HP HP-UX AAA Administrator's Guide

HP-UX AAA Server A.07.01 Administrator’s Guide

HP-UX 11i v1, HP-UX 11i v2, and HP-UX 11i v3

HP Part Number: T1428-90068 Published: September 2008 Edition: Edition 9

Confidential computer software. Valid license required from HP for possession, use or copying. Consistent with FAR 12.211 and

12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are

licensed to the U.S. Government under vendor’s standard commercial license.

The information contained herein is subject to change without notice. The only warranties for HP products and services are set

forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as

constituting additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

UNIX is a registered trademark of The Open Group.

Java™ is a US trademark of Sun Microsystems.

Microsoft®, Windows ®, and Windows NT ® are U.S. registered trademarks of Microsoft Corporation.

Oracle ® is a registered US trademark of Oracle Corporation, Redwood City, California.

OpenLDAP ® is a registered trademark of the OpenLDAP Foundation

Netscape Navigator ™ is a registered trademark of Time Warner, Inc.

About This Document ..................................................................................................................23

Intended Audience.............................................................................................................23

New and Changed Information in This Edition.................................................................23

Document Organization.....................................................................................................24

Publishing History..............................................................................................................24

Typographic Conventions..................................................................................................25

HP-UX Release Name and Release Identifier.....................................................................26

Related Information............................................................................................................26

HP Encourages Your Comments........................................................................................26

I Introduction...............................................................................................................................27

1 Overview: The HP-UX AAA Server .......................................................................................30

RADIUS Topology ........................................................................................................31

Establishing a RADIUS Session.....................................................................................32

Product Structure..........................................................................................................34

HP-UX AAA Server Daemon, Libraries, and Utilities ............................................34

HP-UX AAA Server Manager Program ..................................................................34

Documentation.........................................................................................................34

HP-UX AAA Server Architecture .................................................................................35

Configuration Files ..................................................................................................36

AATV Plug-Ins ........................................................................................................36

The Software Engine: Finite State Machine ............................................................36

HP-UX AAA Server Commands, Utilities and Daemons.............................................37

Handling an Access Request.........................................................................................37

Authentication to Verify the Client and User .........................................................38

Authorization to Control Sessions and Access to Services .....................................40

Authorization Steps ...........................................................................................41

Session Logs For Accounting .......................................................................................44

IPv6 Support for External Services................................................................................44

2 Upgrading to Version A.07.01..............................................................................................45

The HP-UX AAA Server Upgrade Process...................................................................45

Upgrading from Versions A.07.00, A.06.02, or A.06.01 to Version A.07.01..................45

Upgrading from Version A.06.00.x to Version A.07.01.................................................46

Upgrading from Version A.05.x to Version A.07.01......................................................48

Merging the Dictionary File..........................................................................................48

Merging the radius.fsm File.....................................................................................48

Merging the vendors File............................................................................................48

3 Installing and Securing the HP-UX AAA Server.......................................................................49

Acquiring the HP-UX AAA Server Software................................................................49

Installing and Uninstalling the HP-UX AAA Server....................................................49

To Install the HP-UX AAA Server...........................................................................49

Table of Contents 3

To Uninstall the HP-UX AAA Server Software.......................................................50

HP-UX AAA Server File Locations ..............................................................................51

Securing the HP-UX AAA Server..................................................................................55

Changing the Default HP-UX AAA Server Settings ...............................................55

Changing the Default Tomcat User Name and Password..................................55

Changing the Default RMI Objects Secret..........................................................55

Changing the Default test_user Settings............................................................56

Changing the Default localhost Proxy Settings..................................................56

Environment Specific Security Procedures .............................................................56

Using Secure Socket Layer (SSL) for Secured Remote Server Manager

Administration...................................................................................................56

Creating a Tomcat Identity Specifically for the HP-UX AAA Server ................58

Running the HP-UX AAA Server on Hosts with System Hardening

Software..............................................................................................................59

Running the HP-UX AAA Server as a Non-Root User......................................59

Setting Up the HP-UX AAA Server to Start as Non-Root User After Reboot....60

4 Enabling the HP-UX AAA Server for GUI-based Administration................................................62

Accessing the Server Manager......................................................................................62

Starting and Stopping the RMI Objects...................................................................62

Starting and Stopping Tomcat.................................................................................62

Testing the Installation .................................................................................................63

To Test the Installation.............................................................................................63

Starting AAA Servers Using Server Manager...............................................................64

AAA Server Start Options........................................................................................65

Server Manager’s Reload Feature............................................................................66

Starting AAA Servers From the Command Line..........................................................67

Configuring the HP-UX AAA Server to Start Automatically Upon SystemReboot

..................................................................................................................................69

Stopping or Restarting HP-UX AAA Servers...............................................................69

Using Server Manager..............................................................................................70

From the Command Line.........................................................................................70

Adding an HP-UX AAA Server to Your Network........................................................70

II Configuring the HP-UX AAA Server Manager Using the Server Manager GUI ................................72

5 The HP-UX AAA Server Manager Interface.............................................................................76

Commonly Used Icons in the GUI................................................................................77

6 Managing HP-UX AAA Servers.............................................................................................78

Using the Server Connections Screen............................................................................78

Adding a New Server ...................................................................................................78

Modifying Connection Attributes.................................................................................79

Deleting a Server Connection........................................................................................80

Managing Multiple Servers...........................................................................................81

Loading and Saving Your Configuration......................................................................82

4 Table of Contents

7 Configuring RADIUS Clients Using the Access Devices Screen.................................................84

Navigating the Access Devices Screen..........................................................................84

Adding a RADIUS Client..............................................................................................84

Modifying a RADIUS Client’s Properties......................................................................87

Deleting a RADIUS Client.............................................................................................88

8 Configuring Realms.............................................................................................................89

Using the Local Realms Screen.....................................................................................89

Adding a Realm.............................................................................................................89

Modifying Realms.........................................................................................................92

Special Entries...............................................................................................................92

Deleting a Realm...........................................................................................................93

Configuring Realms for Authentication using an External Server...............................94

Configuring Realms for Database Access via SQL..................................................94

Configuring Realms for LDAP ................................................................................96

Modifying a Directory Configuration................................................................98

Deleting a Directory Configuration....................................................................98

Tuning the AAA Server to LDAP Server Connection........................................99

Configuring Realms for Oracle................................................................................99

Configuring the HP-UX AAA Server Using Server Manager..........................100

To Configure and Run the db_srv Daemon .............................................101

Scripts to Start and Stop the HP-UX AAA Server Oracle Daemon.............103

Configuring a SecurID Realm................................................................................103

9 Configuring Proxies...........................................................................................................105

Navigating the Proxy Screen.......................................................................................105

Changing the Default localhost Proxy Settings...........................................................106

Creating or Modifying a Proxy...................................................................................106

Forwarding Authentication Requests From a Proxy Server..................................109

Forwarding Authentication Requests to a Remote Server.....................................110

Changing RADIUS Port Numbers..............................................................................111

Forwarding Requests to Alternate RADIUS Ports.................................................111

Forwarding Accounting Requests...............................................................................111

Proxying Authentication and Accounting Messages to the Same Server...................112

Proxying Accounting Requests to a Central Server....................................................113

Deleting a Proxy..........................................................................................................113

10 Configuring Users............................................................................................................115

Navigating the Users Screen.......................................................................................115

Changing the Default test_user Settings.....................................................................115

Adding a User Profile .................................................................................................116

Tabs on the Add Users Screen................................................................................118

Specifying Attributes Using the Free Attributes Pane......................................118

Adding Users for SecurID Authentication..................................................................119

Modifying User Profiles..............................................................................................119

Deleting a User Profile.................................................................................................120

Table of Contents 5

To Delete a User Profile From the Default users File..........................................120

To Delete a User Profile in a Local Realms File......................................................121

11 Modifying Server Properties..............................................................................................122

Navigating the Server Properties Screen.....................................................................122

DHCP Relay Properties...............................................................................................122

DNS Updates Properties.............................................................................................123

Message Handling Properties.....................................................................................124

SNMP Properties.........................................................................................................125

Enable SNMP Support...........................................................................................125

Tunneling Properties...................................................................................................125

Tunneling Reply Items (Optional).........................................................................126

Certificate Properties...................................................................................................126

File Size Properties......................................................................................................127

Maximum Logfile Size...........................................................................................127

Miscellaneous Properties.............................................................................................127

Permit Microsoft Client Authenticate As Computer.............................................127

Local Users File Properties..........................................................................................128

ProLDAP Properties....................................................................................................128

12 Logging and Monitoring ..................................................................................................129

Overview.....................................................................................................................129

Server Log Files ..........................................................................................................129

Using Server Manager to Retrieve Logfile Information.........................................129

Search Parameters.............................................................................................130

Message Types .................................................................................................131

Using Server Manager to Retrieve Statistics .........................................................131

Accounting Log Files ..................................................................................................132

Using Server Manager to Retrieve Accounting Logfiles........................................133

Format of Accounting Records in the Default Merit Style....................................134

Time-Based Values............................................................................................134

Client A-V Pairs................................................................................................135

User Entry A-V Pairs.........................................................................................135

Session Tracking................................................................................................135

Writing Livingston CDR Accounting Records.......................................................136

Livingston CDR Session Record Format..........................................................137

Changing the Accounting Log Filename...............................................................137

Changing the Accounting Log Rollover Interval...................................................138

Rolling Over the Log File and Accounting Stream................................................138

III Advanced Configuration Information........................................................................................139

13 Securing LAN Access With EAP........................................................................................142

Overview.....................................................................................................................142

The Secure LAN Advisor.......................................................................................142

Preparing Your LAN ...................................................................................................143

