Policy......................................................................................304
User Policy........................................................................................................305
Invoking Policy from User Profiles.............................................................306
Reply Egress Policy...........................................................................................306
Proxy Egress Policy...........................................................................................307
Proxy Ingress Policy..........................................................................................308
Useful Attributes for Policy Conditions.................................................................309
Modifying the FSM for Specific Customizations ..................................................310
Sample Policy Implementations..................................................................................311
Dynamic Access Control........................................................................................311
Step 1 – Modifying the Default FSM for DAC..................................................311
Step 2 – Defining the DAC Policies...................................................................312
DNIS Routing.........................................................................................................313
Step 1 – Modifying the Default FSM for DNIS Routing...................................313
Step 2 – Defining the DNIS Routing Policies....................................................313
26 Customizing the HP-UX AAA Server Using the SDK.............................................................315
SDK Overview.............................................................................................................315
Migrating Plug-ins Created Using Previous Versions of the SDK..............................317
Prerequisites for Using the SDK..................................................................................317
SDK Directory Structure..............................................................................................317
SDK Concepts..............................................................................................................317
Overview of AATVs...............................................................................................317
AATV Components................................................................................................318
The init Function...........................................................................................318
The action Function..........................................................................................318
The timer or callback Function.........................................................................319
The cleanup Function.......................................................................................319
Creating Plug-ins.........................................................................................................319
Using AATVs to Create a Plug-in..........................................................................320
Compiling and Loading a Plug-in.........................................................................321
Testing and Debugging a Plug-in..........................................................................322
Using the GNU Project Debugger....................................................................322
Using gdb to Debug Your Software Module...............................................322
VI Troubleshooting.....................................................................................................................324
27 Troubleshooting Overview................................................................................................327
AAA Environment Components.................................................................................327
HP-UX AAA Server Operation...................................................................................328
Probable Causes for Failure.........................................................................................330
Configuration Problems.........................................................................................330
External Service Problems......................................................................................330
Protocol Limitations...............................................................................................331
RADIUS Client and Supplicant Considerations....................................................331
28 Troubleshooting Procedures..............................................................................................332
Troubleshooting Flowchart.........................................................................................332
Troubleshooting Flowchart Process.......................................................................334
Troubleshooting the Server Manager Administration Utility.....................................335
Common Problems With the Server Manager.......................................................336
Troubleshooting Server Manager Launch Problems........................................337
Troubleshooting Remote Management Problems............................................338
Troubleshooting the HP-UX AAA Server...................................................................339
Troubleshooting HP-UX AAA Server Startup Problems.......................................339
Common Problems with HP-UX AAA Server Startup.....................................339
Troubleshooting Bind Errors at HP-UX AAA Server Startup.....................342
Troubleshooting an Unresponsive HP-UX AAA Server........................................343
Troubleshooting Common Configuration Problems........................................344
Troubleshooting External Services...................................................................346
Identifying External Service Failures using Logfile Error Messages..........347
Identifying Unrecorded External Datastore Failures..................................351
Identifying Proxy Server Failures................................................................351
Identifying Unrecorded DHCP Failures.....................................................352
Troubleshooting Access-Rejects from the HP-UX AAA Server.............................352
Common Authentication Failure Problems......................................................352
EAP Problems........................................................................................................360
Troubleshooting Provisioning Errors.....................................................................363
29 Troubleshooting Resources................................................................................................364
HP-UX AAA Server Troubleshooting Utilities............................................................364
The radcheck Utility: For Checking the Server Status........................................364
The radpwtst Utility: For Testing Authentication...............................................365
The raddbginc Utility: For Setting Debug Output Levels..................................365
The radsignal Utility: For Rolling Over the Debug Output to New Files.........365
The HP-UX AAA Server Logfile and Debug File........................................................366
The HP-UX AAA Server Logfile............................................................................366
The HP-UX AAA Server Debug File......................................................................366
30 Reporting Problems.........................................................................................................368
Server Set Up Information...........................................................................................368
Server Manager Related Information..........................................................................369
External Components..................................................................................................369
External Databases.................................................................................................369
SNMP Servers.........................................................................................................369
DHCP Servers.........................................................................................................369
OpenSSL.................................................................................................................369
EAP Related Information............................................................................................369
Clients.....................................................................................................................370
Access Points..........................................................................................................370
VII Reference.............................................................................................................................371
31 Configuration Files ..........................................................................................................374
HUP Processing...........................................................................................................374
The aaa.config File.................................................................................................375
Variables in the aaa.config File.........................................................................375
The strict_duplicate_check Variable.....................................................375
The aatv.ProLDAP Property..........................................................................376
The log_threshold_limit and suppression_interval Variables......376
The list_copy_limit Variable....................................................................377
The localUsersFile.FilterType Property.............................................377
The default_users_file_cis_search Property.....................................377
The log_forwarding Variable.......................................................................377
The log_generated_request Variable.......................................................378
The ourhostname Variable.............................................................................378
The packet_log Variable...............................................................................378
The radius_log_fmt Variable.......................................................................379
The reply_check Variable.............................................................................379
OTP Authentication Related Configuration Items................................................379
The clients File........................................................................................................380
Prefixed Users and authfile...............................................................................380
Wildcard Support for IPv4 and IPv6......................................................................381
The users File ............................................................................................................381
Syntax of a User Entry ...........................................................................................382
Syntax of IPv6 Attributes.......................................................................................382
NAS-IPv6-Address...........................................................................................382
Framed-Interface-Id..........................................................................................382
Framed-IPv6-Prefix...........................................................................................383
Login-IPv6-Host................................................................................................383
Framed-IPv6-Route...........................................................................................384
Framed-IPv6-Pool.............................................................................................384
With Tunneling ......................................................................................................384
The dictionary File .................................................................................................385
Attribute Entries ....................................................................................................386
Pruning Expressions ..............................................................................................387
Value Entries ..........................................................................................................388
The las.conf File .....................................................................................................389
LAS Session Timing Parameters ...........................................................................389
Token Pool Configuration .....................................................................................390
Realm Configuration .............................................................................................391
The vendors File .......................................................................................................392
Syntax of a vendors File.......................................................................................392
The log.config File .................................................................................................393
Syntax of a Stream Entry........................................................................................393
Default Entry .........................................................................................................395
End Entry ...............................................................................................................395
Logging Multiple Streams .....................................................................................395
Values Logged by Default.................................................................................395
Examples................................................................................................................396
Livingston Call Detail Record (CDR) Format...................................................396
Multiple Logging Streams ...............................................................................396
Logging Based on attributes.............................................................................397
Accounting Log Based on Attribute Value.......................................................398
Changing the Accounting Log Rollover Interval.............................................399
32 Attribute-Value Pairs.........................................................................................................400
Specifying Attribute-Value Pairs.................................................................................400
Attribute-Value Formats........................................................................................400
Examples................................................................................................................401
Tagged Attributes ..................................................................................................401
Attributes in User Profiles...........................................................................................401
Configuration Attributes........................................................................................402
Local Authorization Service (LAS) Configuration...........................................403
Simultaneous-Use Attribute........................................................................404
Attributes Concerning OTP Authentication...............................................404
Check (and Deny) Items..............................................................................................404
Attributes Concerning the NAS.............................................................................404
Policy Attributes.....................................................................................................405
Other Attributes.....................................................................................................406
Reply Items..................................................................................................................406
General Attributes..................................................................................................408
Attributes Concerning Login Users.......................................................................409
Attributes for Framed Users..................................................................................410
Tunneling Attributes..............................................................................................411
Other Attributes.....................................................................................................414
Attributes in Accounting Records...............................................................................415
Additional Session Information.............................................................................415
33 MIB Objects...................................................................................................................419
MIB Objects..................................................................................................................419
A Supported IETF RFCs..............................................................................................................424
B Supported Authentication Methods...........................................................................................426
C RADIUS Data Packets.............................................................................................................428
Data Packet Format...........................................................................................................428
Attribute-Value Pair Format .......................................................................................428
D Header Files, Data Structures, and APIs in the HP-UX AAA Server SDK........................................430
Header Files and Data Structures in the SDK...................................................................430
APIs in the HP-UX AAA Server SDK...............................................................................430
A-V Pair APIs..............................................................................................................431
sdk_avp_t *sdk_avp_allocate()..............................................................................431
void sdk_avp_free()................................................................................................431
int sdk_get_avp_info()...........................................................................................431
int sdk_set_avp()....................................................................................................432
int sdk_set_vend_avp()..........................................................................................432
Authreq APIs...............................................................................................................433
sdk_avp_t *sdk_find_avp()....................................................................................433
sdk_avp_t *sdk_find_vend_avp()..........................................................................434
int sdk_del_avp()....................................................................................................435
int sdk_insert_avp()...............................................................................................435
int sdk_get_authreq_info().....................................................................................436
Logging APIs...............................................................................................................438
int sdk_logit().........................................................................................................438
int sdk_log_debug()...............................................................................................439
Asynchronous Event and I/O APIs.............................................................................440
int sdk_pollfd_register().........................................................................................440
int sdk_pollfd_unregister()....................................................................................440
int sdk_schedule_event()........................................................................................441
Secondary APIs............................................................................................................441
sdk_authreq_t *sdk_get_authreq_by_id()..............................................................441
char *sdk_get_config_dir().....................................................................................442
int sdk_set_authreq()..............................................................................................442
int sdk_get_client_info().........................................................................................442
int sdk_decrypt_passwd()......................................................................................443
int sdk_encrypt_passwd()......................................................................................444
E Syntax of the Decision Files in Earlier Versions of the HP-UX AAA Server......................................445
Expressions ......................................................................................................................445
Specifying Attributes in Group Entries ...........................................................................446
Dynamic Access Control ............................................................................................446
Internal Values ............................................................................................................447
Using Indirection .............................................................................................................447
Example Group Entries ....................................................................................................448
DNIS.grp for DNIS Routing........................................................................................448
DAC.grp for Dynamic Access Control.......................................................................449
Glossary of Terms......................................................................................................................452
Index........................................................................................................................................458
List of Figures
1-1 Typical AAA Network Topology................................................................................32
1-2 Client-Server RADIUS Transaction.............................................................................33
1-3 Authentication Process................................................................................................36
1-4 Default Action Sequence.............................................................................................38
1-5 Authentication Steps...................................................................................................39
1-6 Authorization Steps....................................................................................................41
4-1 Return Value After Successfully Starting a AAA Server............................................65
4-2 Server Manager’s Start Options Screen.......................................................................65
4-3 Algorithm for Determining Which FSM to Load........................................................69
5-1 The HP-UX AAA Server Manager User Interface......................................................76
6-1 Server Manager’s Connected Server Screen................................................................78
6-2 The Add Connection Screen........................................................................................79
6-3 The Modify Connection Screen...................................................................................80
6-4 The Delete Server Connections Screen........................................................................81
6-5 Server Manager’s Server Status Frame........................................................................81
6-6 Server Manager’s Load Configuration Screen............................................................83
6-7 Server Manager’s Save Configuration Screen.............................................................83
7-1 Server Manager’s Access Device Screen.....................................................................84
7-2 Server Manager’s Access Device Attributes Screen....................................................85
7-3 The Delete Access Device Screen................................................................................88
8-1 Server Manager’s Local Realms Screen.......................................................................89
8-2 Server Manager’s Local Realm Attributes Screen.......................................................90
8-3 The Delete Local Realm Screen...................................................................................94
8-4 User Storage Parameters for Database Access via SQL..............................................95
8-5 New Oracle Server Screen.........................................................................................100
9-1 Proxy Configuration..................................................................................................105
9-2 Server Manager’s Proxy Screen.................................................................................106
9-3 Server Manager’s Proxy Attributes Screen................................................................107
9-4 The Delete Proxy Screen............................................................................................114
10-1 Server Manager’s Users Screen.................................................................................115
10-2 The Add Users Screen...............................................................................................117
10-3 The Modify Users Screen..........................................................................................120
10-4 The Delete Users Screen............................................................................................121
11-1 Server Manager’s Server Properties Screen...............................................................122
12-1 Server Manager’s Logfile Screen...............................................................................130
12-2 Server Manager’s Statistics Screen............................................................................132
12-3 AAA Server Statistics Example.................................................................................132
12-4 Accounting Logfile Search Screen in Server Manager .............................................133
12-5 Detailed Accounting Record for a Selected User......................................................134
13-1 The Secure LAN Advisor For Securing WLANs......................................................143
13-2 Server Manager’s Certificate Properties Screen........................................................150
14-1 Sessions Search Filter Screen.....................................................................................152
14-2 Example Return for a Sessions Search ......................................................................153
14-3 Example of a Session’s Attributes..............................................................................153
15-1 The Users Screen.......................................................................................................157
15-2 The Framed User Attributes Form............................................................................158
15-3 The Users Screen.......................................................................................................159
15-4 The Framed User Attributes Form............................................................................160
16-1 OATH Standards-Based OTP Authentication Flow and the HP-UX AAA Server....163
16-2 OTP Authentication Configuration Flowchart.........................................................167
16-3 Usage of Bit Masks to set OTP Authentication Actions............................................170
18-1 SQL Access Components...........................................................................................208
18-2 RADIUS Attribute to SQL Statement Mapping........................................................210
18-3 The User Database Administration Manager ..........................................................238
18-4 The Add User Screen.................................................................................................239
18-5 The Token Validate Screen........................................................................................242
18-6 The Enroll Token Screen............................................................................................244
18-7 The Synchronize Token Screen..................................................................................245
18-8 The User Statistics Screen..........................................................................................246
19-1 Authentication Process with Oracle..........................................................................249
19-2 Oracle Database Table Format...................................................................................253
23-1 SecurID Add Client Screen........................................................................................264
23-2 SecurID Edit Client Screen........................................................................................265
24-1 Default FSM State Transitions...................................................................................271
25-1 Flow of the Request Ingress Policy............................................................................305
25-2 Flow of the User Policy..............................................................................................306
25-3 Flow of the Reply Egress Policy................................................................................307
25-4 Flow of the Proxy Egress Policy................................................................................308
25-5 Flow of the Proxy Ingress Policy...............................................................................309
26-1 SDK Plug-in Example................................................................................................316
27-1 AAA Environment Components...............................................................................328
27-2 HP-UX AAA Server Operation.................................................................................329
28-1 Troubleshooting Flowchart.......................................................................................333
C-1 RADIUS Request/Reply Message Format.................................................................428
C-2 Attribute-Value Pair Format......................................................................................429
List of Tables
1 HP-UX AAA Server Administrator’s Guide Printing History...................................25
2 HP-UX 11i Releases.....................................................................................................26
1-1 Commands, Utilities, and Daemons...........................................................................37
1-2 How Requests are Altered Using the proxy-egress and proxy-ingress Policies........42
3-1 File Locations Upon Installation.................................................................................51
3-2 Files Generated During Operation..............................................................................54
3-3 Ports Associated with RMI Objects that must be Configured....................................59
4-1 Server Start Options....................................................................................................66
4-2 radiusd Options..........................................................................................................67
4-3 New Server Connection Screen Fields........................................................................70
6-1 Fields in the Connection Attributes Form...................................................................79
6-2 Icons in Server Manager’s Server Status Frame..........................................................82
7-1 Add Access Device Configuration Form Options......................................................86
8-1 Fields in the Local Realm Attributes Form.................................................................90
8-2 Special Entries.............................................................................................................93
8-3 Values for Configuring Realms for LDAP..................................................................96
8-4 Options......................................................................................................................103
9-1 Proxy Configuration Options....................................................................................108
9-2 Options for Forwarding Requests.............................................................................110
9-3 Accounting Logging Options....................................................................................112
10-1 General Attributes in the Add User Screen...............................................................117
11-1 DHCP Relay Properties.............................................................................................123
11-2 DNS Update Properties.............................................................................................124
11-3 Message Handling Properties...................................................................................124
11-4 Certificate Path Properties.........................................................................................126
11-5 ProLDAP Properties..................................................................................................128
12-1 Filter Parameters for Searching Logfiles...................................................................130
12-2 Statistic Search Parameters .......................................................................................132
12-3 Accounting Logfile Search Parameters ....................................................................133
12-4 Reasons Why The Record Was Generated................................................................135
13-1 LAN Configuration Items.........................................................................................144
13-2 Supported EAP Methods and Their Features...........................................................146
16-1 Bit Masks to Configure OTP Authentication Tasks..................................................169
16-2 Common OTP Authentication Actions.....................................................................171
16-3 Attributes for Configuring OTP Authentication.......................................................172
16-4 System-Wide OTP Configuration Items....................................................................175
16-5 SQL actions and Stored Procedures that Support OTP Authentication...................195
17-1 The HP-UX AAA Server LDAP Schema...................................................................205
18-1 The sqlaccess.config Sample File.....................................................................212
18-2 Database Access Parameters.....................................................................................220
18-3 Input Mapping Data Types and Syntax....................................................................222
18-4 Output Mapping Data Types and Syntax.................................................................223
18-5 RAD Mapping Parameters........................................................................................223
18-6 DBC Mapping Parameters.........................................................................................225
18-7 DBP Mapping Parameters.........................................................................................226
18-8 Pre-defined Mapping Functions...............................................................................228
18-9 Pre-defined Conversion Functions............................................................................229
18-10 Fields in the Add Users Form...................................................................................239
18-11 Fields in the Enroll Token Device Form....................................................................244
18-12 Fields in the Synchronize Token Form......................................................................246
18-13 Valid Token Status Values.........................................................................................247
19-1 Files Related to db_srv..............................................................................................250
19-2 AUTH_NET_USERS Table........................................................................................254
24-1 Predefined Event Names...........................................................................................274
24-2 Available Actions.......................................................................................................277
24-3 Predefined FSM Tables..............................................................................................278
25-1 Examples Illustrating the Use of the delete Command.........................................286
25-2 Behavior of the insert Command in Various Scenarios........................................288
25-3 Examples Illustrating the Use of the insert Command.........................................288
25-4 Examples Illustrating the Use of the modify Command.........................................289
25-5 A-V Pair Expression Operators.................................................................................302
25-6 Compatible Attribute Types......................................................................................304
25-7 Attributes Typically Used in Policy Group Conditions and Replies........................309
25-8 Interlink-specific Attributes Used by DAC...............................................................311
28-1 Common Problems with the Server Manager...........................................................336
28-2 Common Problems with HP-UX AAA Server Startup.............................................339
28-3 Common Configuration Problems............................................................................344
28-4 External Service Failure Problems............................................................................347
28-5 Common Authentication Failure Problems..............................................................353
28-6 EAP Problems............................................................................................................361
29-1 Debugging Levels in the HP-UX AAA Server..........................................................367
31-1 Default LAS Session Timing Parameters..................................................................390
31-2 Information Recorded by LOG_V2_o.......................................................................395
32-1 Reply Item Attributes................................................................................................406
32-2 Session Termination Causes......................................................................................416
33-1 MIB Objects and Definitions.....................................................................................419
A-1 Supported IETF RFCs................................................................................................424
A-2 Additional IETF RFCs Supported by HP-UX AAA Server.......................................424
A-3 AAA RFCs Supported by HP-UX AAA Server.........................................................425
C-1 RADIUS Request/Reply Message Format Description ............................................428
C-2 Attribute Value Pair Format Description .................................................................429
D-1 Actions Performed as a Result of the loc_avp A-V Pair.............................................436
D-2 Information Types.....................................................................................................437
D-3 HP-UX AAA Server Debug Levels............................................................................439
D-4 Possible Values of the infotype Parameter..................................................................443
E-1 A-V Pair Expression Operators.................................................................................445
E-2 A-V Pair Expression Examples..................................................................................446
List of Examples
18-1 Define the Oracle Database Connection Parameters................................................221
18-2 Define the MySQL Database Connection Parameters...............................................221
18-3 User and Password Input and Output Mappings.....................................................227
18-4 SQL Statement to Delete a Row................................................................................230
18-5 SQL Statement with Result Mapping - OCI..............................................................232
18-6 SQL Action with Null Source and Target Mappings................................................234
18-7 Timestamp Synchronization.....................................................................................235
18-8 FSM with Accounting Log via SQL Access...............................................................236
18-9 Remove Session Stored Procedure Definition...........................................................237
25-1 An example of a policy file that restricts Session-Timeout to one hour for guests,
removes unwanted attributes, and provides administrative privileges to
administrators...........................................................................................................285
25-2 Examples Illustrating the Use of the if Command..................................................293
25-3 Examples Illustrating the Use of the offset Keyword...........................................298
25-4 Examples Illustrating the Use of the before Keyword...........................................299
25-5 Examples Illustrating the Use of the after Keyword.............................................300
25-6 Examples Illustrating Precedence Rules...................................................................303
26-1 Example of a Pre-Paid Billing Application Using a Plug-in Created Using the HP-UX
AAA Server SDK.......................................................................................................316
31-1 Examples of NAS-IPv6-Address Attribute Syntax...................................................382
31-2 Examples of Framed-Interface-Id Attribute Syntax..................................................383
31-3 Examples of Framed-IPv6-Prefix Attribute Syntax...................................................383
31-4 Examples of Login-IPv6-Host Attribute Syntax.......................................................384
31-5 Example of a Framed-IPv6-Route Attribute Syntax.................................................384
31-6 Example of a Framed-IPv6-Pool Attribute Syntax....................................................384

About This Document

This document provides an overview of the HP-UX AAA Server and describes how to configure, administer, and troubleshoot the product. This document does not cover installing the product.
The document printing date and part number on the cover indicate the document’s current edition. The printing date and part number change when a new edition is printed. Minor changes can be made at reprint without changing the printing date. The document part number changes when extensive changes are made.
Document updates may be issued between editions to correct errors or document product changes. To ensure that you receive the updated or new editions, subscribe to the appropriate product support service. Contact your HP sales representative for details.
The latest version of this document is available at:
http://www.docs.hp.com/en/internet.html#AAA%20Server%20%28RADIUS%29.

Intended Audience

This document is intended for HP-UX AAA Server administrators who understand the HP-UX operating system.

New and Changed Information in This Edition

The following additions and changes have been made for this edition:
Includes a new chapter called “OATH Standards-Based OTP Authentication” that describes OATH standards-based authentication and procedures for configuring OATH standards-based OTP and two-factor authentication.
Includes a new section called “Administering Users and Tokens Stored in an SQL Database” that describes how to use the User Database Administration tool to manage users and tokens stored in an SQL database.
Includes a new chapter called “Customizing the HP-UX AAA Server Using Policies” that describes the advanced policy syntax for decision files.
Includes a new chapter called “Customizing the HP-UX AAA Server Using the SDK” that describes how to use the SDK to customize the HP-UX AAA Server. Additionally, Appendix D (page 430) describes the new header files and APIs included in the SDK.
Other minor changes have been made throughout the document, as required.

Document Organization

The HP-UX AAA Server A.07.01 Administrator's Guide is organized as follows:
Part I — Introduction provides general information about the HP-UX AAA Server product and the RADIUS protocol. It also describes how to secure your HP-UX AAA Server installation.
Part II — Configuring the HP-UX AAA Server Manager Using the Server Manager GUI describes how to use the Server Manager to administer your AAA environment.
Part III — Advanced Configuration Information provides information on advanced topics, such as securing LAN access using EAP, session management, assigning IP addresses, and configuring OTP and two-factor authentication.
Part IV — Integrating the HP-UX AAA Server With External Services describes how to integrate the HP-UX AAA Server with external services such as Lightweight Directory Access Protocol (LDAP), SQL Access, Oracle, Dynamic Host Configuration Protocol (DHCP), Simple Network Management Protocol (SNMP), and Virtual Private Network (VPN).
Part V — Customizing the HP-UX AAA Server describes how to customize the HP-UX AAA Server to meet various deployment scenarios.
Part VI — Troubleshooting provides guidelines and error messages to help troubleshoot issues with the HP-UX AAA Server.
Part VII — Reference provides information to supplement the task-based information in the previous parts of the document. Use the information in this part to learn more about non-task-based topics such as configuration files and attribute-value pairs.
Appendix A (page 424) lists all the RFCs that are supported by the HP-UX AAA Server.
Appendix B (page 426) lists and describes all the authentication methods that are supported by the HP-UX AAA Server.
Appendix C (page 428) provides information about the RADIUS data packet format.
Appendix D (page 430) lists and describes all the header files, data structures, and APIs included in the HP-UX AAA Server SDK.
Appendix E (page 445) discusses the syntax of decision files that are supported by previous versions of the HP-UX AAA Server.

Publishing History

The following table shows the printing history of this document. The first entry in the table corresponds to the current edition, and previous editions are listed in reverse chronological order.
Table 1 HP-UX AAA Server Administrator’s Guide Printing History

Supported OS                   | Supports Software Version | Document Release Date (month/year) | Document Part Number
HP-UX 11i v1, 11i v2, 11i v3   | A.07.01                   | 03/08                              | T1428-90066
HP-UX 11i v1, 11i v2, 11i v3   | A.07.00                   | 09/07                              | T1428-90064
HP-UX 11i v1, 11i v2           | A.07.00                   | 09/06                              | 5991-6434
HP-UX 11i v1, 11i v2           | A.06.02                   | 11/05                              | T1428-90061
HP-UX 11.00, 11i v1, 11i v2    | A.06.01.x                 | 01/04                              | T1428-90050
HP-UX 11.00, 11i v1            | A.06.01.x                 | 10/03                              | T1428-90042
HP-UX 11.00, 11i v1            | A.06.00.08                | 04/03                              | T1428-90025
HP-UX 11.00, 11i v1            | A.06.00.07                | 02/03                              | T1428-90014
HP-UX 11.00, 11i v1            | A.05.01.01                | 06/02                              | T1428-90001

Typographic Conventions

This document uses the following typographical conventions:
audit(5)      An HP-UX manpage. In this example, audit is the name and 5 is the section in the HP-UX Reference. On the web and on the Instant Information CD, it may be a link to the manpage itself. From the HP-UX command line, you can enter “man audit” or “man 5 audit” to view the manpage. See man(1).
Book Title    The title of a book. On the web and on the Instant Information CD, it may be a link to the book itself.
KeyCap        The name of a keyboard key. Note that Return and Enter both refer to the same key.
Emphasis      Text that is emphasized.
Emphasis      Text that is strongly emphasized.
Term          The defined use of an important word or phrase.
ComputerOut   Text displayed by the computer.
UserInput     Commands and other text that you type.
Command       A command name or qualified command phrase.
Variable      The name of a variable that you may replace in a command or function, or information in a display that represents several possible values.
[ ]           The contents are optional in formats and command descriptions. If the contents are a list separated by |, you can choose one of the items.
{ }           The contents are required in formats and command descriptions. If the contents are a list separated by |, you can choose one of the items.
...           The preceding element can be repeated an arbitrary number of times.
|             Separates items in a list of choices.

HP-UX Release Name and Release Identifier

Each HP-UX 11i release has an associated release name and release identifier. The uname(1) command with the -r option returns the release identifier. The following table lists the releases available for HP-UX 11i.
Table 2 HP-UX 11i Releases

Release Name   | Release Identifier
HP-UX 11i v1   | B.11.11
HP-UX 11i v2   | B.11.23
HP-UX 11i v3   | B.11.31

Related Information

In addition to this document, further information about the HP-UX AAA Server can be found in the Internet and Security Solutions collection under AAA Server (RADIUS) at:
http://www.docs.hp.com/en/internet.html#AAA%20Server%20%28RADIUS%29

HP Encourages Your Comments

HP encourages your comments concerning this document. We are committed to providing documentation that meets your needs.
Send your comments to: netinfo_feedback@cup.hp.com
Include the document title, manufacturing part number, and any comment, error found, or suggestion for improvement you have concerning this document.

Part I Introduction

This part of the HP-UX AAA Server Administrator’s Guide contains the following chapters:
Chapter 1: “Overview: The HP-UX AAA Server ” (page 30)
Chapter 2: “Upgrading to Version A.07.01” (page 45)
Chapter 3: “Installing and Securing the HP-UX AAA Server” (page 49)
Chapter 4: “Enabling the HP-UX AAA Server for GUI-based Administration” (page 62)
Table of Contents
1 Overview: The HP-UX AAA Server .............................................................................................30
RADIUS Topology .............................................................................................................31
Establishing a RADIUS Session..........................................................................................32
Product Structure................................................................................................................34
HP-UX AAA Server Daemon, Libraries, and Utilities .................................................34
HP-UX AAA Server Manager Program .......................................................................34
Documentation..............................................................................................................34
HP-UX AAA Server Architecture ......................................................................................35
Configuration Files .......................................................................................................36
AATV Plug-Ins .............................................................................................................36
The Software Engine: Finite State Machine ..................................................................36
HP-UX AAA Server Commands, Utilities and Daemons..................................................37
Handling an Access Request..............................................................................................37
Authentication to Verify the Client and User ...............................................................38
Authorization to Control Sessions and Access to Services ..........................................40
Authorization Steps ................................................................................................41
Session Logs For Accounting .............................................................................................44
IPv6 Support for External Services.....................................................................................44
2 Upgrading to Version A.07.01...................................................................................................45
The HP-UX AAA Server Upgrade Process.........................................................................45
Upgrading from Versions A.07.00, A.06.02, or A.06.01 to Version A.07.01........................45
Upgrading from Version A.06.00.x to Version A.07.01.......................................................46
Upgrading from Version A.05.x to Version A.07.01...........................................................48
Merging the Dictionary File................................................................................................48
Merging the radius.fsm File...........................................................................................48
Merging the vendors File.................................................................................................48
3 Installing and Securing the HP-UX AAA Server.............................................................................49
Acquiring the HP-UX AAA Server Software.....................................................................49
Installing and Uninstalling the HP-UX AAA Server..........................................................49
To Install the HP-UX AAA Server.................................................................................49
To Uninstall the HP-UX AAA Server Software.............................................................50
HP-UX AAA Server File Locations ....................................................................................51
Securing the HP-UX AAA Server.......................................................................................55
Changing the Default HP-UX AAA Server Settings ....................................................55
Changing the Default Tomcat User Name and Password.......................................55
Changing the Default RMI Objects Secret...............................................................55
Changing the Default test_user Settings..................................................................56
Changing the Default localhost Proxy Settings.......................................................56
Environment Specific Security Procedures ..................................................................56
Using Secure Socket Layer (SSL) for Secured Remote Server Manager Administration.........................................................................................56
Creating a Tomcat Identity Specifically for the HP-UX AAA Server .....................58
Running the HP-UX AAA Server on Hosts with System Hardening Software......59
Running the HP-UX AAA Server as a Non-Root User............................................59
Setting Up the HP-UX AAA Server to Start as Non-Root User After Reboot.........60
4 Enabling the HP-UX AAA Server for GUI-based Administration......................................................62
Accessing the Server Manager............................................................................................62
Starting and Stopping the RMI Objects.........................................................................62
Starting and Stopping Tomcat.......................................................................................62
Testing the Installation .......................................................................................................63
To Test the Installation...................................................................................................63
Starting AAA Servers Using Server Manager....................................................................64
AAA Server Start Options.............................................................................................65
Server Manager’s Reload Feature..................................................................................66
Starting AAA Servers From the Command Line...............................................................67
Configuring the HP-UX AAA Server to Start Automatically Upon System Reboot.......................................................................................................................69
Stopping or Restarting HP-UX AAA Servers.....................................................................69
Using Server Manager...................................................................................................70
From the Command Line..............................................................................................70
Adding an HP-UX AAA Server to Your Network.............................................................70

1 Overview: The HP-UX AAA Server

The Remote Authentication Dial In User Service (RADIUS) protocol defines a standard for information exchange between a network device or software application and an authentication, authorization, and accounting (AAA) server to manage and track user access to network services.
A RADIUS AAA server provides authentication (verifying user credentials), authorization (supplying provisioning information for the user), and accounting (storage of usage information into accounting logs) services to devices and software applications (AAA clients) that support the IETF RADIUS standards.
The AAA or RADIUS client is the access device or application that acts as an enforcement point to control access to a resource. The user device itself or application requesting access to the resource is referred to as the supplicant.

RADIUS Topology

The RADIUS protocol follows the client-server architecture. The client sends user information to the AAA server using Access-Request or Accounting-Request messages. The AAA server processes the request locally, or, if acting as a proxy server, forwards (proxies) the request to a secondary RADIUS Server.
When processing a RADIUS request locally, the AAA server can utilize additional external services (LDAP, external database access, DHCP, and so on.) to service the request.
The processing of RADIUS requests is usually configured on a per-realm basis. A realm is a group of users sharing a common component in the Network Access Identifier (NAI) attribute in the RADIUS request (for example, "example.org" is the realm component for "username@example.org").
In Figure 1-1 (page 32), a sample Internet Service Provider (ISP) uses four AAA servers to handle user requests. User organizations are grouped into realms. Each user connects to one of the ISP's servers through a local Network Access Server (NAS). The NAS sends a RADIUS Access-Request containing the user's credentials to one of the AAA servers. In turn, the AAA server accesses user and policy information from the repository specified for the user's realm. The repository can be in flat text files associated with the AAA Server, an external database or LDAP Server, or an HP-UX Unix user repository.
When authenticating users stored in replicated LDAP directory servers or databases, the server can be configured to perform load balancing and failover to achieve greater scalability and availability.
Figure 1-1 Typical AAA Network Topology

Establishing a RADIUS Session

A RADIUS session tracks the life of a user session through a series of message exchanges. RADIUS sessions are used to limit simultaneous access to a resource for users who share the same credential, and to manage the allocation and release of IP addresses acquired on behalf of the user by the AAA server. Figure 1-2 (page 33) illustrates the transaction between a RADIUS AAA server and a client:
Figure 1-2 Client-Server RADIUS Transaction
When the user's device connects to the client, the client sends a RADIUS Access-Request to the AAA server. When the server receives the request, it validates the sending client. If the client is permitted to send requests to the server, the server then takes information from the Access-Request and attempts to match the request to a user profile. If all conditions are met, the server sends an Access-Accept packet to the client; otherwise, the server sends an Access-Reject packet. An Access-Accept data packet often includes authorization information that specifies the services the user can access and other session information, such as a timeout value that indicates when the user must be disconnected from the system.
When the client receives an Access-Accept packet, it generates an Accounting-Request to start the session and sends the request to the server. The Accounting-Request data packet describes the type of service being delivered and the user of the service. The server then responds with an Accounting-Response to acknowledge that the request was successfully received and recorded. The user's session ends when the client generates an Accounting-Request, triggered by the user, the client, or an interruption in service, to stop the session. The server acknowledges the Accounting-Request with an Accounting-Response.
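The exchange just described, shown on the wire as an added example (this is not HP-UX AAA Server code): a client builds an Access-Request with a PAP User-Password hidden under the shared secret, the server looks the client up by address before it reads anything else, answers Access-Accept or Access-Reject with a Response Authenticator the client can verify, and the client then sends an Accounting-Request Start whose authenticator the server checks. Packet layouts follow RFC 2865 and RFC 2866; the shared secret, client address, user entry and Session-Timeout value are constructed for the example.

```python
"""Added example, not HP-UX AAA Server code: the RADIUS exchange of Figure 1-2
on the wire (RFC 2865/2866), using a constructed secret, client and user entry."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCT_REQUEST = 1, 2, 3, 4
USER_NAME, USER_PASSWORD, SESSION_TIMEOUT, ACCT_STATUS_TYPE = 1, 2, 27, 40
ACCT_START, ACCT_STOP = 1, 2


def encode_attrs(attrs):
    """Attributes are Type(1) Length(1) Value; integers are 4-byte big-endian."""
    out = b""
    for t, v in attrs:
        if isinstance(v, int):
            v = struct.pack("!I", v)
        out += struct.pack("!BB", t, 2 + len(v)) + v
    return out


def decode_attrs(data):
    """Parse the attribute area, refusing lengths that run past the packet."""
    attrs, i = {}, 0
    while i < len(data):
        t, ln = data[i], data[i + 1]
        if ln < 2 or i + ln > len(data):
            raise ValueError("malformed attribute")
        attrs[t] = data[i + 2:i + ln]
        i += ln
    return attrs


def xor_password(data, secret, authenticator, hidden):
    """RFC 2865 5.2: each 16-byte block is XORed with MD5(secret + previous
    ciphertext block); hiding and revealing differ only in which block chains."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        res = bytes(a ^ b for a, b in zip(block, key))
        out += res
        prev = block if hidden else res
    return out


def hide_password(password, secret, request_auth):
    padded = password + b"\x00" * (-len(password) % 16)
    return xor_password(padded, secret, request_auth, hidden=False)


def reveal_password(hidden, secret, request_auth):
    return xor_password(hidden, secret, request_auth, hidden=True).rstrip(b"\x00")


def access_request(secret, ident, user, password):
    req_auth = os.urandom(16)  # fresh Request Authenticator for every request
    body = encode_attrs([(USER_NAME, user), (USER_PASSWORD, hide_password(password, secret, req_auth))])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body


def reply_for(code, request, secret, attrs):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = encode_attrs(attrs)
    hdr = struct.pack("!BBH", code, request[1], 20 + len(body))
    return hdr + hashlib.md5(hdr + request[4:20] + body + secret).digest() + body


def reply_is_authentic(reply, request, secret):
    """The client's check on an Access-Accept/Reject: recompute the authenticator."""
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])


def accounting_request(secret, ident, attrs):
    """RFC 2866: authenticator = MD5 over the packet with 16 zero bytes, then the secret."""
    body = encode_attrs(attrs)
    hdr = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(body))
    return hdr + hashlib.md5(hdr + b"\x00" * 16 + body + secret).digest() + body


def accounting_request_is_authentic(pkt, secret):
    expected = hashlib.md5(pkt[:4] + b"\x00" * 16 + pkt[20:] + secret).digest()
    return hmac.compare_digest(expected, pkt[4:20])


def server_access(pkt, client_addr, clients, users):
    """Server side: the sending client must be known before the request is used at all."""
    secret = clients.get(client_addr)
    if secret is None:
        return None  # unknown client: silently discarded, no reply
    attrs = decode_attrs(pkt[20:])
    user = attrs.get(USER_NAME, b"")
    password = reveal_password(attrs.get(USER_PASSWORD, b""), secret, pkt[4:20])
    if user in users and hmac.compare_digest(users[user], password):
        return reply_for(ACCESS_ACCEPT, pkt, secret, [(SESSION_TIMEOUT, 3600)])
    return reply_for(ACCESS_REJECT, pkt, secret, [])


def demo():
    secret = b"constructed-shared-secret"
    clients = {"192.0.2.10": secret}            # constructed clients table
    users = {b"guest@example.org": b"public"}   # constructed user entry
    req = access_request(secret, 7, b"guest@example.org", b"public")
    acc = server_access(req, "192.0.2.10", clients, users)
    bad = server_access(access_request(b"wrong-secret", 8, b"guest@example.org", b"public"),
                        "192.0.2.10", clients, users)
    start = accounting_request(secret, 9, [(USER_NAME, b"guest@example.org"), (ACCT_STATUS_TYPE, ACCT_START)])
    return {
        "accept": acc[0] == ACCESS_ACCEPT and reply_is_authentic(acc, req, secret),
        "timeout": struct.unpack("!I", decode_attrs(acc[20:])[SESSION_TIMEOUT])[0],
        "wrong_secret_rejected": bad[0] == ACCESS_REJECT,
        "unknown_client_dropped": server_access(req, "203.0.113.5", clients, users) is None,
        "acct_ok": accounting_request_is_authentic(start, secret),
        "acct_tampered": accounting_request_is_authentic(start[:-1] + b"\x00", secret),
    }
```

Two points the exchange makes visible: a client that does not share the server's secret cannot produce a usable User-Password, so its request fails closed with an Access-Reject, and a request from an address that is not in the clients table gets no reply at all, which is the behaviour step 1 of the authentication steps later in this chapter describes.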

Product Structure

The HP-UX AAA Server is based on the client-server architecture. The HP-UX AAA Server consists of the following components:
HP-UX AAA Server daemon, libraries, and utilities
The AAA Server Manager program that performs administration and configuration tasks from a web browser for one or more AAA servers
Documentation (Administrator’s Guide, READMEs, and the Secure LAN Advisor help system)
NOTE: To secure the communication between the Server Manager and HP-UX AAA Server, install the Server Manager and the HP-UX AAA Server in a secure network.
HP-UX AAA Server Daemon, Libraries, and Utilities
The server daemon, libraries, and utilities perform the authentication, authorization, and accounting functions while processing requests. The HP-UX AAA Server also includes the AAA RMI objects. The RMI objects provide communication between the HP-UX AAA Server and the HP-UX Tomcat-based Servlet Engine which hosts the HP-UX AAA Server Manager.
HP-UX AAA Server Manager Program
The HP-UX AAA Server Manager utilizes the HP-UX Tomcat-based Servlet Engine to provide a configuration interface between a web browser and one or more HP-UX AAA Servers. The Server Manager is used for configuring and managing the servers. In addition, the Server Manager can retrieve logged server sessions and accounting information for an administrator. By specifying a set of HP-UX AAA Servers, the Server Manager can be used to manage a group of HP-UX AAA Servers with a common configuration.
Documentation
The following documentation is accessible through the Server Manager:
Context-sensitive help on the Server Manager's buttons and options
A Secure LAN Advisor help system to guide you through securing your Wireless Local Area Networks (WLANs) with the HP-UX AAA Server. The Secure LAN Advisor provides information only; it does not edit configuration files
The HP-UX AAA Server Administrator's Guide in .pdf format. Use this document for step-by-step instructions on configuring the HP-UX AAA Server.
IMPORTANT: For the most recent product documentation, see http://www.docs.hp.com.

HP-UX AAA Server Architecture

The HP-UX AAA Server architecture consists of the following components:
Configuration files. Files to provide the information necessary for the server to perform authentication, authorization, and accounting requests for your system. In most cases, these files can be modified by using the Server Manager.
AATV plug-ins. Dynamically loaded libraries that perform discrete actions, such as initiating an authentication request, replying to an authentication request, or logging an accounting record.
The radiusd software engine, which includes the Finite State Machine (FSM) and associated routines. At server startup, the FSM reads instructions from the state table in the /etc/opt/aaa/radius.fsm configuration file. The state table outlines what AATV actions to call and what order to call them in.
When the server is initialized, it loads and initializes the AATV plug-ins. It also reads the configuration files to initialize the data required for the actions to execute according to the application's requirements.
Figure 1-3 illustrates the general process of server initialization and response to an authentication request.
Figure 1-3 Authentication Process
Configuration Files
For detailed information on the server configuration files, see Chapter 31: “Configuration Files” (page 374).
AATV Plug-Ins
An AATV plug-in defines the actions that perform a variety of functions, including authenticating requests, authorization, and logging. Built-in actions support authentication of users using information from several different repositories, and accounting requests using several different polices and storage formats.
For more information on these built-in actions, see “Actions” (page 276).
The Software Engine: Finite State Machine
The Finite State Machine (FSM) controls the step-by-step process that the server follows to process and respond to an authentication request. You can configure the FSM to customize your server configuration without programming software modules. For more information on the Finite State Machine, see Chapter 24: “Customizing the HP-UX AAA Server Using the Finite State Machine” (page 270).

HP-UX AAA Server Commands, Utilities and Daemons

Table 1-1 provides an overview of the HP-UX AAA Server commands, utilities, and daemons.
Table 1-1 Commands, Utilities, and Daemons
Command: Description
radcheck: Sends RADIUS status and protocol requests to a AAA server and displays the replies. Receiving the reply confirms that the HP-UX AAA Server is operational. The radcheck utility can be invoked on any host by any user. However, the HP-UX AAA Server returns more information to registered clients.
raddbginc: Sets the debug logging level for the HP-UX AAA Server. Turns debugging on and off, or sets the level of output, while the AAA Server is running.
radsignal: Rolls over the server log file and accounting stream while the AAA Server is running.
radiusd: RADIUS server daemon. Services user authentication and accounting requests from RADIUS clients. Authentication and accounting requests are transmitted to the radiusd daemon in the form of UDP packets that conform to the RADIUS protocol. The radiusd daemon can be started from the Server Manager, the command line, or at boot time using the /etc/rc.config.d/radiusd.conf file.
radpwtst: RADIUS client utility that can process commands to send requests to and check responses from a RADIUS server.
db_srv: Deprecated. Performs Oracle database access operations for authentication on behalf of one or more remote HP-UX AAA Servers.

Handling an Access Request

When the HP-UX AAA server receives a RADIUS message, it calls the FSM and defines a starting event according to the type of message. This event is stored in the Interlink-Proxy-Action attribute. In the default FSM, the first action for all requests is request-ingress POLICY. If this POLICY is executed successfully, the next action is determined by the event stored in Interlink-Proxy-Action. By default, for an Access-Request this action is iaaaUsers. Figure 1-4 (page 38) shows how the FSM actions interact to process the Access-Request for authentication and authorization.
Figure 1-4 Default Action Sequence
Authentication to Verify the Client and User
The authentication of an access request has a number of distinctive steps, as shown in Figure 1-5 (page 39). The rounded rectangles represent configuration files that the HP-UX AAA Server uses and the ovals represent one or more authentication types.
Figure 1-5 Authentication Steps
Authentication Steps
The following lists the authentication steps followed by the HP-UX AAA Server:
1. After the HP-UX AAA server receives an Access-Request, it attempts to match the client making the request to an entry in the clients file. The server attempts to authenticate a request only if a match can be made.
2. The iaaaUsers action checks the local users file. In this step, the User-Name attribute value from the Access-Request is used to find an entry for the user in the /etc/opt/aaa/users file.
If User-Name matches an entry, the server retrieves that profile and then authentication moves to step 5.
If User-Name does not match an entry, authentication moves to step 3.
3. If the iaaaUsers action does not find a matching user profile in the users file, the FSM calls the iaaaRealm action. The iaaaRealm action parses the User-Name attribute value for a realm name, and searches authfile to determine the data store where the user profiles for the parsed realm are located. A default entry can be used to handle any realms that are not explicitly configured in authfile.
NOTE: If no realm is specified in the NAI, the server assigns the value NULL for the realm. You can configure NULL realm behavior in the same manner as named realms.
4. The iaaaRealm action calls another action that attempts to retrieve a matching user profile from the data store for the realm, as indicated by authfile:
A realm-specific AAA users file;
An external data store, such as LDAP or a database;
A Unix user profile service via the getpwent() system call.
If the realm is defined as a proxy, the RADIUS request is forwarded to the target RADIUS server defined for this realm.
5. The user is authenticated according to the protocol established by the Access-Request. If a password-based protocol (PAP, CHAP, MSCHAP) is specified, the user's password is verified. If an EAP method is used, mutual authentication is carried out according to the EAP type (PEAP, TLS, TTLS, or LEAP).
If User-Name matches no entry, either in a local text file or an external data source, the authentication fails.
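The five steps above as a lookup function, added here as an example (it is not HP-UX AAA Server code and does not read the real users, authfile or clients files). The clients table, the local users, and the authfile-style realm table are constructed; the shape of a realm entry, either a realm-specific users store keyed by the user part of the NAI or a proxy target host, is an assumption made for the example, as is treating the DEFAULT entry as a proxy.

```python
"""Added example, not HP-UX AAA Server code: the authentication lookup order
(clients file, local users, authfile realm, realm data store, password check)
over constructed tables."""
import hmac

# clients file: only requests from listed NAS addresses are processed (step 1)
CLIENTS = {"192.0.2.10": b"constructed-nas-secret"}

# /etc/opt/aaa/users: local profiles matched on the full User-Name (step 2)
USERS = {"alice": {"Password": b"alice-pw"}}

# authfile-style realm table (step 3). The value shape is an assumption for this
# example: ("file", {user: profile}) or ("proxy", target host). "NULL" serves NAIs
# without a realm; "DEFAULT" serves realms that are not listed.
AUTHFILE = {
    "example.org": ("file", {"bob": {"Password": b"bob-pw"}}),
    "partner.net": ("proxy", "radius.partner.net"),
    "NULL": ("file", {"carol": {"Password": b"carol-pw"}}),
    "DEFAULT": ("proxy", "radius.upstream.example"),
}


def split_nai(user_name):
    """Return (user part, realm); the realm is NULL when the NAI carries none."""
    if "@" in user_name:
        user, realm = user_name.rsplit("@", 1)
        return user, realm.lower()
    return user_name, "NULL"


def find_profile(user_name):
    """Steps 2 to 4. Returns ("local", profile), ("proxy", host) or ("none", reason)."""
    profile = USERS.get(user_name)                        # iaaaUsers: exact User-Name match
    if profile is not None:
        return "local", profile
    user, realm = split_nai(user_name)                    # iaaaRealm: parse the realm
    kind, store = AUTHFILE.get(realm, AUTHFILE["DEFAULT"])
    if kind == "proxy":
        return "proxy", store                             # forwarded, not authenticated here
    profile = store.get(user)                             # realm data store, keyed by user part (assumed)
    if profile is None:
        return "none", f"no profile for {user!r} in realm {realm}"
    return "local", profile


def authenticate(client_addr, user_name, password):
    """Step 1, the lookup, then step 5 for a PAP password. Returns the server's outcome."""
    if client_addr not in CLIENTS:
        return "dropped: client not in clients file"
    outcome, detail = find_profile(user_name)
    if outcome == "proxy":
        return f"proxied to {detail}"
    if outcome == "none":
        return f"Access-Reject: {detail}"
    if hmac.compare_digest(detail["Password"], password):
        return "Access-Accept"
    return "Access-Reject: password mismatch"
```

Note the order: a request from an unlisted client is dropped before any user lookup happens, and a user whose NAI has no realm is still looked up, under the NULL realm, after the local users file misses.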
Authorization to Control Sessions and Access to Services
The HP-UX AAA server can authorize users using one of the following methods:
Provisioning on a user-by-user basis with check items and by adding reply items to an Access-Accept message (simple policy)
Through Local Authorization Server (LAS) functions based on realms
Through stored policy decisions based on other logical groups that can add check and reply items to the request
Like authentication, the authorization of an access request has a number of distinctive steps, as shown in Figure 1-6 (page 41). The rounded rectangles represent configuration files and the ovals represent one or more actions called by the FSM.
Figure 1-6 Authorization Steps
Authorization Steps
1. The server receives the Access-Request.
2. The server evaluates the request-ingress policy. This is the first step in the FSM, before the request is dispatched for processing. The request-ingress policy can be used to alter the request in one of the following ways:
A-V pairs may be added, changed, or removed.
The request classification may be altered.
The request may be rejected immediately.
The request may be dropped entirely, and no reply is sent.
If the request-ingress policy is evaluated successfully, the HP-UX AAA Server continues with the authorization process.
3. If a request is being proxied, then the HP-UX AAA Server evaluates the proxy-egress and proxy-ingress policies. The HP-UX AAA Server applies the proxy-egress policy before the RADIUS proxy request message is created and sent. The proxy-ingress policy is applied after the proxy response is received. Table 1-2 discusses how these policies are used to alter requests.
Table 1-2 How Requests are Altered Using the proxy-egress and proxy-ingress Policies
Use of the proxy-egress Policy:
A-V pairs can be added, modified, or removed.
The request may be rejected immediately.
The request may be dropped entirely and no reply is sent.
The proxy target host may be changed.
Use of the proxy-ingress Policy:
A-V pairs can be added, modified, or removed.
The reply type may be altered.
The request may be dropped entirely and no reply is sent.
The request may be rejected immediately.
4. Check Items. After authentication each check item in the user profile is processed or matched against the request's corresponding Attribute-Value (A-V) pairs.
If all the check and deny items associated with User-Name are satisfied, the CHK_DNY action returns an ACK value to the FSM.
If any check or deny item, including the user's password, is not matched correctly, the authentication module returns a NAK value to the FSM. The request fails, and an Access-Reject message is returned to the client.
5. User Policy. All requests are subjected to user policy after authentication. The user policy is applied only after successful authentication. A user policy can be specified in a Policy-Pointer attribute on the request as either a check item or a reply item. If the Policy-Pointer attribute is found in the check items, then the HP-UX AAA Server does not look for one in the reply items. The value of the Policy-Pointer attribute should specify the URL for the decision file to be evaluated. If a request contains a Policy-Pointer attribute, as either a check item or a reply item, the specified policy is applied. If the request does not contain a Policy-Pointer, then no user policy is applied. In this case the POLICY action returns an ACK event to the FSM.
Some policies that can be implemented include:
Dialed Number Identification Service (DNIS): routing requests according to the number called from or called;
Grouping users by NAS addresses or ports;
Control session duration, concurrent usage, or delivered services by logical groupings defined by the contents of specified A-V pairs;
Control access according to any time-based criteria.
6. Local Authorization Server (LAS). The LAS refers to the routines and code in the server that handle authorization. LAS and POSTLAS actions are part of the LAS. Session control with LAS is based on realms. Local session tracking must be explicitly enabled for a realm via the Server Manager or the /etc/opt/aaa/las.conf file. If the realm is not listed, LAS does not enforce any session control for users from that realm. When the LAS handles an Access-Request for a user in a local realm configured in the las.conf file, the LAS module performs the following actions:
Checks the user profile for a Simultaneous-Session attribute-value pair, which determines the maximum number of active sessions the user can have. The default value is 1.
Authorizes or denies service based on Service-Class.
The POSTLAS action performs Simultaneous Access Token (SAT) control, which is used to implement realm-based simultaneous session control.
NOTE: HP recommends not to enable local session tracking for any realms utilizing session management via SQL Access.
7. Reply items refer to the generation of an Access-Accept or Access-Reject message by the ReplyPrep action. By adding reply items to a user's profile or through policy decisions, ReplyPrep can provide a NAS with provisioning information in an Access-Accept data packet. Depending on the capabilities of the NAS, the reply items can be used to control a user's session. For example, the following user entry limits the length of the session and the hosts that can be accessed:
guest@library.org Password = "public" Filter = "library", Session-Timeout = 3600
Users can authenticate as guest@example.org using password public to connect for one hour (3600 seconds) to the library hosts that the filter library allows.
The ReplyPrep action also checks for a Service-Type value, equates the value with user entries, and then appends reply items to the request accordingly. The attribute values for these items specify the default values to use when configuring the connection specified by Service-Type. The special user entries are not used for authentication; the reply items for one of these entries are appended to a request from any user requesting the corresponding service type. If duplicate A-V pairs exist, pruning is applied to determine the A-V pair that must be included in the Access-Accept or Access-Reject message.
8. The HP-UX AAA Server evaluates the reply-egress policy just before the RADIUS reply message is created and sent. The reply-egress policy can be used to alter the request in one of the following ways:
A-V pairs may be added, modified, or removed
The reply type may be modified
The request may be dropped entirely and no reply is sent.
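Steps 4, 6 and 7 above, reduced to working code as an added example (not HP-UX AAA Server code): CHK_DNY matching of check and deny items against the request's A-V pairs, LAS simultaneous-session control that only applies to realms listed for local session tracking, and ReplyPrep combining the profile's reply items with the special Service-Type entry's defaults. The profile is modelled on the guest@library.org entry above (its password is taken as already verified at authentication), and the request, the Service-Type defaults and the las.conf realm list are constructed. The text does not say which duplicate A-V pair pruning keeps; letting the user's own reply item win over the Service-Type default is an assumption made for this example.

```python
"""Added example, not HP-UX AAA Server code: check/deny items, realm-based
simultaneous-session control and reply-item pruning over constructed data."""

# Profile in the spirit of the guest@library.org entry (Password already checked).
PROFILES = {
    "guest@library.org": {
        "check": {"NAS-IP-Address": "192.0.2.10"},      # must be present and equal
        "deny": {"NAS-Port-Type": "Wireless-802.11"},   # must not be present and equal
        "reply": {"Filter-Id": "library", "Session-Timeout": 3600},
        "Simultaneous-Session": 1,
    }
}
# Special Service-Type entries: their reply items are appended to any request
# of that service type; they are never used for authentication.
SERVICE_DEFAULTS = {
    "Framed": {"Framed-Protocol": "PPP", "Framed-MTU": 1500, "Session-Timeout": 7200},
}
LAS_REALMS = {"library.org"}   # realms with local session tracking enabled (las.conf)


def chk_dny(profile, request):
    """CHK_DNY: ACK when every check item matches and no deny item does, else NAK."""
    for attr, value in profile.get("check", {}).items():
        if request.get(attr) != value:
            return "NAK"
    for attr, value in profile.get("deny", {}).items():
        if request.get(attr) == value:
            return "NAK"
    return "ACK"


def las(user_name, profile, active_sessions):
    """LAS: per-realm session control; realms not in las.conf get no enforcement."""
    realm = user_name.rpartition("@")[2]
    if realm not in LAS_REALMS:
        return "ACK"
    limit = profile.get("Simultaneous-Session", 1)       # default value is 1
    return "ACK" if active_sessions.get(user_name, 0) < limit else "NAK"


def reply_prep(profile, request):
    """ReplyPrep: Service-Type defaults first, then the profile's reply items;
    on a duplicate attribute the profile's value is kept (assumption)."""
    items = dict(SERVICE_DEFAULTS.get(request.get("Service-Type"), {}))
    items.update(profile.get("reply", {}))
    return items


def authorize(user_name, request, active_sessions):
    """Return (reply type, reply items) for an already authenticated request."""
    profile = PROFILES[user_name]
    if chk_dny(profile, request) == "NAK":
        return "Access-Reject", {}
    if las(user_name, profile, active_sessions) == "NAK":
        return "Access-Reject", {}
    return "Access-Accept", reply_prep(profile, request)


# Constructed Access-Request, as the A-V pairs the server would see.
REQUEST = {
    "User-Name": "guest@library.org",
    "NAS-IP-Address": "192.0.2.10",
    "NAS-Port-Type": "Async",
    "Service-Type": "Framed",
}
```

With no active session the request is accepted and carries the Framed defaults plus the profile's Filter-Id, with the profile's Session-Timeout of 3600 replacing the default 7200; a second concurrent session for the same user, a request from a different NAS address, or a request over the denied port type is rejected.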

Session Logs For Accounting

During operation, the HP-UX AAA Server processes information received in an Accounting-Request from the client. By default, session logging information is written to a file following a predefined format, such as Merit or Livingston. You can modify how and where the server generates the logs by editing the log.config file. You can also schedule logging by editing the FSM. In addition, modifying the FSM and configuring SQL Access enables you to use a database to store session log information. For more information, see Chapter 18: “SQL Access” (page 207).

IPv6 Support for External Services

The HP-UX AAA Server can be configured to use IPv6 addresses and support IPv6 attributes for most of the protocols and services it supports. The HP-UX AAA Server currently supports only IPv4 for the following services:
Dynamic user IP address assignment using DHCP
Access to Oracle servers via the Oracle authentication module
Access to RSA SecurID servers
IMPORTANT: The HP-UX AAA Server supports the use of RADIUS IPv6 attributes with HP-UX 11i v1 (and subsequent releases). RADIUS communication over IPv6 transports is supported with HP-UX 11i v2 (and subsequent releases).

2 Upgrading to Version A.07.01

This chapter explains how to upgrade to the HP-UX AAA Server A.07.01 from previous versions.

The HP-UX AAA Server Upgrade Process

The following process describes the HP-UX AAA Server A.07.01 product installation on a system where a previous version of the HP-UX AAA server is currently installed:
1. The contents of the existing configuration in /etc/opt/aaa/ are copied to /etc/opt/aaa.old/. If any files with the same names exist in /etc/opt/aaa.old/, they will be overwritten.
2. The old product binaries are removed and new product binaries are installed.
3. Old unmodified configuration files are replaced with the new default configuration files in /etc/opt/aaa/.
4. Backup copies of the default A.07.01 files are installed in /opt/aaa/newconfig/etc/opt/aaa/ for your reference.
5. Generally, no additional migration is necessary, except as specified in the following sections:
“Upgrading from Versions A.07.00, A.06.02, or A.06.01 to Version A.07.01”
“Upgrading from Version A.06.00.x to Version A.07.01” (page 46)
“Upgrading from Version A.05.x to Version A.07.01” (page 48)
NOTE: Contact your HP Support representative if you are upgrading from version A.05.x and require assistance.

Upgrading from Versions A.07.00, A.06.02, or A.06.01 to Version A.07.01

No migration is required. If you have modified /etc/opt/aaa/dictionary, and want to use SQL Access, OTP authentication, or use pre-defined policy hooks in the FSM, merge the dictionary file. For information on merging the dictionary file, see “Merging the Dictionary File” (page 48).
If you have modified the radius.fsm file, and you want to use OTP authentication or use pre-defined policy hooks in the FSM, merge the radius.fsm file. For information on merging the radius.fsm file, see “Merging the radius.fsm File” (page 48).
If you have configured realms with LDAP as the back end, and you want to enable CIS search, then you must specify the Filter-Type in the realm configuration in the authfile as follows:
<realm name> -DEFAULT ProLDAP "" {
    Filter-Type CIS
    Directory "directory_name" {
        Host <ldap-server-hostname>
        Port <ldap-server-port>
        Administrator <ldap-server-administrator>
        Password <Password>
        Searchbase <search-base>
        Authenticate <auto | search | bind>
    }
}
Additions have been made to the vendors file in this version of the HP-UX AAA Server. If you have modified the vendors file, you must merge the vendors file. For information on merging the vendors file, see “Merging the vendors File” (page 48).

Upgrading from Version A.06.00.x to Version A.07.01

To upgrade the configuration files, complete the following steps:
1. Back up your existing HP-UX AAA server configuration.
2. Install the HP-UX AAA Server A.07.01 without removing your existing HP-UX AAA Server software.
3. Copy the following files from /etc/opt/aaa.old/ to /etc/opt/aaa/. You do not need to modify these files when migrating to A.07.01:
The clients file
The las.conf file
The iaaaAgent.conf file
The db_srv.opt file
The engine.config file
The DAC.grp file and additional policy files
New or modified certificate files (to be copied from /etc/opt/aaa.old/security/ to /etc/opt/aaa/security/)
4. Update the following A.07.01 files in /etc/opt/aaa/ to include any modifications you made for your legacy configuration. Perform this step to include your legacy configuration in the new A.07.01 file format. Refer to the copy of your legacy files in /etc/opt/aaa.old/ and update the corresponding A.07.01 files listed below:
The vendors file
The log.config file
The radius.fsm file
The dictionary file
The aaa.config file
5. Copy your legacy users files from /etc/opt/aaa.old/ to /etc/opt/aaa/ (including the default users file and all files with the .users extension). Update the users files as follows:
Remove all DEFAULT, dumbuser, pppuser, and slipuser entries. The following shows example entries for each:
DEFAULT DEFAULT Authentication-Type = Realm
    Filter-Id = "unlim"
dumbuser dumbuser Authentication-Type = None
    Service-Type = Login, Login-Service = Telnet, Login-IP-Host = 255.255.255.255
pppuser pppuser Authentication-Type = None
    Service-Type = Framed, Framed-Protocol = PPP, Framed-IP-Netmask = 255.255.255.0, Framed-Routing = None, Framed-MTU = 1500, Framed-Compression = Van-Jacobson-TCP-IP
slipuser slipuser Authentication-Type = None
    Service-Type = Framed, Framed-Protocol = SLIP, Framed-IP-Netmask = 255.255.255.0, Framed-Routing = None, Framed-MTU = 1500, Framed-Compression = Van-Jacobson-TCP-IP
Remove all Authentication-Type=Realm and Authentication-Type=File strings from the remaining user entries. The following is a sample sed command you can modify to remove these entries (the expressions are quoted so that the shell does not split them at the spaces inside the bracket expressions, and each expression gets its own -e):
$ sed -e 's/Authentication-Type[ ]*=[ ]*Realm[ ,]*//g' -e 's/Authentication-Type[ ]*=[ ]*File[ ,]*//g' <users or *.users file name>
6. Use Server Manager to re-configure all of your legacy realm and outbound proxy entries on A.07.01. Refer to your legacy authfile at /etc/opt/aaa.old/authfile:
Use Server Manager’s Proxies link to re-configure entries in /etc/opt/aaa.old/authfile with the following syntax:
realm.com RADIUS <Realm_host_name>
Use Server Manager’s Local Realms link to re-configure the realm entries as they appear in /etc/opt/aaa.old/authfile.
7. If you are using a Netscape Directory server, update the RADIUS schema file for the directory server. Copy /opt/aaa/examples/proldap/55iaaa-radius.ldif to the Netscape Directory server. Stop and restart slapd after copying the schema file to the Netscape server.
8. If you are using an OpenLDAP server, update the RADIUS schema file for the directory server. Copy /opt/aaa/examples/proldap/iaaa-radius.ldif to the OpenLDAP server. Stop and restart slapd after copying the schema file to the OpenLDAP server.

Upgrading from Version A.05.x to Version A.07.01

Contact your HP Support representative if you are upgrading from Version A.05.x to Version A.07.01 or if you need assistance with your migration.

Merging the Dictionary File

To merge the legacy dictionary file changes to the new A.07.01 dictionary file, complete the following steps:
1. Copy the new dictionary file from /opt/aaa/newconfig/etc/opt/aaa/ to /etc/opt/aaa/.
2. Update the /etc/opt/aaa/dictionary file to include any modification you made for your legacy dictionary file.
Refer to the copy of your legacy dictionary file in /etc/opt/aaa.old/.

Merging the radius.fsm File

To merge the legacy radius.fsm file changes to the new A.07.01 radius.fsm file, complete the following steps:
1. Copy the new radius.fsm file from /opt/aaa/newconfig/etc/opt/aaa/ to /etc/opt/aaa/.
2. Update the /etc/opt/aaa/radius.fsm file to include any modification you made for your legacy radius.fsm file.
Refer to the copy of your legacy radius.fsm file in /etc/opt/aaa.old/.

Merging the vendors File

To merge the legacy vendors file changes to the new A.07.01 vendors file, complete the following steps:
1. Copy the new vendors file from /opt/aaa/newconfig/etc/opt/aaa/ to /etc/opt/aaa/.
2. Update the /etc/opt/aaa/vendors file to include any modification you made for your legacy vendors file.

3 Installing and Securing the HP-UX AAA Server

This chapter explains how to acquire, install, and secure the HP-UX AAA Server product. Always refer to the HP-UX AAA Server Release Notes for important information specific to each version of the product, including requirements and dependencies.

Acquiring the HP-UX AAA Server Software

You can get the most recent version of the HP-UX AAA Server product at the HP Software Depot: http://www.hp.com/go/softwaredepot.
IMPORTANT: Be sure to review the HP-UX AAA Server Release Notes before
installation. The Release Notes list the requirements for each release, including: installation, patch, and browser requirements.
You can access the Release Notes online at:
http://docs.hp.com/en/internet.html#HP-UX%20AAA%20Server%20%28RADIUS%29)

Installing and Uninstalling the HP-UX AAA Server

The following components are installed when you install the HP-UX AAA Server:
AAA Server binaries, libraries, and utilities
RMI objects that facilitate communication from the AAA server to Server Manager
AAA server AATV modules
To Install the HP-UX AAA Server
Complete the following steps to install the HP-UX AAA Server:
1. Log in to your system as root.
2. Verify that the product dependencies are installed:
# export PATH=$PATH:/usr/sbin
# swlist | egrep 'hpuxwsTomcat|hpuxwsApache|T1456AA'
IMPORTANT: Be sure you have the correct versions of the product dependencies
installed -- refer to the HP-UX AAA Server Release Notes.
3. Verify that the patch dependencies are installed. Skip this step if you are installing the HP-UX AAA Server on an HP-UX 11i v2 or HP-UX 11i v3 operating system.
# swlist -l product | grep aC
Review the patch requirements in the product Release Notes if the following value is not returned:
HP aC++ -AA runtime libraries (aCC A.03.37)
NOTE: Check the Release Notes for the HP-UX AAA Server version you are
installing to verify patch requirements.
4. Download the AAA Server depot file from http://www.software.hp.com and move it to /tmp
5. Verify that you have downloaded the file correctly:
# swlist -d -s /tmp/<AAA Server>.depot
6. Stop any active Tomcat processes:
/opt/hpws/tomcat/bin/shutdown.sh
7. Install the AAA Server:
# swinstall -s /tmp/<AAA Server>.depot HPUX-AAAServer
NOTE: If the installation is not successful, an error message is displayed. The
cause of the failure will appear at the end of /var/adm/sw/swagent.log file.
8. After installing the product, add the following entries to the /etc/services file:
# RADIUS protocol
radius  1812/udp
radacct 1813/udp
NOTE: These RADIUS values are the server’s defaults and are specified in the
RADIUS RFC 2865.
To Uninstall the HP-UX AAA Server Software
Complete the following steps to uninstall the HP-UX AAA Server:
1. From the navigation tree, click Administration.
2. Verify the AAA server you want to stop is selected in the Server Status Frame.
3. Click Stop to stop the server.
4. From the command line, stop the RMI objects and Tomcat. See “Starting and
Stopping the RMI Objects” (page 62) and “Starting and Stopping Tomcat” (page 62)
for more information.
NOTE: Enter the following command if you have not done it already:
# export JAVA_HOME=/opt/java1.4
5. Check if db_srv is running:
$ ps -ef |grep db_srv
6. If db_srv is running, stop it with the /opt/aaa/bin/stop_db_srv.sh script.
7. Remove all files residing in the /var/opt/aaa/ and /opt/hpws/tomcat/webapps/aaa/aaalog/ subdirectories.
8. Log out anyone using the HP-UX AAA Server administrator login “aaa”.
9. As root user, enter swremove HPUX-AAAServer, or enter swremove at the command prompt to invoke the standard HP-UX GUI and select the HPUX-AAAServer bundle for removal. Refer to the swremove manpage for more information on this command.

HP-UX AAA Server File Locations

Although HP-UX AAA Server can be run as root user, HP recommends running it as a non-root user.
A user and group, both named aaa, are created during installation. The HP-UX AAA Server can be run as a non-root user, using the default aaa user created during installation, or any other user who is part of the aaa group.
IMPORTANT: Do not remove the default login aaa and group aaa created during
installation, even if you prefer not to use them.
Table 3-1 File Locations Upon Installation

File/Directory, followed by its contents:

/opt/aaa/aatv
    Server modules and plug-ins

/opt/aaa/bin
    Server daemons and utilities:
    db_srv: Oracle client daemon for the ORACLE authentication module
    las.test.sh: script to create simulated sessions for testing
    radcheck: AAA Server test utility (like the ping command)
    raddbginc: controls server debug output
    radsignal: controls server debug output and rolls over the server log file and accounting stream
    radiusd: AAA Server executable
    radpwtst: AAA test client utility
    start_db_srv.sh: script to start the Oracle client daemon
    stop_db_srv.sh: script to stop the Oracle client daemon

/opt/aaa/examples/config
    Finite state machine and sample policy files:
    *.fsm: Sample FSM tables
    sqlaccess-acct.fsm: Sample FSM required to implement accounting without session management using SQL Access
    sqlaccess-acct-sess.fsm: Sample FSM required to implement accounting with session management using SQL Access
    *.grp: Sample decision files
    OTP sample reference implementation files:
    oath-request-ingress.grp
    oath-reply-ingress.grp
    oath-proxy-egress.grp

/opt/aaa/examples/sqlaccess/mysql-1
    Configuration files and scripts that enable the HP-UX AAA Server to use an ODBC client to interact with a MySQL database:
    sqlaccess.config: Sample configuration file that defines database connections, SQL statements, and RADIUS-to-database mappings
    dbsetup.sql: Script that creates the database tables for the sample configuration and inserts a test user in a database table
    NOTE: Refer to Chapter 18: “SQL Access” (page 207) for details on using the SQL Access feature.

/opt/aaa/examples/sqlaccess/oracle-1
    Configuration file and script that enable the HP-UX AAA Server to use an OCI client to interact with an Oracle database server:
    sqlaccess.config: Sample configuration file that defines database connections, SQL statements, and RADIUS-to-database mappings
    dbsetup.sql: Script that creates the database tables for the sample configuration and inserts a test user in a database table
    NOTE: Refer to Chapter 18: “SQL Access” (page 207) for details on using the SQL Access feature.

/opt/aaa/lib/dbcon/alternate
    Connector libraries that enable HP-UX AAA Server to communicate with supported database clients:
    libdbcon_oci.so: OCI client connector library
    libdbcon_odbc.so: MySQL Unix ODBC client connector library
    NOTE: Refer to Chapter 18: “SQL Access” (page 207) for details on using the client connector libraries.

/opt/aaa/examples/oracle
    Scripts to create and modify tables in the Oracle database used by the ORACLE authentication module:
    create.sql: SQL script to create the Oracle users table
    delete.sql: Sample SQL script to delete Oracle user records
    insert.sql: Sample SQL script to add Oracle user records

/opt/aaa/examples/proldap
    LDAP schema and sample LDIF files

/opt/aaa/lib
    Shared libraries:
    libradlib.sl: Contains functions that interface with the main server
    librpilib.sl: Contains functions for programs and utilities
    libjniAgent.sl: Contains functions for Server Manager
    NOTE: Shared library files have .so file extensions on HP-UX 11i v2 (B.11.23) and HP-UX 11i v3 (B.11.31).

/opt/aaa/newconfig
    Default configuration files. Files residing here are copied to the /etc/opt/aaa directory during installation.

/etc/opt/aaa/security/
    Directory containing a unique set of self-signed digital certificates created during installation.

/opt/aaa/share/man/man5 and /opt/aaa/share/man/man1m
    Directories where manpages are installed

/opt/aaa/share/doc/
    Directory containing the Administrator’s Guide and product documentation.

/etc/opt/aaa
    Configuration files:
    aaa.config: runtime and tunneling configuration file
    authfile: realm to authentication-type mapping file
    clients: client to shared secret mapping file
    db_srv.opt: configuration script for db_srv environment variables
    dictionary: definition file required by the radiusd daemon
    las.conf: authorization and accounting configuration file
    log.config: session logging configuration file
    radius.fsm: external FSM table for the server
    users: holds user security profiles and reply items
    vendors: holds Internet Assigned Numbers Authority (IANA) numbers and other vendor specific details
    engine.config: stores most of the AAA server properties
    EAP.authfile: configures EAP authentication for user profiles
    iaaaAgent.conf: specifies how often the AAA server’s SNMP subagent will check to see if a master agent is active
    aaa.config.license: Do not alter this file
    RADIUS-ACC-SERVER-MIB.txt: describes RADIUS Accounting MIB definitions
    RADIUS-AUTH-SERVER-MIB.txt: describes RADIUS Authentication MIB definitions
    Default policy files:
    request-ingress.grp
    reply-egress.grp
    proxy-egress.grp
    proxy-ingress.grp
Table 3-2 lists the files generated during operation and located in /var/opt/aaa/ by default:

Table 3-2 Files Generated During Operation

File/Directory, followed by its description:

/acct/session.yyyy-mm-dd.log
    Default session accounting logs, Merit style

/data/session.las
    Currently active sessions log file

/ipc/*.sm
    Shared memory files related to the interface used for some authentication types.
    IMPORTANT: You must not alter or delete the shared memory (*.sm) files. The server does not operate correctly if the files are changed or removed from the ipc directory.

/logs/logfile
    The server log file

/logs/logfile.yyyymmdd
    Compressed daily or weekly log files

/radacct/*
    Session accounting logs in Livingston call detail records directory style format (not generated by the default configuration)

/run/radius.pid
    Contains the process id (pid) for the server.

Securing the HP-UX AAA Server

Performing the steps in this section increases the security of your HP-UX AAA Server installation. HP recommends all customers perform the steps in “Changing the Default HP-UX AAA Server Settings” (page 55). Perform the steps in “Environment Specific Security Procedures” (page 56) depending on your environment.
Changing the Default HP-UX AAA Server Settings
The following information explains how to increase the security of your HP-UX AAA Server by changing some of the default settings. HP recommends that all customers change the default values.
Changing the Default Tomcat User Name and Password
All Tomcat servers come with the same default user name and password. You must change the user name and password to unique values.
Complete the following steps to change the Tomcat user name and password:
1. Open /opt/hpws/tomcat/conf/tomcat-users.xml.
2. Look for entries with the roles="tomcat" string. These entries are valid Tomcat user names and passwords.
3. Modify the file to include only the user name and password you want to use. Use the following format:
<user username="new user name" password="new password" roles="tomcat"/>
Changing the Default RMI Objects Secret
HP recommends changing the default RMI Objects secret.
Complete the following steps to change the default RMI objects secret:
1. Open /opt/hpws/tomcat/webapps/aaa/WEB-INF/gui.properties.
2. Look for the following entry:
rmi.config.secret = "secret"
3. Change the “secret” portion to a new value
4. Open the /opt/aaa/remotecontrol/rmiserver.properties file.
5. Look for the following entry:
rmi.config.secret = "secret"
6. Change the “secret” portion to the same value configured in Step 3.
IMPORTANT: The rmi.config.secret in /opt/aaa/remotecontrol/rmiserver.properties and in /opt/hpws/tomcat/webapps/aaa/WEB-INF/gui.properties must be identical.
Changing the Default test_user Settings
HP recommends changing the default test_user password. This password can be changed only after starting the Server Manager. More information on how to change the default test_user password is provided in “Changing the Default test_user Settings” (page 115).
Changing the Default localhost Proxy Settings
HP recommends changing the default localhost proxy settings. This setting can be changed only after starting the Server Manager. More information on how to change the default localhost proxy settings is provided in “Changing the Default localhost
Proxy Settings” (page 106).
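The two file-level changes above (the Tomcat user entries and the pair of rmi.config.secret values) can be verified after the fact. The following script is an added example, not part of this guide or the product: the check functions and their names are mine, and they assume the file formats shown in the steps above, one <user .../> element per Tomcat user in tomcat-users.xml and rmi.config.secret = "value" lines in the two properties files.

```shell
#!/bin/sh
# Added example, not part of the HP-UX AAA Server product or this guide: checks for
# the two default settings the section above says to change. Assumed formats (from
# the steps above): one <user .../> element per Tomcat user in tomcat-users.xml, and
# rmi.config.secret = "value" lines in gui.properties and rmiserver.properties.

# Print the quoted value of rmi.config.secret from a properties file (first match).
rmi_secret_of() {
    sed -n 's/^[[:space:]]*rmi\.config\.secret[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Return 0 only when both files carry the same secret and it is no longer the
# shipped default "secret". Server Manager talks to the RMI objects only when the
# two values are identical, so a mismatch is reported as a failure too.
check_rmi_secret() {
    [ -r "$1" ] && [ -r "$2" ] || return 2
    g=$(rmi_secret_of "$1")
    s=$(rmi_secret_of "$2")
    [ -n "$g" ] && [ "$g" = "$s" ] && [ "$g" != "secret" ]
}

# Return 0 only when tomcat-users.xml no longer defines a user with the shipped
# default credentials tomcat/tomcat.
check_tomcat_users() {
    [ -r "$1" ] || return 2
    ! grep '<user ' "$1" | grep 'username="tomcat"' | grep -q 'password="tomcat"'
}

# Demonstration on constructed copies of the files (not the real ones), left as
# shipped, so both checks are expected to fail.
demo() {
    d=${TMPDIR:-/tmp}/aaa-defaults-demo.$$
    mkdir -p "$d" || return 1
    printf 'rmi.config.secret = "secret"\n' > "$d/gui.properties"
    printf 'rmi.config.secret = "secret"\n' > "$d/rmiserver.properties"
    printf '<tomcat-users>\n  <user username="tomcat" password="tomcat" roles="tomcat"/>\n</tomcat-users>\n' > "$d/tomcat-users.xml"
    if check_rmi_secret "$d/gui.properties" "$d/rmiserver.properties"; then
        echo "rmi.config.secret: OK"
    else
        echo "rmi.config.secret: still the default, or the two files differ"
    fi
    if check_tomcat_users "$d/tomcat-users.xml"; then
        echo "tomcat-users.xml: OK"
    else
        echo "tomcat-users.xml: default tomcat/tomcat user still present"
    fi
    rm -rf "$d"
}

demo
```

To audit a real installation, call the two check functions with the paths named in the steps above instead of the constructed copies.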
Environment Specific Security Procedures
Depending on your environment needs, you can perform any of the following steps for additional security:
Using Secure Socket Layer (SSL) for Secured Remote Server Manager Administration
Use the following steps to configure SSL (HTTPS):
1. Generate a certificate for Tomcat to establish the SSL connection. Use the following steps to create a self-signed certificate with the Java command line keytool utility:
1. Remove $HOME/.keystore if it already exists
2. Enter the following command:
$ export JAVA_HOME=/opt/java1.4
3. Enter the following command:
$JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA
4. Enter a password for the key store when prompted.
5. Enter the certificate information (company, contact name, etc.), when
prompted. This information must be accurate because it is displayed to users who attempt to administer Server Manager.
6. Enter a password for the key when prompted. Use the same password you
used for the key store
2. Uncomment the following Connector definition in /opt/hpws/tomcat/conf/server.xml by removing the <!-- and --> lines that surround it (leave the one-line descriptive comment in place):
<!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
<!--
<Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
           port="8443" minProcessors="5" maxProcessors="75"
           enableLookups="true" acceptCount="10" debug="0"
           scheme="https" secure="true" useURIValidationHack="false">
  <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
           clientAuth="false" protocol="TLS" />
</Connector>
-->
3. Add the keystorePass attribute to the uncommented Factory element in /opt/hpws/tomcat/conf/server.xml to establish the key store and key password on Tomcat. Add the keystorePass attribute as shown in the following:
<Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
         clientAuth="false" protocol="TLS" keystorePass="<password>" />
IMPORTANT: Replace <password> with the password used to generate the
keystore in Step 1.
4. Stop and start Tomcat:
Stop:  /opt/hpws/tomcat/bin/shutdown.sh
Start: /opt/hpws/tomcat/bin/startup.sh
5. Point your web browser to:
https://<hostname>:8443/aaa
Creating a Tomcat Identity Specifically for the HP-UX AAA Server
If several applications use Tomcat, you can configure Tomcat to have a user name and password specifically for the AAA Server. All other applications using Tomcat will have a different user name and password.
Complete the following steps to create a Tomcat identity specifically for your HP-UX AAA Server:
1. Search for the following line in /opt/hpws/tomcat/conf/server.xml:
<!-- Tomcat Examples Context -->
Add the following code above this line:
<Context path="/aaa" docBase="aaa" debug="0" reloadable="false" crossContext="false">
  <Realm className="org.apache.catalina.realm.MemoryRealm" debug="0" pathname="conf/aaa-users.xml"/>
</Context>
2. Open the /opt/hpws/tomcat/conf/aaa-users.xml file.
3. Replace adminaaa with the new user name and password
4. Enter the following command:
$ export JAVA_HOME=/opt/java1.4
5. Stop Tomcat if it is running:
$ /opt/hpws/tomcat/bin/shutdown.sh
6. Restart Tomcat:
$ /opt/hpws/tomcat/bin/startup.sh
7. Stop the RMI objects if they are running:
$ /opt/aaa/remotecontrol/rmistop.sh
8. Set the shared library path to the OCI client or ODBC driver in the /opt/aaa/remotecontrol/rmistart.sh script if you are implementing the SQL Access feature. See the following README files for more information:
/opt/aaa/examples/sqlaccess/oracle-1/README: for Oracle (OCI)
/opt/aaa/examples/sqlaccess/mysql-1/README: for MySQL (ODBC)
See Chapter 18: “SQL Access” (page 207) for more information on the SQL Access feature.
9. Start the RMI objects:
/opt/aaa/remotecontrol/rmistart.sh
10. Point your web browser to:
http://<hostname>:8081/aaa
11. Login with the new AAA Server-specific user name and password
Running the HP-UX AAA Server on Hosts with System Hardening Software
If you are setting up the HP-UX AAA Server on a system that is being hardened using lock-down software such as Bastille, you must ensure that the ports used by the HP-UX AAA Server are kept open. The following ports must be kept open if you are running the HP-UX AAA Server:
Port 1812 (Radius authentication port)
Port 1813 (Radius accounting port)
Port 8081 (port used by the Server Manager. Needed only if this host is going to
run the Server Manager)
Port 2099 (port used by the RMI server. Needed only if the HP-UX AAA Server
on this host needs to be remotely managed from another host.)
RMI Server ports listed in Table 3-3. By default, these ports change each time the
RMI objects are started.
NOTE: These ports are default ports. However, you can configure these services to
use other ports.
If the HP-UX AAA Server on the host needs to be remotely managed from another host, then some additional ports need to be opened. By default, these ports are chosen randomly and keep changing every time the RMI server is restarted. To make them more convenient to open, these ports can be configured in /opt/aaa/remotecontrol/rmiserver.properties. Table 3-3 lists the ports that need to be configured and opened for the corresponding remote management functionality required.
Table 3-3 Ports Associated with RMI Objects that must be Configured

Port                 Functionality
adm.server.port      If you are using the administrative functions

conf.server.port     If you are modifying, loading, or saving the configuration
file.server.port

stat.server.port     If you are using maintenance features such as accounting, logging,
acct.server.port     reporting, getting statistics, or session management
log.server.port
sess.server.port
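As an added example (not from this guide or the product), the following script assembles the firewall list this section describes: the fixed RADIUS, Server Manager and RMI server ports, plus whatever fixed values have been set for the Table 3-3 keys, flagging any key still left to a random port. It assumes the keys are stored in rmiserver.properties as key = value lines, with or without quotes; the function names are mine.

```shell
#!/bin/sh
# Added example, not part of the HP-UX AAA Server product or this guide: lists the
# ports a host firewall (for example a Bastille lock-down) must leave open for this
# server, following the section above. Assumption: the Table 3-3 keys are stored in
# /opt/aaa/remotecontrol/rmiserver.properties as key = value lines (quotes optional);
# a key that is absent or empty means that RMI object still picks a random port.

RMI_PORT_KEYS="adm.server.port conf.server.port file.server.port stat.server.port acct.server.port log.server.port sess.server.port"

# Print the value of one property key (nothing when the key is not set).
prop_value() {
    key=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*\"\{0,1\}\([^\"[:space:]]*\).*/\1/p" "$1" | head -n 1
}

# Print one "<port> <purpose>" line per port that must stay open.
#   $1  path to rmiserver.properties
#   $2  yes if Server Manager (Tomcat) runs on this host
#   $3  yes if this server is managed remotely from another host
ports_to_open() {
    printf '1812 RADIUS authentication\n'
    printf '1813 RADIUS accounting\n'
    if [ "$2" = yes ]; then
        printf '8081 Server Manager\n'
    fi
    if [ "$3" = yes ]; then
        printf '2099 RMI server\n'
        for k in $RMI_PORT_KEYS; do
            v=$(prop_value "$1" "$k")
            if [ -n "$v" ]; then
                printf '%s %s\n' "$v" "$k"
            else
                printf 'RANDOM %s (not fixed: set it in rmiserver.properties before opening the firewall)\n' "$k"
            fi
        done
    fi
}

# Number of Table 3-3 keys still left to a random port (0 means all are pinned).
count_random_rmi_ports() {
    ports_to_open "$1" no yes | grep -c '^RANDOM ' || true
}

# Stand-alone use on this host, assuming it runs Server Manager and is managed remotely.
f=/opt/aaa/remotecontrol/rmiserver.properties
if [ -r "$f" ]; then
    ports_to_open "$f" yes yes
fi
```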
Running the HP-UX AAA Server as a Non-Root User
Some organizations require network server processes to run as a non-root user.
Complete the following steps to run the AAA server as a non-root user:
1. Log in to the system as the root user.
2. Add the user name www to the aaa group.
3. Use the following command to start the RMI objects as the aaa user:
$ su - aaa -c /opt/aaa/remotecontrol/rmistart.sh
4. Use the following command to start Tomcat as the www user:
$ su - www -c "export JAVA_HOME=/opt/java1.4; /opt/hpws/tomcat/bin/startup.sh"
5. Point your web browser to:
http://<hostname>:8081/aaa
NOTE: Any log files created when the HP-UX AAA server was running as the root user will not be accessible after performing this procedure. To view these log files, change their ownership to match the UID the server now runs as. See the chown manpage for more information.
Setting Up the HP-UX AAA Server to Start as Non-Root User After Reboot
Complete the following steps to set up the HP-UX AAA Server to start as non-root user after reboot:
1. Set the RADIUSD variable to 1 in the /etc/rc.config.d/radiusd.conf file.
2. Open the /sbin/init.d/radiusd.rc file and look for the following entry:
DAEMONNM=radiusd
CONFFILE=$AAAPATH/clients
DAEMONEXE=/opt/aaa/bin/${DAEMONNM}
3. Change the DAEMONEXE line to set radiusd to start as the aaa user after reboot (the new value contains spaces, so it must be quoted):
Change:
DAEMONEXE=/opt/aaa/bin/${DAEMONNM}
To:
DAEMONEXE="/usr/bin/su - aaa -c /opt/aaa/bin/${DAEMONNM}"
4. Look for the following entry:
echo "$DAEMONNM started with <$retval>"
if [[ -x /opt/aaa/remotecontrol/rmistart.sh ]]; then
    /usr/bin/nohup /opt/aaa/remotecontrol/rmistart.sh >/dev/null 2>&1
fi
5. Change the then statement to start the RMI objects as the aaa user after reboot:
Change:
if [[ -x /opt/aaa/remotecontrol/rmistart.sh ]]; then
    /usr/bin/nohup /opt/aaa/remotecontrol/rmistart.sh >/dev/null 2>&1
fi
To:
if [[ -x /opt/aaa/remotecontrol/rmistart.sh ]]; then
    /usr/bin/nohup /usr/bin/su - aaa -c /opt/aaa/remotecontrol/rmistart.sh >/dev/null 2>&1
fi
6. Look for the following entry:
# stop the daemon!!!
if [[ -x /opt/aaa/remotecontrol/rmistop.sh ]]; then
    /opt/aaa/remotecontrol/rmistop.sh >/dev/null 2>&1
fi
7. Change the then statement to stop the RMI objects as the aaa user during shutdown:
Change:
if [[ -x /opt/aaa/remotecontrol/rmistop.sh ]]; then
    /opt/aaa/remotecontrol/rmistop.sh >/dev/null 2>&1
fi
To:
if [[ -x /opt/aaa/remotecontrol/rmistop.sh ]]; then
    /usr/bin/su - aaa -c /opt/aaa/remotecontrol/rmistop.sh >/dev/null 2>&1
fi
8. If you are implementing the SQL Access feature, add the following environment variable settings to the .profile file in the user’s home directory:
(For ODBC only)
export ODBCINI=<path>/odbc.ini
(For OCI and ODBC)
export SHLIB_PATH=${SHLIB_PATH}:<path to the ODBC or OCI client libraries>
4 Enabling the HP-UX AAA Server for GUI-based Administration
This chapter explains how to enable your HP-UX AAA server software to begin administration.

Accessing the Server Manager

To start the HP-UX AAA Server and the Server Manager graphic user interface, complete the following steps:
1. Enter the following command:
# export JAVA_HOME=/opt/java1.4
2. Start the Remote Method Invocation (RMI) objects to allow the AAA server software to communicate with Server Manager. Use the following command:
# /opt/aaa/remotecontrol/rmistart.sh
3. Start the HP-UX Tomcat-based Servlet Engine. Use the following command:
# /opt/hpws/tomcat/bin/startup.sh
4. Enable the Java Runtime Environment (JRE) and Javascript for the browser, so that the browser can run the Server Manager applets and execute Javascripts.
5. Point your web browser to the following URL to manage the HP-UX AAA Server with the Server Manager interface:
http://<IP-Address or FQDN>:8081/aaa
6. To access the Server Manager, enter your user name and password.
NOTE: The default Server Manager username is tomcat. The default Server
Manager password is tomcat.
Starting and Stopping the RMI Objects
To start and stop the RMI objects, use the following commands:
To start: /opt/aaa/remotecontrol/rmistart.sh
To stop: /opt/aaa/remotecontrol/rmistop.sh
Status: netstat -a | grep 7790
Starting and Stopping Tomcat
To start and stop Tomcat, use the following commands:
To start: /opt/hpws/tomcat/bin/startup.sh
To stop: /opt/hpws/tomcat/bin/shutdown.sh
Status: netstat -a | grep 8081


Testing the Installation

To test the server installation quickly, perform the following procedure using Server Manager:
Add a loopback connection to a AAA server
Start the AAA server
Check the status for a response
To Test the Installation
Complete the following steps to test the server installation:
1. Connect to Server Manager and start the AAA server. See “Accessing the Server
Manager” (page 62).
2. From the navigation tree, click the Server Connections link and then click the Connect to Server link.
3. In the Add Connection screen that opens, enter the values for your server in the following format:
Name: The identifying string of a remote server.
Domain Name or IP Address: The IP address (traditional IPv4 address in dotted-quad notation, or IPv6 address in IPv6 literal format notation), or valid Domain Name System (DNS) host name of the AAA server that the connection maps to.
Example: IPv4 address: 192.0.2.0
IPv6 address: fedc:ba98:7654:3210:fedc:ba98:7654:3210
Domain Name: example.org
4. Click Create.
5. Verify the server is listed and selected in the Server Status frame.
6. From the navigation tree, click Administration.
7. Click Start.
8. Verify the server has started. A green “GO” icon in the Server Status frame indicates the server is running.
9. Verify the server is selected in the Server Status frame and then select the Status option.
10. Check Server Manager’s Message Frame for the status reply. The following reply at the bottom of the Message Frame indicates the server is running correctly:
<server name> (port#) is responding
11. Verify that your HP-UX AAA Server is installed and operating correctly by using the testing user (named test_user) created during installation. After test_user is authenticated and the AAA server sends an Access-Accept, the client sends an Accounting-Request to start the session. After the session is terminated, the client sends an Accounting-Request stop message to stop the session logging and the AAA server writes the session information to a file.
a. Enter the following command:
# /opt/aaa/bin/radpwtst -s localhost -i 192.0.2.0 -l test_user
This command simulates an Access-Request from port 1 of a NAS with an IP address of 192.0.2.0. When prompted for a password, enter: password. The command must return the following output:
test_user authentication OK
b. Enter the following command:
# /opt/aaa/bin/radpwtst -c 4 -s localhost -i 192.0.2.0 -l 1 -u ppp -:Acct-Status-Type=Start test_user
This command simulates an Accounting-Request start message, activating the user’s PPP session. The command must return the following output:
Accounting Response received
c. Enter the following command:
# /opt/aaa/bin/radpwtst -c 4 -s localhost -i 192.0.2.0 -l 1 -u ppp -:Acct-Status-Type=Stop test_user
This command simulates an Accounting-Request stop message, terminating the user’s session. The command must return the following output:
Accounting Response received
d. View the session logs for test_user’s start and stop accounting messages
by selecting Accounting in Server Manager’s navigation tree and clicking Display.
IMPORTANT: HP recommends removing test_user or changing its default
password before deploying the HP-UX AAA Server in a production environment. See
“Securing the HP-UX AAA Server” (page 55) for more information.

Starting AAA Servers Using Server Manager

To start AAA servers using Server Manager, complete the following steps:
1. From the navigation tree, click Administration.
2. Select the servers you want to start in the Server Status frame.
NOTE: Server commands will only be executed on servers selected in the Server
Status frame.
3. Click Start.
Figure 4-1 shows the return value in Server Manager’s message frame when a server
is successfully started.
Figure 4-1 Return Value After Successfully Starting a AAA Server
AAA Server Start Options
Select the Start button’s corresponding icon to display the Start Options screen shown in Figure 4-2. Table 4-1 describes the start options you can use.
Figure 4-2 Server Manager’s Start Options Screen
Table 4-1 Server Start Options

Option, followed by its description:

Authentication
    Port number to listen to authentication requests.
Accounting
    Port number to listen to accounting requests.
Authentication Relay
    Port number to relay authentication requests. This option is useful when proxying requests to a AAA server that is not listening on the default port.
Accounting Relay
    Port number to relay accounting requests. This option is useful when proxying requests to a AAA server that is not listening on the default port.
Debug Level
    Specifies the debug level. Higher levels write more information to the radius.debug file. Increasing this value can cause performance to decline.
Reset Logfile
    Empties the logfile and debug file when the server is started.
Reset Session Table
    Empties the stored session table at server startup.
    IMPORTANT: This option is only intended for experimental use or testing and not for a live production server. If you reset a production server, the server loses track of the sessions that are still active.
NOTE: All options specified when the server is started are written to the server’s
logfile.
IMPORTANT: Modified start options will not take effect until the server is stopped
(by selecting the stop button) and then restarted.
Server Manager’s Reload Feature
The Reload button signals the HP-UX AAA Server to reload specific configuration information while the server is running. The result of the command will be displayed in the Message frame. The HP-UX AAA server will reload the following files after you select Reload:
users
clients
authfile
aaa.config
engine.config (all values except the certificate properties, which require you
to stop and restart the server to be refreshed)
las.conf
EAP.authfile
aaa.config.license
sqlaccess.config
request-ingress.grp
reply-egress.grp
proxy-egress.grp
proxy-ingress.grp
In order for other configuration changes to take effect, you must stop and restart the server.
IMPORTANT: Save the configuration before reloading the configuration information.

Starting AAA Servers From the Command Line

The radiusd daemon is a process that services user authentication and accounting requests from RADIUS clients. Authentication and accounting requests come to the radiusd daemon in the form of UDP packets conforming to the RADIUS protocol. You can start the radiusd daemon from the Server Manager GUI, command line, or through an inetd service.
radiusd Syntax
radiusd [-c workdir] [-C] [-d configdir] [-da aatvdir] [-dl logdir] [-di ipcdir] [-dr rundir] [-dd datadir] [-dm meritdir] [-p authport] [-q acctport] [-f fsm] [-l logformat] [-n] [-pp authproxy] [-qq acctproxy] [-g logtype] [-h] [-s] [-t timeout] [-v] [-z] [-x] [-x] [-x] [-x]
Table 4-2 describes all the radiusd options.
Table 4-2 radiusd Options

-c Working-directory
    Sets the current working directory. This option can be useful for determining the location of system-generated files, such as core files.
-C tokcachedir
    Enables token caching.
-d Config-directory
    Specifies the directory where the configuration files are located. If omitted, the default directory is /etc/opt/aaa.
-da AATV-directory
    Specifies the directory where the AATV libraries are located. If omitted, the default directory is /opt/aaa/aatv.
-dl Logfile-directory
    Specifies the directory where the log and debug files are located. If omitted, the default directory is /var/opt/aaa/logs.
-di IPC-directory
    Specifies the directory where the files generated for shared memory operation are located. If omitted, the default directory is /var/opt/aaa/ipc.
-dr Run-directory
    Specifies the directory where the server's process id file (radiusd.pid) is located. If omitted, the default directory is /var/opt/aaa/run.
-dd Data-directory
    Specifies the directory where the active session file (session.las) is located. If omitted, the default directory is /var/opt/aaa/data.
-dm Accounting-directory
    Specifies the directory where Merit style accounting log files (session logs) are located. If omitted, the default directory is /var/opt/aaa/acct.
-p Authentication-port
    Specifies the UDP port number on which to listen for authentication requests. If omitted, the local host services are queried for the RADIUS port (see services(4)). If the port cannot be obtained from host services, the RADIUS standard default of 1812 is used.
-q Accounting-port
    Specifies the UDP port number on which to listen for accounting requests. If omitted, the local host services are queried for the radacct port (see services(4)). If the port cannot be obtained from host services, the RADIUS standard default of 1813 is used.
-f FSM
    Specifies an alternate Finite State Machine (FSM) table file instead of the default radius.fsm file. The default FSM file (/etc/opt/aaa/radius.fsm) follows Merit style accounting behavior.
-l Log-format
    strftime(3) format for naming logfiles. The -l option specifies the logfile name format with timestamp precision and dictates when a new logfile must start. For example, the following starts a new logfile every hour:
    $ ./radiusd -l logfile.%Y%m%d%H
-n
    Resets the session table. If omitted, the default is to restore the session table from a previous run.
-pp Authentication-proxy
    Specifies the UDP port number to which authentication requests are forwarded (proxied).
-qq Accounting-proxy
    Specifies the UDP port number to which accounting requests are forwarded (proxied).
-g Logtype
    Selects logfile, syslog, or stderr logging.
-h
    Displays the help message.
-s
    Single process (non-spawning) mode.
-t Timeout
    Inactivity timeout value (minutes) when the radiusd daemon is started through inetd.
-v
    Displays the AAA server version.
-z
    Empties the logfile and the debug file if the -x option is used.
-x
    Adds to the debug flag value.
NOTE: The radiusd daemon determines what action must be taken when receiving requests based upon an FSM that it loads into memory when the server is started. The FSM can be configured, but it is static after server startup. The server uses the algorithm shown in Figure 4-3 to determine which FSM must be loaded into memory:
Figure 4-3 Algorithm for Determining Which FSM to Load
IMPORTANT: When started by the inetd service, radiusd times out if it does not receive a message in 15 minutes. With the -t Timeout option, you can override this value. If the value is set to 0, it waits indefinitely without timing out.
Configuring the HP-UX AAA Server to Start Automatically Upon System Reboot
You can configure the HP-UX AAA Server (radiusd) and RMI objects to start automatically after a system reboot.
Set the RADIUSD variable in /etc/rc.config.d/radiusd.conf to 1. The default setting is 0.
CAUTION: Modifying content in the /sbin/init.d/radiusd.rc file other than the radiusd options can prevent the system from booting.
NOTE: You can also start the Server Manager interface after reboot. In the /etc/rc.config.d/hpws_tomcatconf file, set HPWS_TOMCAT_START to 1, and set JAVA_HOME to /opt/java1.4.

Stopping or Restarting HP-UX AAA Servers

You must stop or restart AAA servers to update configuration changes.
CAUTION: Do not stop a live server in production as it interrupts services to users.
Using Server Manager
1. From the navigation tree, click Administration.
2. Select the servers you want to stop in the Server Status frame.
NOTE: Server commands will only be executed on servers selected in the Server Status frame.
3. Click Stop.
A message prompt enables you to confirm whether you wish to stop the server. If the server cannot be stopped, the administrator is notified of the problem in the message frame.
From the Command Line
Enter the following command at the prompt to stop radiusd:
kill `cat /var/opt/aaa/run/radiusd.pid|awk '{print$1}'`
Enter the following command at the prompt to restart radiusd:
kill `cat /var/opt/aaa/run/radiusd.pid|awk '{print$1}'`;/opt/aaa/bin/radiusd
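The two one-liners above signal whatever pid the file names and start the new daemon without waiting for the old one to exit. The following is an added example, not part of the HP-UX AAA Server guide: a POSIX shell wrapper that refuses stale or non-numeric pid files, checks (on Linux, through /proc) that the pid still belongs to the expected daemon before sending any signal, waits for the process to exit, and only then starts radiusd. The function names and the /proc-based checks are this example's own assumptions; the pid-file path and binary are parameters.

```shell
# Added example (not from the HP-UX AAA Server guide): stop radiusd via its pid
# file only after checking that the pid is live and, where /proc is available,
# that it belongs to the expected daemon; restart only once the old process is gone.
# The function names and the /proc-based name check are this example's assumptions.

# aaa_stop PIDFILE EXPECTED_COMM [WAIT_SECONDS]
# Exit status: 0 daemon exited, 2 no pid file, 3 stale pid file (removed),
#              4 pid belongs to another program (not signalled), 5 still alive after the wait.
aaa_stop() {
    pidfile=$1; want=$2; wait_s=${3:-10}
    [ -r "$pidfile" ] || return 2
    # the guide reads the first field of radiusd.pid; do the same, but refuse anything non-numeric
    pid=$(awk 'NR == 1 { print $1 }' "$pidfile")
    case $pid in
        ''|*[!0-9]*) rm -f "$pidfile"; return 3 ;;
    esac
    if ! kill -0 "$pid" 2>/dev/null; then
        rm -f "$pidfile"                # process already gone: stale file
        return 3
    fi
    # Linux only: make sure the pid was not recycled by an unrelated program
    if [ -r "/proc/$pid/comm" ] && [ "$(cat "/proc/$pid/comm")" != "$want" ]; then
        return 4
    fi
    kill -TERM "$pid"
    i=0
    while kill -0 "$pid" 2>/dev/null; do
        # a zombie has already exited; its parent simply has not reaped it yet
        if [ -r "/proc/$pid/stat" ] && grep -q ') Z ' "/proc/$pid/stat" 2>/dev/null; then
            break
        fi
        i=$((i + 1))
        [ "$i" -lt "$wait_s" ] || return 5
        sleep 1
    done
    rm -f "$pidfile"
    return 0
}

# aaa_restart PIDFILE EXPECTED_COMM RADIUSD_BINARY [radiusd options...]
# Starts the daemon only when nothing is left running under the pid file, so the
# new process cannot race the old one for the authentication and accounting ports.
aaa_restart() {
    pidfile=$1; want=$2; bin=$3; shift 3
    rc=0
    aaa_stop "$pidfile" "$want" || rc=$?
    case $rc in
        0|2|3) "$bin" "$@" ;;      # nothing running: safe to start
        *) return "$rc" ;;         # live or foreign process: do not start on top of it
    esac
}

# Stand-alone use with the paths the guide names:
#   aaa_restart /var/opt/aaa/run/radiusd.pid radiusd /opt/aaa/bin/radiusd
```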

Adding an HP-UX AAA Server to Your Network

Multiple servers can be configured and run using the AAA Server Manager graphic interface. You must establish at least one connection before you begin configuration. Only one connection can be local to the Server Manager program.
You can install a server to any machine that meets the system requirements and that can establish a UDP connection to the machine hosting the Server Manager.
To add an HP-UX AAA Server to your network, complete the following steps:
1. From the navigation tree, click the Server Connections link and then click the Connect to AAA Server link.
2. On the Create New Server Connection screen that appears, enter values as shown in Table 4-3.
Table 4-3 New Server Connection Screen Fields

Name
    An identifying string for a server running the AAA software.
Domain or IP Address
    Full DNS name or IP address (traditional IPv4 or IPv6 address) of an HP-UX AAA server. Examples:
    IPv4 address: 192.0.2.0
    IPv6 address: fedc:ba98:7654:3210:fedc:ba98:7654:3210
    Domain name: example.org
3. Click Create.
If the client program successfully connects to the server, the name you specified appears in the Status Frame displayed in the lower left corner of the program's interface.
Part II Configuring the HP-UX AAA Server Manager Using the Server Manager GUI
This part of the HP-UX AAA Server Administrator’s Guide contains the following chapters:
Chapter 5: “The HP-UX AAA Server Manager Interface” (page 76)
Chapter 6: “Managing HP-UX AAA Servers” (page 78)
Chapter 7: “Configuring RADIUS Clients Using the Access Devices Screen” (page 84)
Chapter 8: “Configuring Realms” (page 89)
Chapter 9: “Configuring Proxies” (page 105)
Chapter 10: “Configuring Users” (page 115)
Chapter 11: “Modifying Server Properties” (page 122)
Chapter 12: “Logging and Monitoring ” (page 129)
Table of Contents
5 The HP-UX AAA Server Manager Interface..................................................................................76
Commonly Used Icons in the GUI......................................................................................77
6 Managing HP-UX AAA Servers..................................................................................................78
Using the Server Connections Screen.................................................................................78
Adding a New Server ........................................................................................................78
Modifying Connection Attributes......................................................................................79
Deleting a Server Connection.............................................................................................80
Managing Multiple Servers................................................................................................81
Loading and Saving Your Configuration...........................................................................82
7 Configuring RADIUS Clients Using the Access Devices Screen.......................................................84
Navigating the Access Devices Screen...............................................................................84
Adding a RADIUS Client...................................................................................................84
Modifying a RADIUS Client’s Properties...........................................................................87
Deleting a RADIUS Client..................................................................................................88
8 Configuring Realms..................................................................................................................89
Using the Local Realms Screen...........................................................................................89
Adding a Realm..................................................................................................................89
Modifying Realms..............................................................................................................92
Special Entries.....................................................................................................................92
Deleting a Realm.................................................................................................................93
Configuring Realms for Authentication using an External Server....................................94
Configuring Realms for Database Access via SQL.......................................................94
Configuring Realms for LDAP .....................................................................................96
Modifying a Directory Configuration......................................................................98
Deleting a Directory Configuration.........................................................................98
Tuning the AAA Server to LDAP Server Connection..............................................99
Configuring Realms for Oracle.....................................................................................99
Configuring the HP-UX AAA Server Using Server Manager...............................100
To Configure and Run the db_srv Daemon ...................................................101
Scripts to Start and Stop the HP-UX AAA Server Oracle Daemon..................103
Configuring a SecurID Realm.....................................................................................103
9 Configuring Proxies................................................................................................................105
Navigating the Proxy Screen............................................................................................105
Changing the Default localhost Proxy Settings................................................................106
Creating or Modifying a Proxy.........................................................................................106
Forwarding Authentication Requests From a Proxy Server.......................................109
Forwarding Authentication Requests to a Remote Server..........................................110
Changing RADIUS Port Numbers....................................................................................111
Forwarding Requests to Alternate RADIUS Ports......................................................111
Forwarding Accounting Requests....................................................................................111
Proxying Authentication and Accounting Messages to the Same Server........................112
Proxying Accounting Requests to a Central Server..........................................................113
Deleting a Proxy................................................................................................................113
10 Configuring Users.................................................................................................................115
Navigating the Users Screen.............................................................................................115
Changing the Default test_user Settings..........................................................................115
Adding a User Profile ......................................................................................................116
Tabs on the Add Users Screen.....................................................................................118
Specifying Attributes Using the Free Attributes Pane...........................................118
Adding Users for SecurID Authentication.......................................................................119
Modifying User Profiles....................................................................................................119
Deleting a User Profile......................................................................................................120
To Delete a User Profile From the Default users File................................................120
To Delete a User Profile in a Local Realms File...........................................................121
11 Modifying Server Properties...................................................................................................122
Navigating the Server Properties Screen..........................................................................122
DHCP Relay Properties....................................................................................................122
DNS Updates Properties...................................................................................................123
Message Handling Properties...........................................................................................124
SNMP Properties..............................................................................................................125
Enable SNMP Support.................................................................................................125
Tunneling Properties.........................................................................................................125
Tunneling Reply Items (Optional)...............................................................................126
Certificate Properties........................................................................................................126
File Size Properties............................................................................................................127
Maximum Logfile Size.................................................................................................127
Miscellaneous Properties..................................................................................................127
Permit Microsoft Client Authenticate As Computer...................................................127
Local Users File Properties...............................................................................................128
ProLDAP Properties.........................................................................................................128
12 Logging and Monitoring .......................................................................................................129
Overview...........................................................................................................................129
Server Log Files ................................................................................................................129
Using Server Manager to Retrieve Logfile Information..............................................129
Search Parameters..................................................................................................130
Message Types .......................................................................................................131
Using Server Manager to Retrieve Statistics ...............................................................131
Accounting Log Files .......................................................................................................132
Using Server Manager to Retrieve Accounting Logfiles.............................................133
Format of Accounting Records in the Default Merit Style..........................................134
Time-Based Values.................................................................................................134
Client A-V Pairs......................................................................................................135
User Entry A-V Pairs..............................................................................................135
Session Tracking.....................................................................................................135
Writing Livingston CDR Accounting Records............................................................136
Livingston CDR Session Record Format................................................................137
Changing the Accounting Log Filename.....................................................................137
Changing the Accounting Log Rollover Interval........................................................138
Rolling Over the Log File and Accounting Stream.....................................................138

5 The HP-UX AAA Server Manager Interface

HP-UX AAA Server Manager (Server Manager) is a browser-based application. It uses the HP-UX Tomcat-based Servlet Engine to provide a configuration interface between a web browser and one or more AAA servers. The Server Manager is used to start, stop, configure, and modify the servers. In addition, Server Manager can retrieve information about logged server sessions and accounting information for an administrator.
Figure 5-1 shows the various parts of the Server Manager interface.
The Server Manager user interface consists of the following three sections:
The navigation tree: Click the links in the navigation tree to open the corresponding section in the Main Screen.
The Main Screen: Configure the HP-UX AAA Server on this screen.
HP-UX AAA Server Status Frame: View the status of your servers on this screen.
Figure 5-1 The HP-UX AAA Server Manager User Interface

Commonly Used Icons in the GUI

Click to add new servers, realms, or users.
Click to delete the corresponding entry.
Click to display a context-sensitive Help screen.
Click to edit the corresponding entry.
Indicates that the configuration file cannot be modified using the Server Manager. Edit the configuration file manually using a command line editor.

6 Managing HP-UX AAA Servers

Your server configuration can be synchronized and controlled across one or more server installations. These server installations can be on the same machine as the Server Manager program, or on different machines. Server Manager identifies each AAA installation as a server connection and maps a hostname to the IP address (both traditional IPv4 and IPv6 address formats are supported) or DNS name of a remote machine where an AAA server is installed.
NOTE: Before defining a connection, ensure that the HP-UX Tomcat-based Servlet Engine is running on the machine.
You cannot configure servers until a server connection is established. All configuration modifications are saved locally and are not associated with any server. A connection named localhost is configured as a server connection by default during installation.

Using the Server Connections Screen

The Server Connections screen shown in Figure 6-1 allows you to add a new server connection, and modify or delete an existing connection.
Figure 6-1 Server Manager’s Connected Server Screen

Adding a New Server

To add a new server, complete the following steps:
1. Click the add icon to display the Add Server screen.
The Add Connection screen appears as shown in Figure 6-2.
Figure 6-2 The Add Connection Screen
2. In the Server Attributes form, enter your server’s attributes according to the format shown in Table 6-1.
Table 6-1 Fields in the Connection Attributes Form

Name
    The identifying string of a remote server.
Domain Name or IP Address
    The client IP address or DNS name. Both traditional IP (IPv4) and IPv6 address formats are supported. The HP-UX AAA server can resolve DNS name entries to both IPv4 and IPv6 addresses.
    Enter an IPv4 address in dotted-quad notation. Enter an IPv6 address in IPv6 literal format notation. For example:
    IPv4 address: 192.0.2.0
    IPv6 address: fedc:ba98:7654:3210:fedc:ba98:7654:3210
3. Click Create to create the server connection.
Click Cancel to return to the Managed Servers screen without creating a new server connection.
IMPORTANT: When adding a connection to a new remote server, you must start the RMI objects on that host to allow Server Manager to administer the server. You can start the RMI objects from the command line with the following command:
$ /opt/aaa/remotecontrol/rmistart.sh

Modifying Connection Attributes

In the Server Connections screen, click the edit icon corresponding to the server whose attributes you wish to modify. The Modify Connection screen appears as shown in Figure 6-3.
Figure 6-3 The Modify Connection Screen
The HP-UX AAA Server Properties section of the form includes a list of pathnames that cannot be modified. These pathnames must match the installation directories of the remote server.
IMPORTANT: When setting an option to a given directory, the directory must exist and be editable on the machine. You must specify the logfile directory to access session logs through the maintenance functions listed in the navigation tree menu.

Deleting a Server Connection

To delete a server connection, complete the following steps:
1. In the Server Connections screen, click the icon corresponding to the server connection that you want to delete.
The Delete Server Connections screen appears as shown in Figure 6-4. This screen allows you to preview the properties of the server connection before you confirm deletion.
Figure 6-4 The Delete Server Connections Screen
2. Click Delete to remove the server connection. Click Cancel to return to the Server Connections screen without removing the server connection.

Managing Multiple Servers

The Server Status frame, located in the lower left corner of the Server Manager's interface, provides a list of server connections as shown in Figure 6-5.
Figure 6-5 Server Manager’s Server Status Frame
When your network includes multiple AAA servers, click the check box that precedes each listed connection to specify whether a command applies to the corresponding server.
When a server command, such as Start, is submitted, it will only be sent to checked servers. When you retrieve server logging, statistics, active sessions, or account information, only information from the checked servers will be displayed.
Table 6-2 displays the icons that can appear in Server Manager’s Server Status frame and describes them briefly.
Table 6-2 Icons in Server Manager’s Server Status Frame

Running: Indicates the server is connected and running.
Stopped: Indicates that the server is connected but is not currently running.
Failure: Indicates a communication error between the Server Manager and the AAA server.

Loading and Saving Your Configuration

AAA configuration files consist of one or more entries. When accessing these files through the Server Manager interface, the initial screen lists each existing entry and provides controls to open HTML forms. You can add or modify the AAA server’s configuration files by entering values in these forms. You must then submit these values to the program. The fields in the HTML forms include text boxes, drop-down lists, and other form controls. Fields with bold labels require values for a complete configuration.
Server Manager stores changes you make to the server configuration, but does not immediately save them on a remote server. When you select the Load Configuration link from the navigation tree, the interface (shown in Figure 6-6) displays a prompt. You can edit the server configuration settings using this prompt. Information for the access device, proxies, local realms, users, and server properties in the loaded configuration will replace the existing information for all server configuration items.
Figure 6-6 Server Manager’s Load Configuration Screen
After you have made changes to the server configuration items, you can save the modified configuration on any server that has an active connection with the Server Manager program. When you click Save Configuration, the Server Manager interface displays a prompt (shown in Figure 6-7). Using this prompt, you can select the servers on which the settings must be saved.
CAUTION: Clicking Save saves the entire server configuration settings (access device, proxies, local realms, users, and server properties) on the specified servers.
Figure 6-7 Server Manager’s Save Configuration Screen
NOTE: If you do not wish to save changes that have been made, you can revert to the previous settings by loading the original configuration.
A running server does not recognize configuration modifications. After the changes have been saved on a server, you have to restart the server.
NOTE: Only one administrator at a time can edit a given functional area (access device, proxies, local realms, users, server properties) of a server configuration. After you access the configuration screens for a functional area, the Server Manager does not allow others to access that functional area until you have moved to a different item.
7 Configuring RADIUS Clients Using the Access Devices Screen
The server configuration must include all the clients (NASs, access points and other network devices) that can communicate with the AAA server. If an access device is not included in the configuration, the server will not handle requests from, or send requests to the client. The Access Devices screen allows you to add a new client, and modify, or delete an existing client in the server configuration.

Navigating the Access Devices Screen

The Access Devices screen shown in Figure 7-1 allows you to add a new RADIUS client, or modify or delete an existing RADIUS client.
Figure 7-1 Server Manager’s Access Device Screen

Adding a RADIUS Client

To add a RADIUS client through the Access Devices screen, complete the following steps:


1. In the Access Devices screen, click the add icon corresponding to the New Access Device list.
The Add Access Device Screen appears as shown in Figure 7-2.
Figure 7-2 Server Manager’s Access Device Attributes Screen
2. In the Access Device Attributes form, enter information according to the information in Table 7-1.
Table 7-1 Add Access Device Configuration Form Options

Name
    Enter the network location of the network device. This may be an IPv4 address (in dotted-quad notation), an IPv6 address (in colon-separated notation), or a valid DNS host name. When specifying Name as a DNS host name, you must use the name returned by the hostname command.
    Notes:
    Ensure that your DNS is configured correctly (with both forward and reverse entries) for your AAA server. The AAA server determines the name of the machine that it is running on. If this name does not match the entry in your local DNS server's database, you cannot configure the access device correctly.
    You can use wildcards to provide access for all traditional IP (IPv4) clients in a particular subnet. Examples of valid IPv4 wildcard patterns are:
    *
    192.*
    192.0.*
    192.0.2.*
    You can use wildcards to provide access for all IPv6 clients in a particular subnet. The allowed IPv6 wildcard patterns are constructed by appending a ‘*’ to a partial IPv6 address or by specifying a single ‘*’. Examples of valid IPv6 wildcard patterns are:
    *
    fedc:ba98:7654:3210:fe*
    fedc:ba98:7654:3210:fedc:ba98:*
    The special IPv6 syntax of compressing zeroes using "::" is not allowed in IPv6 wildcard patterns. For example, ‘fedc::ba98:fe*’ is not allowed.
Shared Secret
    Enter the shared secret, or the encryption key, between the client and the server. The shared secret must be less than 255 characters. A request from a client for which the server does not have a shared secret is silently discarded.
Confirm Shared Secret
    Confirm the secret by typing it again.
Vendor
    Enter the vendor-specific attributes that must be returned to the access device in a reply. In most applications, you can select the hardware vendor of the device, or Generic if the device is not listed. You can make multiple selections by holding down the control key as you select vendor names.
    The server prunes vendor-specific attributes for a given vendor if that vendor’s name is not properly defined in the vendors file and its attributes are not properly defined in the dictionary file.
    NOTE: The Generic vendor prunes all vendor-specific attributes before a message is returned to a NAS. This setting can be used to help prevent problems that occur if an unencapsulated vendor attribute is not correctly mapped in the vendors file.
    IMPORTANT: To define a wireless access point using the MS-CHAP protocol, you must select Microsoft as one of the vendor selections.
Options
    Select any of the check boxes to specify additional message-handling options. The options are:
    RAD_RFC: Verifies that the Access-Request conforms with the RADIUS RFC. Nonconforming messages are dropped.
    ACCT_RFC: Verifies that the Accounting-Request conforms with the Accounting RFC. Nonconforming messages are dropped.
    Debug: Dumps packets into the server’s debug output file.
    No Check: Helps enhance server performance. When this option is checked, the HP-UX AAA Server does not check all attributes to determine if the request is a duplicate. Check this option if you know that the client sends standard messages that can easily be detected as duplicates.
    No Encaps: Does not encapsulate the vendor response (if the client requires unencapsulated A-V pairs).
    Old Chap: For clients that perform pre-RFC CHAP.
3. Click Create to submit the new RADIUS client to the Server Manager. Click Cancel to return to the Access Device screen without making any changes to your server configuration.
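The Name wildcard rules and the shared-secret length limit from Table 7-1, as an added example that is not part of the guide: a POSIX shell validator for the wildcard forms the table illustrates, a matcher that tests a client address against one pattern, and a shared-secret length check. It assumes the accepted wildcard forms are exactly those shown (a lone '*', a dotted IPv4 prefix ending in '.*', a full IPv4 address, or an IPv6 prefix ending in '*' with no '::') and that hex digits compare case-insensitively; the function names are this example's own.

```shell
# Added example (not from the HP-UX AAA Server guide): checks an access-device
# Name against the wildcard forms Table 7-1 illustrates, matches a client address
# against a pattern, and enforces the shared-secret length limit.
# Assumptions of this example: accepted wildcard forms are exactly a lone "*",
# a dotted IPv4 prefix ending in ".*", a full IPv4 address, or an IPv6 prefix
# ending in "*" with no "::"; hex digits are compared case-insensitively.

# aaa_wildcard_valid PATTERN -> 0 if PATTERN is an allowed address or wildcard form
aaa_wildcard_valid() {
    p=$1
    case $p in
        '*')   return 0 ;;     # a single "*" admits every client
        *::*)  return 1 ;;     # "::" zero compression is not allowed in wildcards
        *' '*) return 1 ;;     # no whitespace anywhere
    esac
    # IPv4: a full dotted-quad address, or one to three dotted octets followed by "*"
    if printf '%s\n' "$p" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$|^([0-9]{1,3}\.){1,3}\*$'; then
        return 0
    fi
    # IPv6: hex groups separated by single colons, then "*" appended to a partial address
    if printf '%s\n' "$p" | grep -Eq '^[0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4})*(:[0-9A-Fa-f]{0,4})?\*$'; then
        return 0
    fi
    return 1
}

# aaa_client_matches PATTERN ADDRESS -> 0 on match, 1 on no match, 2 if PATTERN is malformed
aaa_client_matches() {
    pat=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    addr=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    aaa_wildcard_valid "$pat" || return 2      # never match on a malformed pattern
    case $addr in
        $pat) return 0 ;;   # unquoted on purpose: "*" acts as a glob, "." and ":" are literal
    esac
    return 1
}

# aaa_secret_ok SECRET -> 0 if the shared secret is non-empty and shorter than 255 characters
aaa_secret_ok() {
    [ "${#1}" -gt 0 ] && [ "${#1}" -lt 255 ]
}
```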

Modifying a RADIUS Client’s Properties

To modify the properties of an existing RADIUS client, complete the following steps:
1. In the Access Device screen, click the edit icon corresponding to the client whose properties you want to edit.
The Modify Access Device screen appears, similar to the one shown in Figure 7-2.
2. Edit the fields in the Access Device Attributes form. See Table 7-1 for more information on how to fill in the form.
3. Click Modify to save changes.
Click Cancel to return to the Access Devices screen without saving any changes.

Deleting a RADIUS Client

To delete a RADIUS client, complete the following steps:
1. In the Access Device screen, click the icon corresponding to the RADIUS client you want to delete.
The Delete Access Device screen appears as shown in Figure 7-3. This screen allows you to preview the access device entry before you confirm deletion.
Figure 7-3 The Delete Access Device Screen
2. Click Delete to delete the RADIUS client. Click Cancel to return to the Access Devices screen without deleting the RADIUS client.

8 Configuring Realms

A realm is a group of users who share a common characteristic, such as being customers of the same Internet Service Provider (ISP). All users of a given realm are handled in the same way, either proxied to a remote server or locally authenticated using a specified method according to the authentication type assigned to the realm.

Using the Local Realms Screen

The Local Realms screen (shown in Figure 8-1) allows you to configure realms for the HP-UX AAA RADIUS server by adding a new realm, or modifying or deleting an existing realm in the server’s authfile.
Figure 8-1 Server Manager’s Local Realms Screen

Adding a Realm

To add a realm entry, complete the following steps:
1. From the navigation tree, click Local Realms.
The Local Realms screen appears as shown in Figure 8-1.
2. To add a new realm, click the icon.
The Add Local Realm screen appears as shown in Figure 8-2.
Figure 8-2 Server Manager’s Local Realm Attributes Screen
3. Complete the form on the Local Realm Attributes screen according to the information given in Table 8-1.
Table 8-1 Fields in the Local Realm Attributes Form (Option / Function)

Name
    Name of the realm that must be mapped. This name does not have to be a DNS host name. However, HP recommends that the realm name match a domain name, so that users recognize the user@realm syntax because it resembles their e-mail address.

User Authentication
    Identifies the authentication method used for the realm:
    Enable EAP: Select this option if user authentication by an EAP challenge is required, then select one or more EAP types. At least one authentication method must be selected. For PEAP (EAP-GTC), you must configure the NULL realm.
    The "PEAP version 0 only" checkbox is displayed if you select PEAP (EAP-GTC), PEAP (EAP-MSCHAP), or PEAP (EAP-MD5). Select this checkbox if your supplicant uses the PEAP version 0 protocol.
    Enable RADIUS Standard: Default. Select this option if user authentication via password checking is required.
    If both Enable EAP and Enable RADIUS Standard are selected, authentication is carried out based on the Authentication-Type configuration attribute set in the RADIUS request.

User Profile Storage
    Indicates the location from which the AAA server retrieves user profiles:
    users: Choose this option to store user information locally in AAA Server flat files. Choosing this option allows you to administer user information with Server Manager. Server Manager can administer only user information stored locally in the AAA Server flat files.
    Database Access via SQL, LDAP, Oracle, or SecurID/ACE Server: Choose this option if the user profile information is stored in an external database. See the individual chapters for more information.
    OS Security Database: HP-UX operating systems use a number of repositories or "databases" to store information about hosts, users, passwords, and so on. User password lookup is performed through the name-service switch configured in /etc/nsswitch.conf. See the nsswitch.conf man page for more information.
    No Store: EAP-TLS Certificates: Choose this option if you are using TLS and do not want to store user information. With TLS you are not required to store user information because the TLS certificates provide the user information needed for authentication. Note that no per-user profile is consulted with this setting, so the decision rests entirely on certificate validation.
    No Store: Allow All Users: Choose this option to allow all requests from a realm.
    No Store: Deny All Users: Choose this option to deny all requests from a realm.

User Storage Parameters
    Identifies the location, access, and policy parameters for the selected User Profile Storage.

Alias
    Optional. A parenthesized list of one or more aliases, delimited by commas. Each realm alias is equivalent to the realm name. An alias is provided for user convenience or other purposes, such as to save typing when logging on to your network. Aliases are allowed on wild card entries and are interpreted as meaning *.alias.

Filter ID
    Optional. Allows the specification of a packet filter name to be associated with authentication through this realm name. It overrides any explicit filter name specified in a user profile.

Session Tracking
    Optional. Determines whether session tracking is enabled for a realm. When you enable session tracking, accounting records are generated for the realm and active sessions can be searched using the Session option on the navigation tree.

4. To add a new realm, click Create to submit the new realm to the Server Manager.
To return to the Realms screen without making any changes to your server configuration, click Cancel.

Modifying Realms

To modify the properties of an existing realm, complete the following steps:
1. From the navigation tree, click Local Realms.
The Local Realms screen appears as shown in Figure 8-1.
2. Click the icon corresponding to the realm whose properties you want to modify.
The Modify Local Realm screen appears similar to the screen shown in Figure 8-2.
3. Modify the properties on the Local Realm Attributes screen according to the information given in Table 8-1.
4. To submit changes to the realm entry to the Server Manager, click Modify.
To return to the Realms screen without making any changes to your server configuration, click Cancel.
NOTE: The icon indicates that the configuration file cannot be modified using the Server Manager. Edit the file manually using a command line editor.

Special Entries

There are a few special entries that you can use while configuring realms. Table 8-2 shows the special entries you can use.

Table 8-2 Special Entries (Special Entry / When to Use)

Wildcard Entries
    When specifying the primary realm for an entry, you can use a wild card syntax such as *.realm. This syntax provides a shorthand for associating several related realms with a single authentication type. For example, a company may have several branches: eastern.company.com, western.company.com, and central.company.com. The wild card entry for that company would define *.company.com as the realm, which covers all three realms. HP recommends that any such wild card entry be listed after more specific entries. This order allows the preceding, specific entries to override the wild card entry.

DEFAULT Realm
    The DEFAULT realm acts as a matching realm entry for all realms. By default, the DEFAULT realm is configured to authenticate against the default set of users. Disable the DEFAULT realm by choosing the No Store: Deny All Users option in the User Profile Storage drop-down list.

NULL Realm
    The NULL realm authenticates users that do not identify their realm when requesting access (for example, the AAA server receives an access request from user instead of user@organization.com). By default, the NULL realm is disabled with the No Store: Deny All Users setting.

Deleting a Realm

Complete the following steps to delete a realm:
1. In the Local Realms screen, click the icon corresponding to the realm you want to delete.
The Delete Local Realm screen appears as shown in Figure 8-3. This screen allows you to preview the realm attributes before you confirm deletion.
Figure 8-3 The Delete Local Realm Screen
2. Click Delete to delete the realm. Click Cancel to return to the Local Realms screen without deleting the realm.
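The realm-selection rules that Table 8-2 describes in prose (specific entries, *.realm wildcards, aliases, the NULL realm for requests without a realm, and DEFAULT as the catch-all) are easy to get wrong in ordering. The following is an added example, not HP-UX AAA Server code and not a parser for the authfile: it models those rules over plain Python records and includes a lint that reports entries an earlier entry will always capture. Two points are assumptions rather than statements from this guide: matching is first-match in configured order (HP's advice to list wildcards after specific entries implies this), and *.company.com does not match the bare company.com. RealmEntry, resolve_realm, shadowed_entries and the SAMPLE_REALMS configuration are constructed for the example.

```python
"""Realm lookup as described for the Local Realms screen and Table 8-2.

Added example; not HP-UX AAA Server code. Assumed rules: an entry matches
its own name or one of its aliases; a wildcard entry "*.realm" matches the
subdomains of realm (an alias on a wildcard entry is read as "*.alias");
a request with no "@realm" part goes to the NULL realm; DEFAULT matches
every realm; the first matching entry in configured order wins.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RealmEntry:
    name: str            # realm name, "*.wildcard", "DEFAULT" or "NULL"
    storage: str         # User Profile Storage choice, e.g. "users", "LDAP"
    aliases: tuple = ()  # realm aliases, each equivalent to the realm name


def split_user(user_name):
    """Split 'user@realm' into (user, realm); realm is None when absent.

    Only the last '@' separates the realm, so 'a@b@c.org' is user 'a@b' in
    realm 'c.org'. Realm names are compared case-insensitively.
    """
    user, sep, realm = user_name.rpartition("@")
    if not sep:
        return user_name, None
    return user, (realm.lower() or None)


def _pattern_matches(pattern, realm):
    pattern = pattern.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]             # "*.company.com" -> ".company.com"
        return realm.endswith(suffix) and len(realm) > len(suffix)
    return realm == pattern


def entry_matches(entry, realm):
    """True if the entry's name or one of its aliases matches realm."""
    wildcard = entry.name.startswith("*.")
    for name in (entry.name,) + tuple(entry.aliases):
        if wildcard and not name.startswith("*."):
            name = "*." + name           # alias on a wildcard entry means *.alias
        if _pattern_matches(name, realm):
            return True
    return False


def resolve_realm(entries, user_name):
    """Return the first entry (in configured order) that handles user_name."""
    _user, realm = split_user(user_name)
    for entry in entries:
        kind = entry.name.upper()
        if realm is None:                # no realm given: only NULL applies
            if kind == "NULL":
                return entry
            continue
        if kind == "NULL":
            continue
        if kind == "DEFAULT" or entry_matches(entry, realm):
            return entry
    return None


def shadowed_entries(entries):
    """Configuration lint: names of entries an earlier entry always captures.

    A specific entry listed after the wildcard that covers it, or any entry
    listed after DEFAULT, can never be selected.
    """
    shadowed = []
    for i, entry in enumerate(entries):
        if entry.name.upper() in ("DEFAULT", "NULL"):
            continue
        probe = entry.name
        if probe.startswith("*."):
            probe = "probe" + probe[1:]  # a realm this wildcard would match
        if resolve_realm(entries[:i], "probe@" + probe) is not None:
            shadowed.append(entry.name)
    return shadowed


# Constructed sample configuration in the recommended order: the specific
# entry first, then the wildcard covering its siblings, then the special entries.
SAMPLE_REALMS = (
    RealmEntry("eastern.company.com", "LDAP"),
    RealmEntry("*.company.com", "users", aliases=("company.net",)),
    RealmEntry("NULL", "No Store: Deny All Users"),
    RealmEntry("DEFAULT", "users"),
)


if __name__ == "__main__":
    for name in ("joe@eastern.company.com", "bob@western.company.com",
                 "dawn@lab.company.net", "maria", "eve@other.org"):
        hit = resolve_realm(SAMPLE_REALMS, name)
        print(f"{name:28} -> {hit.name if hit else None}")
    print("shadowed:", shadowed_entries(SAMPLE_REALMS))
```

Run shadowed_entries over your own realm list after editing the authfile by hand: a wildcard or DEFAULT entry placed above a more specific entry silently routes that realm's users to the wrong store, and with DEFAULT still set to the local users file that is an authentication path you did not intend to expose.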

Configuring Realms for Authentication using an External Server

This section discusses how to configure realms for authentication using Database Access via SQL, Lightweight Directory Access Protocol (LDAP), the Oracle authentication module, and the SecurID/ACE server.
Configuring Realms for Database Access via SQL
A realm can be configured for Database Access via SQL only after setting up the HP-UX AAA Server to connect to the database and configuring the connection parameters and SQL actions in sqlaccess.config. See Chapter 18: "SQL Access" (page 207) for details on setting up the HP-UX AAA Server for SQL Access.
Perform the following steps to configure the realm for Database Access via SQL.
1. From the navigation tree, click Local Realms.
2. On the Local Realms screen, click New Local Realm to open the Local Realm Attributes screen.
3. In the Name field, enter the name of the realm for which the user profiles are stored in a database and accessed using the SQL Access feature.
The name does not have to be a DNS host name. However, HP recommends that you set the realm name to correspond with the domain name. This enables the user@realm syntax to resemble the e-mail address for all theusers in the domain.
4. In the User Profile Storage field, select Database Access via SQL.
The user storage parameters for Database Access via SQL are displayed as shown in Figure 8-4.
Figure 8-4 User Storage Parameters for Database Access via SQL
5. In the User Storage Parameters field, select one of the following options:
RADIUS Attribute: Specify the RADIUS attribute in the <vendorID>:<attribute> format. This RADIUS attribute must contain the SQL action used for authentication. If vendorID is not specified, 0 is assumed, which corresponds to a standard RADIUS attribute.
NOTE: The <vendorID> component must be a value that is defined in the vendors file, and the <attribute> component must be a value that is defined in the dictionary file.
SQL Action Id: Select the SQL action from the drop-down list.
IMPORTANT: Ensure that the appropriate SQL action is selected from the drop-down list. Selecting an incorrect SQL action can result in an authentication failure or unintentional changes to the database records.
6. Complete any remaining optional fields as necessary for your configuration.
7. Click Create. If the realm is successfully created, the Local Realms screen will list the new realm.
8. From the navigation tree, click Save Configuration.
If you have multiple remote servers, you will be prompted to select and confirm the servers where the realm configuration will be applied.
Configuring Realms for LDAP
This section discusses how to configure realms for Lightweight Directory Access Protocol (LDAP). These realms can be configured only after setting up the LDAP server. See Chapter 17: "LDAP Authentication" (page 204) for information on setting up an LDAP server.
To configure each realm using LDAP, you must specify the directory server, search base, and other parameters necessary to find profiles for the users in the realm.
Complete the following steps to configure realms for LDAP:
1. From the navigation tree, click Local Realms.
2. On the Local Realms screen, click New Local Realm to open the Local Realm Attributes screen.
3. In the Name field, enter the name of the realm to map to the defined LDAP location. This name does not have to be a DNS host name. However, HP recommends that the realm name correspond with the domain name, so that users recognize the user@realm syntax because it resembles their e-mail address.
4. In the User Authentication Field, select the authentication methods to authenticate users for the realm. If you are using TTLS-PAP, TTLS-MSCHAP, or TTLS-CHAP, select Enable RADIUS Standard. For all other methods, select Enable EAP and choose at least one EAP method from the drop-down list.
5. In the User Profile Storage field, select LDAP.
The user storage parameters for LDAP appear when you select LDAP from the User Profile Storage drop-down list. These parameters identify a section of the directory tree on one or more LDAP servers where the HP-UX AAA software will attempt to retrieve user profiles.
6. In the User Storage Parameters field, select New LDAP Directory or the name of an existing LDAP directory.
7. In the LDAP screen that appears, configure the LDAP directory using the information described in Table 8-3.
Table 8-3 Values for Configuring Realms for LDAP (Value / Description)

Directory Name
    Start of a directory configuration. Give a name to the directory, which can be an arbitrary string. If the name contains spaces or tabs, enclose the string in single or double quotes.

Host
    Name of the host on which the LDAP directory server runs. The value should be a fully qualified DNS name, although an IP address also works. Both IPv4 and IPv6 address formats are supported, and the HP-UX AAA Server can resolve DNS names to IPv4 and IPv6 addresses. Enter an IPv4 address in dotted-quad notation and an IPv6 address in IPv6 literal notation. For example:
    IPv4 address: 192.0.2.0
    IPv6 address: fedc:ba98:7654:3210:fedc:ba98:7654:3210

Port (Optional)
    Port number on which the directory server is listening. The default value is 389.

Use SSL
    Enables or disables SSL connections between the HP-UX AAA Server and the LDAP directory. If you enable SSL, you must specify the server's CA certificate path or fully qualified file name in the Server Properties -> ProLDAP Properties window.

Administrator
    Special user ID used when an authenticated search is allowed on the LDAP directory server. This account does not need to be a real administrator of the LDAP directory server, but it must have read access to all the users (and their passwords) that the AAA server is intended to authenticate. Because it can read every user's password, protect its credentials accordingly.

Password
    Password the Administrator uses to bind (authenticate) to the LDAP directory server.

Search Base
    Pointer into the directory where the search for users in a realm starts. Specifying a search base improves server performance by limiting the scope of search operations on user information for a particular realm. A search base contains a list of A-V pairs that trace a path from a location in the directory's schema to the top of the directory. For example, a search base of o=hp,c=US represents a search for one of the users in the following tree:

        c=US
          |
        o=hp
          |
          +-- uid=Joe
          +-- uid=Bob
          +-- uid=Dawn
          +-- uid=Maria

    The A-V pairs used depend on the schema of your particular directory server.
    NOTE: It is more efficient to start your search lower in the directory structure rather than higher. HP recommends that you eliminate spaces between Search Base components (for example, instead of ou=abc,o=cde, c=us, use ou=abc,o=cde,c=us).

Filter
    The Filter flag allows authentication to be based either on the LDAP uid attribute, which normally is CIS, or on the AAA Server User-Id attribute, which is normally BIN. User-Id is an AAA Server-specific RADIUS attribute. This optional flag defaults to uid.
    IMPORTANT: With multiple LDAP directory servers, the Filter used for lookups must be consistent across all directories specified for a particular realm. Potential filters are uid, User-Id, or some other key that uniquely identifies a subject to be authenticated on the system. Currently, the LDAP module does not enforce the use of consistent filters, but using inconsistent filters may produce unpredictable authentication failures.

Authentication Type
    AUTO performs a search as the configured Administrator (or searches anonymously if no administrator is configured), anticipating that the password is in the result. It binds as the user if the password is not available. This mode makes the AAA server flexible in accommodating LDAP directories. If directories are configured to return passwords with search, AUTO is equivalent to SEARCH.
    BIND binds as the user for authentication.
    SEARCH performs a search as the configured Administrator and expects the user's password in the search result.
8. In the LDAP screen, click Save.
9. Repeat steps 6 through 8 for each redundant directory you wish to use for failover.
10. Complete any remaining optional fields as necessary for your configuration.
11. Click Create.
12. From the navigation tree, click Save Configuration.
If you have multiple remote servers, you will be prompted to select and confirm the servers to which the entry will be added.
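The Authentication Type, Filter and Search Base values in Table 8-3 interact: SEARCH needs the Administrator to read userPassword, AUTO falls back to binding as the user when the directory withholds it, and a search base set too high can return more than one entry for the same uid. The following is an added example, not HP-UX AAA Server or ProLDAP code, that runs the three modes against an in-memory stand-in for a directory so the behaviour can be seen offline. FakeDirectory, ldap_authenticate, make_config, the attribute names uid / User-Id / userPassword, the {SSHA} password format and the sample entries are all constructed for illustration; a real deployment talks to the directory through an LDAP client library.

```python
"""The three LDAP Authentication Type modes of Table 8-3, run against an
in-memory stand-in for a directory.

Added example; not HP-UX AAA Server or ProLDAP code. The stand-in either
returns userPassword to the Administrator's search (returns_passwords=True)
or withholds it, which is the case the AUTO mode exists to handle.
"""
import base64
import hashlib
import hmac
import os


def ssha_hash(password, salt=None):
    """Produce an OpenLDAP-style {SSHA} value: base64(sha1(pw + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def verify_password(stored, candidate):
    """Compare candidate with a stored userPassword ({SSHA} hash or cleartext)."""
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = raw[:20], raw[20:]
        return hmac.compare_digest(hashlib.sha1(candidate.encode() + salt).digest(), digest)
    return hmac.compare_digest(stored.encode(), candidate.encode())


class FakeDirectory:
    """Minimal directory: bind checks a DN's password, search walks the tree."""

    def __init__(self, entries, admin_dn, admin_pw, returns_passwords):
        self.entries = entries                    # dn -> attribute dict
        self.admin_dn, self.admin_pw = admin_dn, admin_pw
        self.returns_passwords = returns_passwords

    def bind(self, dn, password):
        if dn is None:
            return True                           # anonymous bind
        if dn == self.admin_dn:
            return hmac.compare_digest(password.encode(), self.admin_pw.encode())
        attrs = self.entries.get(dn)
        return attrs is not None and verify_password(attrs["userPassword"], password)

    def search(self, bound_as, base, filter_attr, value):
        """Return (dn, attrs) for entries under base whose filter_attr == value."""
        hits = []
        for dn, attrs in self.entries.items():
            if dn.endswith("," + base) and attrs.get(filter_attr) == value:
                visible = dict(attrs)
                # userPassword is visible only to the administrator, and only
                # when the server is configured to return it at all
                if bound_as != self.admin_dn or not self.returns_passwords:
                    visible.pop("userPassword", None)
                hits.append((dn, visible))
        return hits


def make_config(auth_type, search_base="o=hp,c=US", filter_attr="uid",
                administrator="cn=aaa,o=hp,c=US", admin_password="aaa-bind-pw"):
    """Constructed stand-in for the Table 8-3 fields of one directory entry."""
    return {"auth_type": auth_type, "search_base": search_base, "filter": filter_attr,
            "administrator": administrator, "admin_password": admin_password}


def ldap_authenticate(directory, cfg, user_id, password):
    """Authenticate user_id according to cfg['auth_type']; returns (ok, reason)."""
    admin = cfg["administrator"]
    if admin and not directory.bind(admin, cfg["admin_password"]):
        return False, "administrator bind failed"
    hits = directory.search(admin, cfg["search_base"], cfg["filter"], user_id)
    if len(hits) != 1:                            # Filter must identify exactly one subject
        return False, "expected exactly one entry, found %d" % len(hits)
    dn, attrs = hits[0]
    mode = cfg["auth_type"]
    if mode == "SEARCH":
        if "userPassword" not in attrs:
            return False, "SEARCH mode but the directory did not return userPassword"
        return verify_password(attrs["userPassword"], password), "compared search result"
    if mode == "BIND" or "userPassword" not in attrs:   # BIND, or AUTO falling back
        return directory.bind(dn, password), "bound as " + dn
    return verify_password(attrs["userPassword"], password), "compared search result"


# Constructed sample tree: o=hp and o=other under c=US, both holding a 'joe'.
SAMPLE_ENTRIES = {
    "uid=joe,o=hp,c=US": {"uid": "joe", "User-Id": "joe@hp.com",
                          "userPassword": ssha_hash("s3cret", b"salt")},
    "uid=bob,o=hp,c=US": {"uid": "bob", "User-Id": "bob@hp.com", "userPassword": "bob-pw"},
    "uid=joe,o=other,c=US": {"uid": "joe", "User-Id": "joe@other.com", "userPassword": "x"},
}


def sample_directory(returns_passwords):
    return FakeDirectory(SAMPLE_ENTRIES, "cn=aaa,o=hp,c=US", "aaa-bind-pw", returns_passwords)


if __name__ == "__main__":
    for returns in (True, False):
        d = sample_directory(returns)
        for mode in ("AUTO", "BIND", "SEARCH"):
            print(returns, mode, ldap_authenticate(d, make_config(mode), "joe", "s3cret"))
    # a search base set too high finds both 'joe' entries and fails closed
    print(ldap_authenticate(sample_directory(True), make_config("AUTO", search_base="c=US"),
                            "joe", "s3cret"))
```

Two things the run makes visible: SEARCH fails outright against a directory that does not hand userPassword to the Administrator, whereas AUTO and BIND let the directory itself verify the password and never require a privileged reader of password attributes; and a Search Base of c=US instead of o=hp,c=US turns a unique uid into two hits, which this example treats as a failure rather than picking one.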
Modifying a Directory Configuration
Complete the following steps to modify a directory configuration:
1. On the Local Realms screen, select the name of the directory definition you wish to modify.
2. Change the values if needed.
3. Click Modify.
Deleting a Directory Configuration
Complete the following steps to delete a directory configuration:
1. On the Local Realms screen, select the name of the directory definition you wish to delete.
2. Click Delete.
Tuning the AAA Server to LDAP Server Connection
The AAA server to LDAP server connection can be tuned by adding the following entry to /etc/opt/aaa/aaa.config and then stopping and starting the server. Note that this entry uses a block syntax that differs from the other aaa.config variables:

    aatv.ProLDAP {
        Retry-Interval 60
        Retry-Wait 1
        Timeout 60
        TCP-Timeout 3
        Debug 0
    }

Retry-Interval sets the number of seconds the AAA server waits before trying to reconnect to an LDAP directory server when a realm has failover directory servers configured. The default value is 60 seconds.
Retry-Wait sets the number of seconds the AAA server waits before attempting to connect to the same failover LDAP server again. When all failover directory servers configured for a realm are down, the AAA server tries to reconnect to one every time an access request is received; this parameter guarantees that the software does not spend too much time trying to reconnect to those directory servers. The default value is 1 second.
Timeout sets the number of seconds an LDAP connection remains open when the AAA server has not been able to perform any successful LDAP operation on it. This parameter allows better handling of the situation where the LDAP directory times out client connections.
TCP-Timeout sets the number of seconds the AAA server waits for an LDAP server when trying to establish the Transmission Control Protocol (TCP) connection.
Debug determines whether OpenLDAP debug messages are written to the AAA server radius.debug file. A value of 0 disables writing these messages; a value of -1 enables it.
Configuring Realms for Oracle
This section discusses how to configure realms for Oracle authentication. These realms can be configured only after setting up the Oracle database server. See Chapter 19: "Oracle Authentication (Supported Using SQL Access)" (page 248) for more information on setting up the Oracle database server for Oracle authentication.
To authenticate users stored in an Oracle database, you must configure the AAA server, run the db_srv daemon on each Oracle host machine, and configure one or more Oracle databases with user information according to your requirements. See "Configuring the Oracle Database" (page 251) for information on how to configure your Oracle database.
Configuring the HP-UX AAA Server Using Server Manager
For each realm using Oracle authentication, you must specify the Oracle server.
Complete the following steps to configure the HP-UX AAA Server Manager for Oracle authentication:
1. From the navigation tree, click Local Realms to open the Local Realms screen.
2. Click New Local Realm to open the Local Realm Attributes screen.
3. In the Name field, enter the name of the realm. This name does not have to be a DNS host name. However, HP recommends that the realm name correspond with the domain name, so that users recognize the user@realm syntax because it resembles their e-mail address.
4. In the User Profile Storage, select Oracle.
When you select Oracle from the User Profile Storage drop-down list, a drop-down list appears in the User Storage Parameters section of the form. This drop-down list allows you to create and modify Oracle configurations for the realm.
5. In the User Storage Parameters drop-down list, select New Oracle Server, or the name of an existing Oracle server.
6. Complete the Oracle Server screen (shown in Figure 8-5) that appears by specifying the host name or IP address of the Oracle server (the host running the db_srv daemon), followed by the port number that it uses.
Figure 8-5 New Oracle Server Screen
You can list any number of Oracle servers. Choose how many to list based on the number of requests received and on machine performance. Each listed server must have a unique DNS name and port.
7. Repeat steps 5 and 6 for each redundant Oracle server you wish to use.