Determining the EAP Authentication Method to Use................................................144

6 Table of Contents

Securing WLANs with the HP-UX AAA Server.........................................................146

Digital Certificate Administration...............................................................................147

Using the “Self-Signed” Digital Certificates..........................................................147

Installing Your Own Digital Certificates and Keys................................................148

Installing Server Certificates and Keys.............................................................149

Installing Client Certificates and Keys.............................................................149

Defining Certificate Locations on the HP-UX AAA Server..............................149

14 Managing Sessions.........................................................................................................152

Session Logs.................................................................................................................152

Displaying Session Attributes................................................................................152

Stopping a Session..................................................................................................153

Session Limits..............................................................................................................153

Setting Limits on a User-by-User Basis..................................................................154

Setting Timeout Values.....................................................................................154

Establishing a Filter...........................................................................................154

Limiting Access Points (NAS-Port, NAS-ID, Calling-Station ID, and

others)...............................................................................................................154

Denying Access (Called-Station-ID and others)...............................................155

Limiting Simultaneous Sessions.......................................................................155

Setting Limits for Users on a Global Basis.............................................................156

Setting Limits for All User Profiles Grouped by Realms.................................156

15 Assigning IP Addresses....................................................................................................157

Assigning Static IP Addresses.....................................................................................157

To Assign a Static IP (IPv4) Address to a Profile in Flat Files................................157

To Assign a Static IPv6 Address to a Profile in Flat Files......................................158

To Assign Static Traditional IP (IPv4) Addresses to a User Profile in an LDAP

LDIF File.................................................................................................................160

To Assign Static IPv6 Addresses to a User Profile in an LDAP LDIF File.............161

Assigning Dynamic IP Addresses Using DHCP.........................................................161

16 OATH Standards-Based OTP Authentication.......................................................................162

OTP and OATH Overview..........................................................................................162

HP-UX AAA Server and OATH Support....................................................................163

Components Required to Configure OTP Authentication..........................................164

Configuring OTP Authentication on the HP-UX AAA Server ..................................165

OTP Authentication Configuration Flowchart......................................................165

Basic or Typical Configuration...............................................................................167

Advanced Configuration........................................................................................168

Advanced OTP Authentication Configuration Concepts.................................169

Attributes for Configuring OTP Authentication.........................................172

Advanced Deployment Scenarios.....................................................................177

Validating OTP Alone..................................................................................178

Configuring Two-Factor Authentication.....................................................180

OTP or Password Validation at External RADIUS Server...........................187

Table of Contents 7

Predefined Mapping and Conversion Functions...................................................194

Sample Configuration Files....................................................................................194

The sqlaccess.config Sample File.............................................................194

Sample Policy Files...........................................................................................197

The oath-request-ingress.grp Sample File......................................197

The oath-reply-egress.grp Sample File............................................198

The oath-proxy-egress.grp Sample File............................................199

IV Integrating the HP-UX AAA Server With External Services..........................................................200

17 LDAP Authentication.........................................................................................................204

LDAP Server Compatibility ........................................................................................204

Related LDAP Documentation ...................................................................................204

Authentication with LDAP .........................................................................................204

Configuring the LDAP Server ...............................................................................204

The HP-UX AAA Server LDAP Schema...........................................................205

To Configure Netscape Directory Server v6.....................................................206

To Configure iPlanet Directory Server v5.........................................................206

To Configure OpenLDAP 2.0.x.........................................................................206

18 SQL Access.....................................................................................................................207

SQL Access Overview.................................................................................................207

SQL Access Concepts.............................................................................................208

RADIUS Attribute to SQL Statement Mapping................................................209

Mapping Functions...........................................................................................210

Conversion Functions.......................................................................................210

SQL Action Processing and Result Handling...................................................211

Implementing SQL Access..........................................................................................211

Sample Implementation Files.................................................................................211

sqlaccess.config Sample File....................................................................212

dbsetup.sql Sample File...............................................................................214

Finite State Machine Sample.............................................................................215

Pre-requisites for SQL Access................................................................................215

Database Server and Schema............................................................................215

Database Security........................................................................................216

High Availability.........................................................................................216

Database Client.................................................................................................216

Shared Library Path Configuration.............................................................216

Database Client Connector Libraries................................................................217

SQL Access Implementation Details......................................................................217

sqlaccess.config File Configuration........................................................................218

Database Connection Definition.......................................................................219

SQL Actions......................................................................................................221

Mapping Syntax................................................................................................222

RAD Mapping.............................................................................................223

DBC Mapping..............................................................................................224

8 Table of Contents

DBP Mapping..............................................................................................225

Mapping Functions......................................................................................227

Conversion Functions..................................................................................229

SQL Statement..................................................................................................229

SQL Result Mapping.........................................................................................230

Result Handling for Retrieval Requests......................................................231

Global Definitions.............................................................................................232

Advanced SQL Mapping Configuration................................................................232

Developing Custom Functions.........................................................................233

Null SQL Statements.........................................................................................233

Null Source and Target Mapping.....................................................................234

Time Synchronization.......................................................................................234

Finite State Table Configuration in the FSM.....................................................235

Stored Procedures.............................................................................................236

Administering Users and Tokens Stored in an SQL Database....................................237

Managing Users.....................................................................................................238

Adding Users to an SQL Database...................................................................238

Modifying User Credentials.............................................................................240

Managing Users Using OTP to Authenticate.........................................................241

Importing Tokens into the Database.................................................................241

Assigning Tokens to Users................................................................................242

Assigning a Specific Token to a User...........................................................242

Allocating Any Available Tokens to a User.................................................243

Enrolling Tokens (Procedure for Users)...........................................................243

Synchronizing Tokens (Procedure for Users)...................................................245

Terminating Tokens..........................................................................................246

Viewing User and Token Statistics.........................................................................246

Valid Token Status Values......................................................................................246

Invoking the User Database Administration Manager Interface from Server

Manager.................................................................................................................247

19 Oracle Authentication (Supported Using SQL Access).........................................................248

Related AATV Plug-In Modules And Processes ........................................................248

The db_srv Package ...............................................................................................249

Oracle Compatibility .............................................................................................250

The Oracle Database Structure ...................................................................................250

The Oracle Information Model ..............................................................................250

Table Spaces .....................................................................................................251

User Schema .....................................................................................................251

Tables ................................................................................................................251

Configuring the Oracle Database ..........................................................................251

To Create the AUTH_NET_USERS Table ........................................................251

To Manage User Records in the AUTH_NET_USERS Table ...........................251

Table Structure .......................................................................................................253

Table of Contents 9

Modifying the Table Structure ....................................................................................254

Supported Attributes ..................................................................................................254

20 Simple Network Management Protocol (SNMP) Support.....................................................256

Setting Up SNMP to Monitor the HP-UX AAA Server...............................................256

21 VPN Tunneling................................................................................................................258

Establishing a Tunnel for a User..................................................................................258

22 Using DHCP...................................................................................................................260

Required DHCP Server Features.................................................................................260

Recommended DHCP Server Features..................................................................260

Defining DHCP Address Pools for Specific Users......................................................260

To Associate an Address Pool with a User Profile in AAA Server Flat Files.........260

To Associate an Address Pool with a User Profile in an LDAP LDIF File.............261

Associating Address Pools with Realms and Other Conditions.................................261

23 Using SecurID.................................................................................................................262

Authentication Of Users .............................................................................................262

Configuring SecurID Authentication .........................................................................263

Configuring the AAA Server for RSA SecurID Authentication ...........................263

Configuring the ACE/Server .................................................................................263

Synchronizing the AAA Server with the ACE/Server ..........................................265

Related Documentation ..............................................................................................266

V Customizing the HP-UX AAA Server..........................................................................................267

24 Customizing the HP-UX AAA Server Using the Finite State Machine......................................270

States ...........................................................................................................................270

Using Xstring to call Policy ...................................................................................273

Using Xstring to Call an Alternate authfile ...........................................................273

Event Names ...............................................................................................................273

Predefined Event Names .......................................................................................274

Creating New Names ............................................................................................276

Actions ........................................................................................................................276

FSM Tables.............................................................................................................278

Custom State Tables ....................................................................................................279

Tracking Versions ..................................................................................................279

Examples ...............................................................................................................279

Preprocessing Module .....................................................................................279

Interim Logging .....................................................................................................280

Custom Logging Format .......................................................................................280

Proxy Accounting Messages..................................................................................281

25 Customizing the HP-UX AAA Server Using Policies..............................................................283

Policy Overview..........................................................................................................283

Defining a Policy in a Decision File.............................................................................284

Action Commands.................................................................................................285

The delete Command....................................................................................286

10 Table of Contents

The insert Command....................................................................................287

The modify Command....................................................................................289

The exit Command.........................................................................................290

The log Command...........................................................................................290

The if Command.............................................................................................291

Attribute Specifications..........................................................................................293

Attribute Names...............................................................................................294

Vendor Names..................................................................................................294

Attribute Instance Specifications......................................................................294

No Instance Specification............................................................................294

Numeric Instance Specification...................................................................294

Keyword Instance Specification..................................................................295

Attribute Functions...........................................................................................295

The count Attribute Function....................................................................296

The length Attribute Function..................................................................296

The substr Attribute Function..................................................................296

The tolower Attribute Function................................................................300

The toupper Attribute Function................................................................300

Value Types............................................................................................................301

Supported Operators..............................................................................................302

Operator Precedence and Association..............................................................302

Type Compatibility................................................................................................303

Invoking a Policy.........................................................................................................304

Invoking Policies Through Predefined Policy Hooks............................................304

Request Ingress Policy......................................................................................304

User Policy........................................................................................................305

Invoking Policy from User Profiles.............................................................306

Reply Egress Policy...........................................................................................306

Proxy Egress Policy...........................................................................................307

Proxy Ingress Policy..........................................................................................308

Useful Attributes for Policy Conditions.................................................................309

Modifying the FSM for Specific Customizations ..................................................310

Sample Policy Implementations..................................................................................311

Dynamic Access Control........................................................................................311

Step 1 – Modifying the Default FSM for DAC..................................................311

Step 2 – Defining the DAC Policies...................................................................312

DNIS Routing.........................................................................................................313

Step 1 – Modifying the Default FSM for DNIS Routing...................................313

Step 2 – Defining the DNIS Routing Policies....................................................313

26 Customizing the HP-UX AAA Server Using the SDK.............................................................315

SDK Overview.............................................................................................................315

Migrating Plug-ins Created Using Previous Versions of the SDK..............................317

Prerequisites for Using the SDK..................................................................................317

Table of Contents 11

SDK Directory Structure..............................................................................................317

SDK Concepts..............................................................................................................317

Overview of AATVs...............................................................................................317

AATV Components................................................................................................318

The init Function...........................................................................................318

The action Function..........................................................................................318

The timer or callback Function.........................................................................319

The cleanup Function.......................................................................................319

Creating Plug-ins.........................................................................................................319

Using AATVs to Create a Plug-in..........................................................................320

Compiling and Loading a Plug-in.........................................................................321

Testing and Debugging a Plug-in..........................................................................322

Using the GNU Project Debugger....................................................................322

Using gdb to Debug Your Software Module...............................................322

VI Troubleshooting.....................................................................................................................324

27 Troubleshooting Overview................................................................................................327

AAA Environment Components.................................................................................327

HP-UX AAA Server Operation...................................................................................328

Probable Causes for Failure.........................................................................................330

Configuration Problems.........................................................................................330

External Service Problems......................................................................................330

Protocol Limitations...............................................................................................331

RADIUS Client and Supplicant Considerations....................................................331

28 Troubleshooting Procedures..............................................................................................332

Troubleshooting Flowchart.........................................................................................332

Troubleshooting Flowchart Process.......................................................................334

Troubleshooting the Server Manager Administration Utility.....................................335

Common Problems With the Server Manager.......................................................336

Troubleshooting Server Manager Launch Problems........................................337

Troubleshooting Remote Management Problems............................................338

Troubleshooting the HP-UX AAA Server...................................................................339

Troubleshooting HP-UX AAA Server Startup Problems.......................................339

Common Problems with HP-UX AAA Server Startup.....................................339

Troubleshooting Bind Errors at HP-UX AAA Server Startup.....................342

Troubleshooting an Unresponsive HP-UX AAA Server........................................343

Troubleshooting Common Configuration Problems........................................344

Troubleshooting External Services...................................................................346

Identifying External Service Failures using Logfile Error Messages..........347

Identifying Unrecorded External Datastore Failures..................................351

Identifying Proxy Server Failures................................................................351

Identifying Unrecorded DHCP Failures.....................................................352

Troubleshooting Access-Rejects from the HP-UX AAA Server.............................352

Common Authentication Failure Problems......................................................352

12 Table of Contents

EAP Problems........................................................................................................360

Troubleshooting Provisioning Errors.....................................................................363

29 Troubleshooting Resources................................................................................................364

HP-UX AAA Server Troubleshooting Utilities............................................................364

The radcheck Utility: For Checking the Server Status........................................364

The radpwtst Utility: For Testing Authentication...............................................365

The raddbginc Utility: For Setting Debug Output Levels..................................365

The radsignal Utility: For Rolling Over the Debug Output to New Files.........365

The HP-UX AAA Server Logfile and Debug File........................................................366

The HP-UX AAA Server Logfile............................................................................366

The HP-UX AAA Server Debug File......................................................................366

30 Reporting Problems.........................................................................................................368

Server Set Up Information...........................................................................................368

Server Manager Related Information..........................................................................369

External Components..................................................................................................369

External Databases.................................................................................................369

SNMP Servers.........................................................................................................369

DHCP Servers.........................................................................................................369

OpenSSL.................................................................................................................369

EAP Related Information............................................................................................369

Clients.....................................................................................................................370

Access Points..........................................................................................................370

VII Reference.............................................................................................................................371

31 Configuration Files ..........................................................................................................374

HUP Processing...........................................................................................................374

The aaa.config File.................................................................................................375

Variables in the aaa.config File.........................................................................375

The strict_duplicate_check Variable.....................................................375

The aatv.ProLDAP Property..........................................................................376

The log_threshold_limit and suppression_interval Variables......376

The list_copy_limit Variable....................................................................377

The localUsersFile.FilterType Property.............................................377

The default_users_file_cis_search Property.....................................377

The log_forwarding Variable.......................................................................377

The log_generated_request Variable.......................................................378

The ourhostname Variable.............................................................................378

The packet_log Variable...............................................................................378

The radius_log_fmt Variable.......................................................................379

The reply_check Variable.............................................................................379

OTP Authentication Related Configuration Items................................................379

The clients File........................................................................................................380

Prefixed Users and authfile...............................................................................380

Wildcard Support for IPv4 and IPv6......................................................................381

Table of Contents 13

The users File ............................................................................................................381

Syntax of a User Entry ...........................................................................................382

Syntax of IPv6 Attributes.......................................................................................382

NAS-IPv6-Address...........................................................................................382

Framed-Interface-Id..........................................................................................382

Framed-IPv6-Prefix...........................................................................................383

Framed-IPv6-Route...........................................................................................384

Framed-IPv6-Pool.............................................................................................384

With Tunneling ......................................................................................................384

The dictionary File .................................................................................................385

Attribute Entries ....................................................................................................386

Pruning Expressions ..............................................................................................387

Value Entries ..........................................................................................................388

The las.conf File .....................................................................................................389

LAS Session Timing Parameters ...........................................................................389

Token Pool Configuration .....................................................................................390

Realm Configuration .............................................................................................391

The vendors File .......................................................................................................392

Syntax of a vendors File.......................................................................................392

The log.config File .................................................................................................393

Syntax of a Stream Entry........................................................................................393

Default Entry .........................................................................................................395

End Entry ...............................................................................................................395

Logging Multiple Streams .....................................................................................395

Values Logged by Default.................................................................................395

Examples................................................................................................................396

Livingston Call Detail Record (CDR) Format...................................................396

Multiple Logging Streams ...............................................................................396

Logging Based on attributes.............................................................................397

Accounting Log Based on Attribute Value.......................................................398

Changing the Accounting Log Rollover Interval.............................................399

32 Attribute-Value Pairs.........................................................................................................400

Specifying Attribute-Value Pairs.................................................................................400

Attribute-Value Formats........................................................................................400

Examples................................................................................................................401

Tagged Attributes ..................................................................................................401

Attributes in User Profiles...........................................................................................401

Configuration Attributes........................................................................................402

Local Authorization Service (LAS) Configuration...........................................403

Simultaneous-Use Attribute........................................................................404

Attributes Concerning OTP Authentication...............................................404

Check (and Deny) Items..............................................................................................404

14 Table of Contents

Attributes Concerning the NAS.............................................................................404

Policy Attributes.....................................................................................................405

Other Attributes.....................................................................................................406

Reply Items..................................................................................................................406

General Attributes..................................................................................................408

Attributes Concerning Login Users.......................................................................409

Attributes for Framed Users..................................................................................410

Tunneling Attributes..............................................................................................411

Other Attributes.....................................................................................................414

Attributes in Accounting Records...............................................................................415

Additional Session Information.............................................................................415

33 MIB Objects...................................................................................................................419

MIB Objects..................................................................................................................419

A Supported IETF RFCs..............................................................................................................424

B Supported Authentication Methods...........................................................................................426

C RADIUS Data Packets.............................................................................................................428

Data Packet Format...........................................................................................................428

Attribute-Value Pair Format .......................................................................................428

D Header Files, Data Structures, and APIs in the HP-UX AAA Server SDK........................................430

Header Files and Data Structures in the SDK...................................................................430

APIs in the HP-UX AAA Server SDK...............................................................................430

A-V Pair APIs..............................................................................................................431

sdk_avp_t *sdk_avp_allocate()..............................................................................431

void sdk_avp_free()................................................................................................431

int sdk_get_avp_info()...........................................................................................431

int sdk_set_avp()....................................................................................................432

int sdk_set_vend_avp()..........................................................................................432

Authreq APIs...............................................................................................................433

sdk_avp_t *sdk_find_avp()....................................................................................433

sdk_avp_t *sdk_find_vend_avp()..........................................................................434

int sdk_del_avp()....................................................................................................435

int sdk_insert_avp()...............................................................................................435

int sdk_get_authreq_info().....................................................................................436

Logging APIs...............................................................................................................438

int sdk_logit().........................................................................................................438

int sdk_log_debug()...............................................................................................439

Asynchronous Event and I/O APIs.............................................................................440

int sdk_pollfd_register().........................................................................................440

int sdk_pollfd_unregister()....................................................................................440

int sdk_schedule_event()........................................................................................441

Secondary APIs............................................................................................................441

sdk_authreq_t *sdk_get_authreq_by_id()..............................................................441

char *sdk_get_config_dir().....................................................................................442

Table of Contents 15

int sdk_set_authreq()..............................................................................................442

int sdk_get_client_info().........................................................................................442

int sdk_decrypt_passwd()......................................................................................443

int sdk_encrypt_passwd()......................................................................................444

E Syntax of the Decision Files in Earlier Versions of the HP-UX AAA Server......................................445

Expressions ......................................................................................................................445

Specifying Attributes in Group Entries ...........................................................................446

Dynamic Access Control ............................................................................................446

Internal Values ............................................................................................................447

Using Indirection .............................................................................................................447

Example Group Entries ....................................................................................................448

DNIS.grp for DNIS Routing........................................................................................448

DAC.grp for Dynamic Access Control.......................................................................449

Glossary of Terms......................................................................................................................452

Index........................................................................................................................................458

16 Table of Contents

List of Figures

1-1 Typical AAA Network Topology................................................................................32

1-2 Client-Server RADIUS Transaction.............................................................................33

1-3 Authentication Process................................................................................................36

1-4 Default Action Sequence.............................................................................................38

1-5 Authentication Steps...................................................................................................39

1-6 Authorization Steps....................................................................................................41

4-1 Return Value After Successfully Starting a AAA Server............................................65

4-2 Server Manager’s Start Options Screen.......................................................................65

4-3 Algorithm for Determining Which FSM to Load........................................................69

5-1 The HP-UX AAA Server Manager User Interface......................................................76

6-1 Server Manager’s Connected Server Screen................................................................78

6-2 The Add Connection Screen........................................................................................79

6-3 The Modify Connection Screen...................................................................................80

6-4 The Delete Server Connections Screen........................................................................81

6-5 Server Manager’s Server Status Frame........................................................................81

6-6 Server Manager’s Load Configuration Screen............................................................83

6-7 Server Manager’s Save Configuration Screen.............................................................83

7-1 Server Manager’s Access Device Screen.....................................................................84

7-2 Server Manager’s Access Device Attributes Screen....................................................85

7-3 The Delete Access Device Screen................................................................................88

8-1 Server Manager’s Local Realms Screen.......................................................................89

8-2 Server Manager’s Local Realm Attributes Screen.......................................................90

8-3 The Delete Local Realm Screen...................................................................................94

8-4 User Storage Parameters for Database Access via SQL..............................................95

8-5 New Oracle Server Screen.........................................................................................100

9-1 Proxy Configuration..................................................................................................105

9-2 Server Manager’s Proxy Screen.................................................................................106

9-3 Server Manager’s Proxy Attributes Screen................................................................107

9-4 The Delete Proxy Screen............................................................................................114

10-1 Server Manager’s Users Screen.................................................................................115

10-2 The Add Users Screen...............................................................................................117

10-3 The Modify Users Screen..........................................................................................120

10-4 The Delete Users Screen............................................................................................121

11-1 Server Manager’s Server Properties Screen...............................................................122

12-1 Server Manager’s Logfile Screen...............................................................................130

12-2 Server Manager’s Statistics Screen............................................................................132

12-3 AAA Server Statistics Example.................................................................................132

12-4 Accounting Logfile Search Screen in Server Manager .............................................133

12-5 Detailed Accounting Record for a Selected User......................................................134

13-1 The Secure LAN Advisor For Securing WLANs......................................................143

13-2 Server Manager’s Certificate Properties Screen........................................................150

14-1 Sessions Search Filter Screen.....................................................................................152

14-2 Example Return for a Sessions Search ......................................................................153

14-3 Example of a Session’s Attributes..............................................................................153

15-1 The Users Screen.......................................................................................................157

15-2 The Framed User Attributes Form............................................................................158

15-3 The Users Screen.......................................................................................................159

15-4 The Framed User Attributes Form............................................................................160

16-1 OATH Standards-Based OTP Authentication Flow and the HP-UX AAA Server....163

16-2 OTP Authentication Configuration Flowchart.........................................................167

16-3 Usage of Bit Masks to set OTP Authentication Actions............................................170

18-1 SQL Access Components...........................................................................................208

18-2 RADIUS Attribute to SQL Statement Mapping........................................................210

18-3 The User Database Administration Manager ..........................................................238

18-4 The Add User Screen.................................................................................................239

18-5 The Token Validate Screen........................................................................................242

18-6 The Enroll Token Screen............................................................................................244

18-7 The Synchronize Token Screen..................................................................................245

18-8 The User Statistics Screen..........................................................................................246

19-1 Authentication Process with Oracle..........................................................................249

19-2 Oracle Database Table Format...................................................................................253

23-1 SecurID Add Client Screen........................................................................................264

23-2 SecurID Edit Client Screen........................................................................................265

24-1 Default FSM State Transitions...................................................................................271

25-1 Flow of the Request Ingress Policy............................................................................305

25-2 Flow of the User Policy..............................................................................................306

25-3 Flow of the Reply Egress Policy................................................................................307

25-4 Flow of the Proxy Egress Policy................................................................................308

25-5 Flow of the Proxy Ingress Policy...............................................................................309

26-1 SDK Plug-in Example................................................................................................316

27-1 AAA Environment Components...............................................................................328

27-2 HP-UX AAA Server Operation.................................................................................329

28-1 Troubleshooting Flowchart.......................................................................................333

C-1 RADIUS Request/Reply Message Format.................................................................428

C-2 Attribute-Value Pair Format......................................................................................429

18 List of Figures

List of Tables

1 HP-UX AAA Server Administrator’s Guide Printing History...................................25

2 HP-UX 11i Releases.....................................................................................................26

1-1 Commands, Utilities, and Daemons...........................................................................37

1-2 How Requests are Altered Using the proxy-egress and proxy-ingress Policies........42

3-1 File Locations Upon Installation.................................................................................51

3-2 Files Generated During Operation..............................................................................54

3-3 Ports Associated with RMI Objects that must be Configured....................................59

4-1 Server Start Options....................................................................................................66

4-2 radiusd Options..........................................................................................................67

4-3 New Server Connection Screen Fields........................................................................70

6-1 Fields in the Connection Attributes Form...................................................................79

6-2 Icons in Server Manager’s Server Status Frame..........................................................82

7-1 Add Access Device Configuration Form Options......................................................86

8-1 Fields in the Local Realm Attributes Form.................................................................90

8-2 Special Entries.............................................................................................................93

8-3 Values for Configuring Realms for LDAP..................................................................96

8-4 Options......................................................................................................................103

9-1 Proxy Configuration Options....................................................................................108

9-2 Options for Forwarding Requests.............................................................................110

9-3 Accounting Logging Options....................................................................................112

10-1 General Attributes in the Add User Screen...............................................................117

11-1 DHCP Relay Properties.............................................................................................123

11-2 DNS Update Properties.............................................................................................124

11-3 Message Handling Properties...................................................................................124

11-4 Certificate Path Properties.........................................................................................126

11-5 ProLDAP Properties..................................................................................................128

12-1 Filter Parameters for Searching Logfiles...................................................................130

12-2 Statistic Search Parameters .......................................................................................132

12-3 Accounting Logfile Search Parameters ....................................................................133

12-4 Reasons Why The Record Was Generated................................................................135

13-1 LAN Configuration Items.........................................................................................144

13-2 Supported EAP Methods and Their Features...........................................................146

16-1 Bit Masks to Configure OTP Authentication Tasks..................................................169

16-2 Common OTP Authentication Actions.....................................................................171

16-3 Attributes for Configuring OTP Authentication.......................................................172

16-4 System-Wide OTP Configuration Items....................................................................175

16-5 SQL actions and Stored Procedures that Support OTP Authentication...................195

17-1 The HP-UX AAA Server LDAP Schema...................................................................205

18-1 The sqlaccess.config Sample File.....................................................................212

18-2 Database Access Parameters.....................................................................................220

18-3 Input Mapping Data Types and Syntax....................................................................222

18-4 Output Mapping Data Types and Syntax.................................................................223

18-5 RAD Mapping Parameters........................................................................................223

18-6 DBC Mapping Parameters.........................................................................................225

18-7 DBP Mapping Parameters.........................................................................................226

18-8 Pre-defined Mapping Functions...............................................................................228

18-9 Pre-defined Conversion Functions............................................................................229

18-10 Fields in the Add Users Form...................................................................................239

18-11 Fields in the Enroll Token Device Form....................................................................244

18-12 Fields in the Synchronize Token Form......................................................................246

18-13 Valid Token Status Values.........................................................................................247

19-1 Files Related to db_srv..............................................................................................250

19-2 AUTH_NET_USERS Table........................................................................................254

24-1 Predefined Event Names...........................................................................................274

24-2 Available Actions.......................................................................................................277

24-3 Predefined FSM Tables..............................................................................................278

25-1 Examples Illustrating the Use of the delete Command.........................................286

25-2 Behavior of the insert Command in Various Scenarios........................................288

25-3 Examples Illustrating the Use of the insert Command.........................................288

25-4 Examples Illustrating the Use of the modify Command.........................................289

25-5 A-V Pair Expression Operators.................................................................................302

25-6 Compatible Attribute Types......................................................................................304

25-7 Attributes Typically Used in Policy Group Conditions and Replies........................309

25-8 Interlink-specific Attributes Used by DAC...............................................................311

28-1 Common Problems with the Server Manager...........................................................336

28-2 Common Problems with HP-UX AAA Server Startup.............................................339

28-3 Common Configuration Problems............................................................................344

28-4 External Service Failure Problems............................................................................347

28-5 Common Authentication Failure Problems..............................................................353

28-6 EAP Problems............................................................................................................361

29-1 Debugging Levels in the HP-UX AAA Server..........................................................367

31-1 Default LAS Session Timing Parameters..................................................................390

31-2 Information Recorded by LOG_V2_o.......................................................................395

32-1 Reply Item Attributes................................................................................................406

32-2 Session Termination Causes......................................................................................416

33-1 MIB Objects and Definitions.....................................................................................419

A-1 Supported IETF RFCs................................................................................................424

A-2 Additional IETF RFCs Supported by HP-UX AAA Server.......................................424

A-3 AAA RFCs Supported by HP-UX AAA Server.........................................................425

C-1 RADIUS Request/Reply Message Format Description ............................................428

C-2 Attribute Value Pair Format Description .................................................................429

D-1 Actions Performed as a Result of the loc_avp A-V Pair.............................................436

D-2 Information Types.....................................................................................................437

D-3 HP-UX AAA Server Debug Levels............................................................................439

D-4 Possible Values of the infotype Parameter..................................................................443

20 List of Tables

E-1 A-V Pair Expression Operators.................................................................................445

E-2 A-V Pair Expression Examples..................................................................................446

List of Examples

18-1 Define the Oracle Database Connection Parameters................................................221

18-2 Define the MySQL Database Connection Parameters...............................................221

18-3 User and Password Input and Output Mappings.....................................................227

18-4 SQL Statement to Delete a Row................................................................................230

18-5 SQL Statement with Result Mapping - OCI..............................................................232

18-6 SQL Action with Null Source and Target Mappings................................................234

18-7 Timestamp Synchronization.....................................................................................235

18-8 FSM with Accounting Log via SQL Access...............................................................236

18-9 Remove Session Stored Procedure Definition...........................................................237

25-1 An example of a policy file that restricts Session-Timeout to one hour for guests,

removes unwanted attributes, and provides administrative privileges to

administrators...........................................................................................................285

25-2 Examples Illustrating the Use of the if Command..................................................293

25-3 Examples Illustrating the Use of the offset Keyword...........................................298

25-4 Examples Illustrating the Use of the before Keyword...........................................299

25-5 Examples Illustrating the Use of the after Keyword.............................................300

25-6 Examples Illustrating Precedence Rules...................................................................303

26-1 Example of a Pre-Paid Billing Application Using a Plug-in Created Using the HP-UX

AAA Server SDK.......................................................................................................316

31-1 Examples of NAS-IPv6-Address Attribute Syntax...................................................382

31-2 Examples of Framed-Interface-Id Attribute Syntax..................................................383

31-3 Examples of Framed-IPv6-Prefix Attribute Syntax...................................................383

31-4 Examples of Login-IPv6-Host Attribute Syntax.......................................................384

31-5 Example of a Framed-IPv6-Route Attribute Syntax.................................................384

31-6 Example of a Framed-IPv6-Pool Attribute Syntax....................................................384

22 List of Examples

About This Document

This document provides an overview of the HP-UX AAA Server and describes how to configure, administer, and troubleshoot the product. This document does not cover installing the product.

The document printing date and part number on the cover indicate the document’s current edition. The printing date and part number changes when a new edition is printed. Minor changes can be made at reprint without changing the printing date. The document part number will change when extensive changes are made.

Document updates may be issued between editions to correct errors or document product changes. To ensure that you receive the updated or new editions, subscribe to the appropriate product support service. Contact your HP sales representative for details.

The latest version of this document is available at:

http://www.docs.hp.com/en/internet.html#AAA%20Server%20%28RADIUS%29.

Intended Audience

This document is intended for HP-UX AAA Server administrators who understand the HP-UX operating system.

New and Changed Information in This Edition

The following additions and changes have been made for this edition:

• Includes a new chapter called “OATH Standards-Based OTP Authentication” that

describes OATH standards-based authentication and procedures for configuring OATH standards-based OTP and two-factor authentication.

• Includes a new section called “Administering Users and Tokens Stored in an SQL

Database” that describes how to use the User Database Administration tool to

manage users and tokens stored in an SQL database.

• Includes a new chapter called “Customizing the HP-UX AAA Server Using Policies”

that describes the advanced policy syntax for decision files.

• Includes a new chapter called “Customizing the HP-UX AAA Server Using the

SDK” that describes how to use the SDK to customize the HP-UX AAA Server.

Additionally, Appendix D (page 430) describes the new header files and APIs included in the SDK

Other minor changes have been made through the document, as required.

Intended Audience 23

Document Organization

The HP-UX AAA Server A.07.01 Administrator's Guide is organized as follows:

• Part I — Introduction provides general information about the HP-UX AAA Server

product and the RADIUS protocol. It also describes how to secure your HP-UX AAA Server installation.

• Part II — Configuring the HP-UX AAA Server Manager Using the Server Manager

GUI describes how to use the Server Manager to administer your AAA

environment.

• Part III— Advanced Configuration Information provides information on advanced

topics, such as securing LAN access using EAP, session management, assigning IP addresses, and configuring OTP and two-factor authentication.

• Part IV — Integrating the HP-UX AAA Server With External Services describes

how tointegrate the HP-UX AAA Server with external services such as Lightweight Directory Access Protocol (LDAP), SQL Access, Oracle, Dynamic Host Configuration Protocol (DHCP), Simple Network Management Protocol (SNMP), and Virtual Private Network (VPN).

• Part V — Customizing the HP-UX AAA Server describes how to customize the

HP-UX AAA Server to meet various deployment scenarios.

• Part VI — Troubleshooting provides guidelines and error messages to help

troubleshoot issues with the HP-UX AAA Server.

• Part V— Reference provides information to supplement the task-based information

in the previous parts of the document. Use the information in this section to learn more about non-task-based topics such as configuration files, and attribute-value pairs.

• Appendix A (page 424) lists all the RFCs that are supported by the HP-UX AAA

Server.

• Appendix B (page 426) lists and describes all the authentication methods that are

supported by the HP-UX AAA Server.

• Appendix C (page 428) provides information about the RADIUS data packet format.

• Appendix D (page 430) lists and describes all the header files, data structures, and

APIs included in the HP-UX AAA Server SDK.

• Appendix E (page 445) discusses the syntax of decision files that are supported by

previous versions of the HP-UX AAA Server.

Publishing History

The following table shows the printing history of this document. The first entry in the table corresponds to the current edition, and previous editions are listed in reverse chronological order.

Table 1 HP-UX AAA Server Administrator’s Guide Printing History

Document Part Number

Document Release Date (month/year)

Typographic Conventions

This document uses the following typographical conventions: audit(5) An HP-UX manpage. In this example, audit is the name and 5 is the

section in the HP-UX Reference. On the web and on the Instant Information CD, it may be a link to the manpage itself. From the HP-UX command line, you can enter “man audit” or “man 5

audit” to view the manpage. See man( 1).

Book Title The title of a book. On the web and on the Instant Information CD,

it may be a link to the book itself.

KeyCap The name of a keyboard key. Note that Return and Enter both refer

to the same key.

Emphasis Text that is emphasized.

Emphasis Text that is strongly emphasized. Term The defined use of an important word or phrase.

ComputerOut

UserInput

Command

Variable

[ ] The contents are optional in formats and command descriptions. If

Text displayed by the computer. Commands and other text that you type. A command name or qualified command phrase. The name of a variable that you may replace in a command or

function or information in a display that represents several possible values.

the contents are a list separated by |, you can choose one of the items.

Supported OSSupports Software Version

HP-UX 11i v1, 11i v2, 11i v3A.07.0103/08T1428-90066

HP-UX 11i v1, 11i v2, 11i v3A.07.0009/07T1428–90064

HP-UX 11i v1, 11i v2A.07.0009/065991-6434

HP-UX 11i v1, 11i v2A.06.0211/05T1428-90061

HP-UX 11.00, 11i v1, 11i v2A.06.01.x01/04T1428-90050

HP-UX 11.00, 11i v1A.06.01.x10/03T1428-90042

HP-UX 11.00, 11i v1A.06.00.0804/03T1428-90025

HP-UX 11.00, 11i v1A.06.00.0702/03T1428-90014

HP-UX 11.00, 11i v1A.05.01.0106/02T1428-90001

Typographic Conventions 25

{ } The contents are required in formats and command descriptions. If

the contents are a list separated by |, you can choose one of the items. ... The preceding element can be repeated an arbitrary number of times. | Separates items in a list of choices.

HP-UX Release Name and Release Identifier

Each HP-UX 11i release has an associated release name and release identifier. The uname(1) command with the -r option returns the release identifier. The following table lists the releases available for HP-UX 11i.

Table 2 HP-UX 11i Releases

Related Information

In addition to this document, additional information about the HP-UX AAA server can be found in the Internet and Security Solutions collection under AAA Server (RADIUS) at:

http://www.docs.hp.com/en/internet.html#AAA%20Server%20%28RADIUS%29

Release NameRelease Identifier

HP-UX 11i v1B.11.11

HP-UX 11i v2B.11.23

HP-UX 11i v3B.11.31

HP Encourages Your Comments

HP encourages your comments concerning this document. We are committed to providing documentation that meets your needs.

Send your comments to: netinfo_feedback@cup.hp.com

Include thedocument title, manufacturing part number, and any comment, error found, or suggestion for improvement you have concerning this document.

Part I Introduction

This part of the HP-UX AAA Server Administrator’s Guide contains the following chapters:

• Chapter 1: “Overview: The HP-UX AAA Server ” (page 30)

• Chapter 2: “Upgrading to Version A.07.01” (page 45)

• Chapter 3: “Installing and Securing the HP-UX AAA Server” (page 49)

• Chapter 4: “Enabling the HP-UX AAA Server for GUI-based Administration” (page 62)

Table of Contents

1 Overview: The HP-UX AAA Server .............................................................................................30

RADIUS Topology .............................................................................................................31

Establishing a RADIUS Session..........................................................................................32

Product Structure................................................................................................................34

HP-UX AAA Server Daemon, Libraries, and Utilities .................................................34

HP-UX AAA Server Manager Program .......................................................................34

Documentation..............................................................................................................34

HP-UX AAA Server Architecture ......................................................................................35

Configuration Files .......................................................................................................36

AATV Plug-Ins .............................................................................................................36

The Software Engine: Finite State Machine ..................................................................36

HP-UX AAA Server Commands, Utilities and Daemons..................................................37

Handling an Access Request..............................................................................................37

Authentication to Verify the Client and User ...............................................................38

Authorization to Control Sessions and Access to Services ..........................................40

Authorization Steps ................................................................................................41

Session Logs For Accounting .............................................................................................44

IPv6 Support for External Services.....................................................................................44

2 Upgrading to Version A.07.01...................................................................................................45

The HP-UX AAA Server Upgrade Process.........................................................................45

Upgrading from Versions A.07.00, A.06.02, or A.06.01 to Version A.07.01........................45

Upgrading from Version A.06.00.x to Version A.07.01.......................................................46

Upgrading from Version A.05.x to Version A.07.01...........................................................48

Merging the Dictionary File................................................................................................48

Merging the radius.fsm File...........................................................................................48

Merging the vendors File.................................................................................................48

3 Installing and Securing the HP-UX AAA Server.............................................................................49

Acquiring the HP-UX AAA Server Software.....................................................................49

Installing and Uninstalling the HP-UX AAA Server..........................................................49

To Install the HP-UX AAA Server.................................................................................49

To Uninstall the HP-UX AAA Server Software.............................................................50

HP-UX AAA Server File Locations ....................................................................................51

Securing the HP-UX AAA Server.......................................................................................55

Changing the Default HP-UX AAA Server Settings ....................................................55

Changing the Default Tomcat User Name and Password.......................................55

Changing the Default RMI Objects Secret...............................................................55

Changing the Default test_user Settings..................................................................56

Changing the Default localhost Proxy Settings.......................................................56

Environment Specific Security Procedures ..................................................................56

28 Table of Contents

Using Secure Socket Layer (SSL) for Secured Remote Server Manager

Administration.........................................................................................................56

Creating a Tomcat Identity Specifically for the HP-UX AAA Server .....................58

Running the HP-UX AAA Server on Hosts with System Hardening Software......59

Running the HP-UX AAA Server as a Non-Root User............................................59

Setting Up the HP-UX AAA Server to Start as Non-Root User After Reboot.........60

4 Enabling the HP-UX AAA Server for GUI-based Administration......................................................62

Accessing the Server Manager............................................................................................62

Starting and Stopping the RMI Objects.........................................................................62

Starting and Stopping Tomcat.......................................................................................62

Testing the Installation .......................................................................................................63

To Test the Installation...................................................................................................63

Starting AAA Servers Using Server Manager....................................................................64

AAA Server Start Options.............................................................................................65

Server Manager’s Reload Feature..................................................................................66

Starting AAA Servers From the Command Line...............................................................67

Configuring the HP-UX AAA Server to Start Automatically Upon System Reboot

.......................................................................................................................................69

Stopping or Restarting HP-UX AAA Servers.....................................................................69

Using Server Manager...................................................................................................70

From the Command Line..............................................................................................70

Adding an HP-UX AAA Server to Your Network.............................................................70

Table of Contents 29

1 Overview: The HP-UX AAA Server

The Remote Authentication Dial In User Service (RADIUS) protocol defines a standard for information exchange between a network device or software application and an authentication, authorization, and accounting (AAA) server to manage and track user access to network services.

A RADIUS AAA server provides authentication (verifying user credentials), authorization (supplyingprovisioning information for the user), and accounting (storage of usage information into accounting logs) services to devices and software applications (AAA clients) that support the IETF RADIUS standards.

The AAA or RADIUS client is the access device or application that acts as an enforcement point to control access to a resource. The user device itself or application requesting access to the resource is referred to as the supplicant.

30 Overview: The HP-UX AAA Server

RADIUS Topology

The RADIUS protocol follows the client-server architecture. The client sends user information to the AAA server using Access-Request or accounting-Request messages. The AAA server processes the request locally, or, if acting as a proxy server, forwards (proxies) the request to a secondary RADIUS Server.

When processing a RADIUS request locally, the AAA server can utilize additional external services (LDAP, external database access, DHCP, and so on.) to service the request.

The processing of RADIUS requests is usually configured on a per-realm basis. A realm is a group of users sharing a common component in the Network Access Identifier (NAI) attribute in the RADIUS request (for example,"example.org" is the realm component for "username@example.org").

In Figure 1-1 (page 32), a sample Internet Service Provider (ISP) uses four AAA servers to handle user requests. User organizations are grouped into realms. Each user connects to one of the ISP's servers through a local Network Access Server (NAS). The NAS sends a RADIUS Access-Request containing the user's credentials to one of the AAA servers. In turn, theAAA server accesses userand policy information from the repository specified for the user's realm. The repository can be in flat text files associated with the AAA Server, an external database or LDAP Server, or an HP-UX Unix user repository.

When authenticating users stored in replicated LDAP directory servers or databases, the server can be configured to perform load balancing and failover to achieve greater scalability and availability.

RADIUS Topology 31

Figure 1-1 Typical AAA Network Topology

Establishing a RADIUS Session

A RADIUSsession tracks the life of a user session through a series of message exchanges. RADIUS sessions are used to limit simultaneous access to a resource for users who share the same credential, and to manage the allocation and release of IP addresses acquired on behalf of the user by the AAA server. Figure 1-2 (page 33) illustrates the transaction between a RADIUS AAA server and a client:

32 Overview: The HP-UX AAA Server

Figure 1-2 Client-Server RADIUS Transaction

When the user's device connects to the client, the client sends a RADIUS Access-Request to the AAA server. When the server receives the request, it validates the sending client. If the client is permitted to send requests to the server, the server then takes information from the Access-Request and attempts to match the request to a user profile. If all conditions are met, the server sends an Access-Accept packet to the client; otherwise, the server sends an Access-Reject packet. An Access-Accept data packet often includes authorization information that specifies the services the user can access and other session information, such as a timeout value that indicates when the user must be disconnected from the system.

When the client receives an Access-Accept packet, it generates an Accounting-Request to start the session and send the request to the server. The Accounting-Request data packet describes the type of service being delivered and the user of the service. The server then responds with an Accounting-Response to acknowledge that the request was successfully received and recorded. The user's session ends when the client generates an Accounting-Request that is triggered by the user, the client, or an interruption in service-to stop the session. The server acknowledges the Accounting-Request with an Accounting-Response.

Establishing a RADIUS Session 33

Product Structure

The HP-UX AAA Server is based on the client-server architecture. The HP-UX AAA Server consists of the following components:

• HP-UX AAA Server daemon, libraries, and utilities

• The AAA Server Manager program that performs administration and configuration

tasks from a web browser for one or more AAA servers

• Documentation (Administrator’s Guide, READMEs, and the Secure LAN Advisor

help system)

NOTE: To secure the communication between the Server Manager and HP-UX AAA

Server, install the Server Manager and the HP-UX AAA Server in a secure network.

HP-UX AAA Server Daemon, Libraries, and Utilities

The server daemon, libraries, and utilities perform the authentication, authorization, and accounting functions while processing requests. The HP-UX AAA Server also includes the AAA RMI objects. The RMI objects provide communication between the HP-UX AAA Server and the HP-UX Tomcat-based Servlet Engine which hosts the HP-UX AAA Server Manager.

HP-UX AAA Server Manager Program

The HP-UX AAA Server Manager utilizes the HP-UX Tomcat-based Servlet Engine to provide a configuration interface between a web browser and one or more HP-UX AAA Servers. The Server Manager is used for configuring and managing the servers. In addition, the Server Manager can retrieve logged server sessions and accounting information for an administrator. By specifying a set of HP-UX AAA Servers, the Server Manager can be used to manage a group of HP-UX AAA Servers with a common configuration.

Documentation

The following documentation is accessible through the Server Manager:

• Context-sensitive help on the Server Manager's buttons and options

• A Secure LAN Advisor help system to guide you through securing your Wireless

Local Area Networks (WLANs) with the HP-UX AAA Server. The Secure LAN Advisor provides information only; it does not edit configuration files

• The HP-UX AAA Server Administrator's Guide in .pdf format. Use this document

for step-by-step instructions on configuring the HP-UX AAA Server.

34 Overview: The HP-UX AAA Server

IMPORTANT: For the most recent product documentation, see http://

www.docs.hp.com.

HP-UX AAA Server Architecture

The HP-UX AAA Server architecture consists of the following components:

• Configuration files. Files to provide the information necessary for the server to

perform authentication, authorization, and accounting requests for your system. In most cases, these files can be modified by using the Server Manager.

• AATV plug-ins. Dynamically loaded libraries that perform discrete actions, such

as initiating an authentication request, replying to an authentication request, or logging an accounting record.

• The radiusd software engine, which includes the Finite State Machine (FSM) and

associated routines. At server startup, the FSM reads instructions from the state table in the /etc/opt/aaa/radius.fsm configuration file. The state table outlines what AATV actions to call and what order to call them in.

When the server is initialized, it loads and initializes the AATV plug-ins. It also reads the configuration files to initialize the data required for the actions to execute according to the application's requirements.

Figure 1-3 illustrates the general process of server initialization and response to an

authentication request.

HP-UX AAA Server Architecture 35

Figure 1-3 Authentication Process

Configuration Files

For detailed information on the server configuration files, Chapter 31: “Configuration

Files ” (page 374).

AATV Plug-Ins

An AATV plug-in defines the actions that perform a variety of functions, including authenticating requests, authorization, and logging. Built-in actions support authentication of users using information from several different repositories, and accounting requests using several different polices and storage formats.

For more information on these built-in actions, see “Actions ” (page 276)

The Software Engine: Finite State Machine

The Finite State Machine (FSM) controls the step-by-step process that the server follows to process and respond to an authentication request. You can configure the FSM to customize your server configuration without programming software modules. For

36 Overview: The HP-UX AAA Server

more information on the Finite State Machine, see Chapter 24: “Customizingthe HP-UX

AAA Server Using the Finite State Machine” (page 270).

HP-UX AAA Server Commands, Utilities and Daemons

Table 1-1 provides an overview of the HP-UX AAA Server commands, utilities, and

daemons.

Table 1-1 Commands, Utilities, and Daemons

DescriptionCommand

radcheck

raddbginc

radsignal

radiusd

radpwtst

db_srv

Sends RADIUS status and protocol requests to a AAA server and displays the replies. Receiving the reply confirms that the HP-UX AAA Server is operational. The radcheck utility can be invoked on any host by any user. However the HP-UX AAA Server returns more information to registered clients.

Sets debug logging level for the HP-UX AAA Server running correctly. Turn debugging on and off, or set the levelof outputwhile theAAA Server is running.

Rolls over the server log file and accounting stream while the AAA Server is running.

RADIUS server daemon. Services user authentication and accounting requests from RADIUS clients. Authentication and accounting requests are transmitted to the radiusd daemon in theform of UDP packets that conform to the RADIUS protocol. Theradiusd daemon can be startedfrom the Server Manager, command line, or at boot time using the /etc/rc.config.d/radiusd.conf file.

RADIUS client utility that can process commands to send requests to and check responses from a RADIUS server.

Deprecated. Performs Oracle database access operations for authentication on behalf of one or more remote HP-UX AAA Servers.

Handling an Access Request

When the HP-UX AAA server receives a RADIUS message, it calls the FSM and defines a starting event according to the type of message. This event is stored in the Interlink-Proxy-Action attribute. In the default FSM, the first action for all requests is request-ingress POLICY. If this POLICY is executed successfully, the next action is determined by the event stored in Interlink-Proxy-Action. By default, for an Access-Request this action is iaaaUsers. Figure 1-4 (page 38) shows how the FSM actions interact to process the Access-Request for authentication and authorization.

HP-UX AAA Server Commands, Utilities and Daemons 37

Figure 1-4 Default Action Sequence

Authentication to Verify the Client and User

The authentication of an access request has a number of distinctive steps, as shown in

Figure 1-5 (page 39). The rounded rectangles represent configuration files that the

HP-UX AAA Server uses and the ovals represent one or more authentication types.

38 Overview: The HP-UX AAA Server

Figure 1-5 Authentication Steps

Authentication Steps

Following lists the authentication steps followed by the HP-UX AAA Server:

1. After the HP-UX AAA server receives an Access-Request, it attempts to match the client making the request to an entry in the clients file. The server attempts to authenticate a request only if a match can be made.

Handling an Access Request 39

2. The iaaaUsers action checks the local users file. In this step, the User-Name

attribute value from the Access-Request is used to find an entry for the user in the /etc/opt/aaa/users file.

• If User-Name matches an entry, the server retrieves that profile and then

authentication moves to step 5.

• If User-Name does not match an entry, authentication moves to step 3.

3. If the iaaaUsers action does not find a matching user profile in the users file, the FSMcalls the iaaaRealm action. The iaaaRealm action parses the User-Name attribute value for a realm name, and searches authfile to determine the data store where the user profiles for the parsed realm are located. A default entry can be used to handle any realms that are not explicitly configured in authfile.

NOTE: If no realm is specified in the NAI, the server assigns the value NULL for

the realm. You can configure NULL realm behavior in the same manner as named realms.

4. The iaaaRealmaction calls another action that attempts to retrieve a matching user profile from the data store for the realm, as indicated by authfile:

• A realm-specific AAA users file;

• An external data store, such as LDAP or a database;

• A Unix user profile service via the getpwent() system call.

If the realm is defined as a proxy, the RADIUS request is forwarded to the target RADIUS server defined for this realm.

5. The user is authenticated according to the protocol established by the Access-Request. If a password-based protocol(PAP,CHAP, MSCHAP) is specified, the user's password is verified. If an EAP method is used, mutual authentication is carried out according to the EAP type (PEAP, TLS, TTLS, or LEAP).

If User-Name matches no entry, either in a local text file or an external data source, the authentication fails.

Authorization to Control Sessions and Access to Services

The HP-UX AAA server can authorize users using one of the following methods:

• Provisioning on a user-by-user basis with check items and by adding reply items

to an Access-Accept message (simple policy)

• Through Local Authorization Server (LAS) functions based on realms

• Through stored policy decisions based on other logical groups that can add check

and reply items to the request

Like authentication, the authorization of an access request has a number of distinctive steps, as shown in Figure 1-6 (page 41). The rounded rectangles represent configuration files and the ovals represent one or more actions called by the FSM.

40 Overview: The HP-UX AAA Server

Figure 1-6 Authorization Steps

Authorization Steps

1. The server receives the Access-Request.

2. The server evaluates the request-ingress policy. This is the first step in the FSM, before the request is despatched for processing. The request ingress policy can be used to alter the request in one of the following ways:

• A-V pairs may be added, changed, or removed.

• The request classification may be altered.

• The request may be rejected immediately.

• The request may be dropped entirely, and no reply is sent.

If the request-ingress policy is evaluated successfully, the HP-UX AAA Server continues with the authorization process.

3. If a request is being proxied, then the HP-UX AAA Server evaluates the proxy-egress and proxy-ingress policies. The HP-UX AAA Server applies the proxy-egress policy before the RADIUS proxy request message is created and sent. The proxy-ingress policy is applied after the proxy response is received. Table 1-2 discusses how these policies are used to alter requests.

Handling an Access Request 41

Table 1-2 How Requests are Altered Using the proxy-egress and proxy-ingress Policies

Use of the proxy-ingress PolicyUse of the proxy-egress Policy

A-V pairs can be added, modified, or removed.A-V pairs can be added, modified, or removed.

The reply type may be altered.The request may be rejected immediately.

The request may be dropped entirely and no reply is sent.

The request may be rejected immediately.The proxy target host may be changed.

4. Check Items. After authentication each check item in the user profile is processed or matched against the request's corresponding Attribute-Value (A-V) pairs.

• If all the check and deny items associated with User-Name are satisfied, the

CHK_DNY action returns an ACK value to the FSM.

• If any check or deny item, including the user's password, is not matched

correctly, the authentication module returns a NAK value to the FSM. The request fails, and an Access-Reject message is returned to the client.

5. User Policy. All requests are subjected to user policy after authentication. The user policy is applied only after successful authentication. A user policy can be specified in a Policy-Pointer attribute on the request as either a check item or a reply item. If the Policy-Pointer attribute is found in the check items, then the HP-UX AAA Server does not look for one in the reply items. The value of the Policy-Pointer attribute should specify the URL for the decision file to be evaluated. If a request contains a Policy-Pointer attribute, as either a check item or a reply item, the specified policy is applied. If the request does not contain a Policy-Pointer, then no user policy is applied. In this case the POLICY action returns an ACK event to the FSM.

Some policies that can be implemented include:

• Dialed Number Identification Service (DNIS)-routing requests according to

the number called from or called;

• Grouping users by NAS addresses or ports;

• Control session duration, concurrent usage, or delivered services by logical

groupings defined by the contents of specified A-V pairs;

• Control access according to any time-based criteria.

6. Local Authorization Server (LAS). The LAS refers to the routines and code in the server that handles authorization. LAS and POSTLAS actions are part of the LAS. Session control with LAS is based on realms. Local Session tracking must be explicitly enabled for a realm via the Server Manager or the /etc/opt/aaa/ las.conf file. If the realm is not listed, LAS does not enforce any session control for users from that realm. When the LAS handles an Access-Request for a user in

42 Overview: The HP-UX AAA Server

a local realm configured in the las.conf file, the LAS module performs the following actions:

• Checks the user profile for a Simultaneous-Session attribute-value pair, which

determines the maximum number of active sessions the user can have. Default value is 1.

• Authorizes or denies service based on Service-Class.

The POSTLAS action performs Simultaneous Access Token (SAT) control, which is used to implement realm-based simultaneous session control.

NOTE: HP recommends not to enable local session tracking for any realms

utilizing session management via SQL Access.

7. Reply items refer to the generation of an Access-Accept or Access-Reject message

by the ReplyPrep action. By adding reply items to a user's profile or through policy decisions, ReplyPrep can provide a NAS with provisioning information in an Access-Accept data packet. Depending on the capabilities of the NAS, the reply items can be used to control a user's session. For example, the following user entry limits the length of the session and the hosts that can be accessed:

guest@library.org Password = "public" Filter = "library", Session-Timeout = 3600

Users can authenticate as guest@example.org using password public to connect for one hour (3600 seconds) to the library hosts that the filter library allows.

The ReplyPrep action also checks for a Service-Type value, equates the value with user entries, and then appends reply items to the request accordingly. The attribute values for these items specify the default values to use when configuring the connection specified by Service-Type. The special user entries are not used for authentication; the reply items for one of these entries are appended to a request from any user requesting the corresponding service type. If duplicate A-V pairs exist, pruning is applied to determine the A-V pair that must be included in the Access-Accept or Access-Reject message.

8. The HP-UX AAA Server evaluates the reply-egress policy just before the RADIUS reply message is created and sent. The reply-egress policy can be used to alter the request in one of the following ways:

• A-V pairs may be added, modified, or removed

• The reply type may be modified

• The request may be dropped entirely and no reply is sent.

Handling an Access Request 43

Session Logs For Accounting

During operation, the HP-UX AAA Server processes information received in an Accounting-Request from the client. By default, session logging information is written to a file following a predefined format, such as Merit or Livingston. You can modify how and where the server generates the logs by editing the log.config file. You can also schedule logging by editing the FSM. In addition, modifying the FSM and configuring SQL Access enables you to use a database to store session log information. For more information, see Chapter 18: “SQL Access” (page 207).

IPv6 Support for External Services

The HP-UX AAA Server can be configured to use IPv6 addresses and support IPv6 attributes for most of the protocols and services it supports. The HP-UX AAA Server currently supports only IPv4 for the following services:

• Dynamic user IP address assignment using DHCP

• Access to Oracle servers via the Oracle authentication module

• Access to RSA SecurID servers

IMPORTANT: The HP-UX AAA Server supports the use of RADIUS IPv6 attributes

with HP-UX 11i v1 (and subsequent releases). RADIUS communication over IPv6 transports is supported with HP-UX 11i v2 (and subsequent releases).

44 Overview: The HP-UX AAA Server

2 Upgrading to Version A.07.01

This chapter explains how to upgrade to the HP-UX AAA Server A.07.01 from previous versions.

The HP-UX AAA Server Upgrade Process

The following process describes the HP-UX AAA Server A.07.01 product installation on a system where a previous version of the HP-UX AAA server is currently installed:

1. The contents of the existing configuration in /etc/opt/aaa/ are copied to /etc/

opt/aaa.old/. If any files with the same names exist in /etc/opt/aaa.old/,

they will be overwritten.

2. The old product binaries are removed and new product binaries are installed.

3. Old unmodified configuration files are replaced with the new default configuration

files in /etc/opt/aaa/.

4. Backup of the default A.07.01 files are installed in /opt/aaa/newconfig/etc/

opt/aaa/ for your reference.

5. Generally, no additional migration is necessary, except as specified in the following

sections:

• “Upgrading from Versions A.07.00, A.06.02, or A.06.01 to Version A.07.01.”

• “Upgrading from Version A.06.00.x to Version A.07.01” (page 46)

• “Upgrading from Version A.05.x to Version A.07.01” (page 48)

NOTE: Contact your HP Supportrepresentative if you are upgrading from version

A.05.x and require assistance.

Upgrading from Versions A.07.00, A.06.02, or A.06.01 to Version A.07.01

No migration is required. If you have modified /etc/opt/aaa/dictionary, and want to use SQL Access, OTP authentication, or use pre-defined policy hooks in the FSM, merge the dictionary file. For information on merging the dictionary file, see

“Merging the Dictionary File” (page 48).

If you have modified the radius.fsm file, and you want to use OTP authentication or usepre-defined policy hooks in the FSM, merge the radius.fsm file. For information on merging the radius.fsm file, see “Merging the radius.fsm File” (page 48).

If you have configured realms with LDAP as the back end, and you want to enable CIS search, then you must specify the Filter-Type in the realm configuration in the authfile as follows:

The HP-UX AAA Server Upgrade Process 45

<realm name> -DEFAULT ProLDAP "" { Filter-Type CIS Directory "directory_name" { Host <ldap-server-hostname> Port <ldap-server-port> Administrator <ldap-server-administrator> Password <Password> Searchbase <search-base> Authenticate <auto | search | bind> } }

Additions have been made to the vendors file in this version of the HP-UX AAA Server. If you have modified the vendors file, you must merge the vendors file. For information on merging the vendors file, see“Merging the vendors File” (page 48).

Upgrading from Version A.06.00.x to Version A.07.01

To upgrade the configuration files, complete the following steps:

1. Backup your existing HP-UX AAA server configuration.

2. Install the HP-UX AAA Server A.07.01 without removing your existing HP-UX AAA Server software.

3. Copy the following files from /etc/opt/aaa.old/ to /etc/opt/aaa/. You do not need to modify these files when migrating to A.07.01:

• The clients file

• The las.conf file

• The iaaaAgent.conf file

• The db_srv.opt file

• The engine.config file

• The DAC.grp file and additional policy files

• New or modified certificate files (to be copied from /etc/opt/aaa.old/

security/ to /etc/opt/aaa/security/)

4. Update the following A.07.01 files in /etc/opt/aaa/ to include any modifications you made for your legacy configuration. Perform this step to include your legacy configuration in the new A.07.01 file format. Refer to the copy of your legacy files in /etc/opt/aaa.old/ and update the corresponding A.07.01 files listed below:

• The vendors file

• The log.config file

• The radius.fsm file

• The dictionary file

• The aaa.config file

46 Upgrading to Version A.07.01

5. Copy your legacy users files from /etc/opt/aaa.old/ to /etc/opt/aaa/

(including the default users file and all files with the .users extension). Update the users files as follows:

• Remove all DEFAULT, dumbuser, pppuser, and slipuser entries. The

following shows example entries for each:

DEFAULT DEFAULT Authentication-Type = Realm

Filter-Id = "unlim"

dumbuser dumbuser Authentication-Type = None

Service-Type = Login, Login-Service = Telnet, Login-IP-Host = 255.255.255.255

pppuser pppuser Authentication-Type = None

Service-Type = Framed, Framed-Protocol = PPP, Framed-IP-Netmask = 255.255.255.0, Framed-Routing = None, Framed-MTU = 1500, Framed-Compression = Van-Jacobson-TCP-IP

slipuser slipuser Authentication-Type = None

Service-Type = Framed, Framed-Protocol = SLIP, Framed-IP-Netmask = 255.255.255.0, Framed-Routing = None, Framed-MTU = 1500, Framed-Compression = Van-Jacobson-TCP-IP

• Remove all Authentication-Type=Realm and

Authentication-Type=File strings from the remaining user entries. The following is a sample sed command you can modify to remove these entries:

$ sed -e ’s/Authentication-Type[ ]*=[ ]*Realm[ ,,]*//g’-e

’s/Authentication-Type[ ]*=[ ]*File[ ,,]*//g’ <users or *.users file name>

6. Use Server Manager to re-configure all of your legacy realm and outbound proxy

entries on A.07.01. Refer to your legacy authfile at /etc/opt/aaa.old/ authfile:

• Use Server Manager’s Proxies link to re-configure entries in /etc/opt/

aaa.old/authfile with the following syntax:

realm.com RADIUS <Realm_host_name>

• Use Server Manager’s Local Realms link to re-configure the realm entries as

they appear in /etc/opt/aaa.old/authfile.

7. If you are using a Netscape Directory server, update the RADIUS schema file for

the directory server. Copy /opt/aaa/examples/proldap/ 55iaaa-radius.ldif to the Netscape Directory server. Stop and restart slapd after copying the schema file to the Netscape server.

Upgrading from Version A.06.00.x to Version A.07.01 47

8. If you are using an OpenLDAP server, update the RADIUS schema file for the

directory server. Copy /opt/aaa/examples/proldap/iaaa-radius.ldif to the OpenLDAP server. Stop and restart slapd after copying the schema file to the OpenLDAP server.

Upgrading from Version A.05.x to Version A.07.01

Contact your HP Support representative if you are upgrading from Version A.05.x to Version A.07.01 or if you need assistance with your migration.

Merging the Dictionary File

To merge the legacy dictionary file changes to the new A.07.01 dictionary file, complete the following steps:

1. Copy the new dictionary file from /opt/aaa/newconfig/etc/opt/aaa/ to /etc/opt/aaa/.

2. Update the /etc/opt/aaa/dictionary file to include any modification you made for your legacy dictionary file.

Refer to the copy of your legacy dictionary file in /etc/opt/aaa.old/.

Merging the radius.fsm File

To merge the legacy radius.fsm file changes to the new A.07.01 radius.fsm file, complete the following steps:

1. Copy the new radius.fsm file from /opt/aaa/newconfig/etc/opt/aaa/ to /etc/opt/aaa/.

2. Update the /etc/opt/aaa/radius.fsm file to include any modification you made for your legacy radius.fsm file.

Refer to the copy of your legacy radius.fsm file in /etc/opt/aaa.old/

Merging the vendors File

To merge the legacy vendors file changes to the new A.07.01 vendors file, complete the following steps:

1. Copy the new vendors file from /opt/aaa/newconfig/etc/opt/aaa/ to /etc/opt/aaa/.

2. Update the /etc/opt/aaa/vendors file to include any modification you made for your legacy vendors file.

48 Upgrading to Version A.07.01

3 Installing and Securing the HP-UX AAA Server

This chapter explains how to acquire, install, and secure the HP-UX AAA Server product. Always refer to the HP-UX AAA Server Release Notes for important information specific to each version of the product, including requirements and dependencies.

Acquiring the HP-UX AAA Server Software

You can get the most recent version of the HP-UX AAA Server product at the HP Software Depot: http://www.hp.com/go/softwaredepot.

IMPORTANT: Be sure to review the HP-UX AAA Server Release Notes before

installation. The Release Notes list the requirements for each release, including: installation, patch, and browser requirements.

You can access the Release Notes online at:

http://docs.hp.com/en/internet.html#HP-UX%20AAA%20Server%20%28RADIUS%29)

Installing and Uninstalling the HP-UX AAA Server

The following components are installed when you install the HP-UX AAA Server:

• AAA Server binaries, libraries, and utilities

• RMI objects that facilitate communication from the AAA server to Server Manager

• AAA server AATV modules

To Install the HP-UX AAA Server

Complete the following steps to install the HP-UX AAA Server:

1. Log in to your system as root.

2. Verify that the product dependencies are installed:

# export PATH=$PATH:/usr/sbin # swlist |egrep “hpuxwsTomcat|hpuxwsApache|T1456AA”

IMPORTANT: Be sure you have the correct versions of the product dependencies

installed -- refer to the HP-UX AAA Server Release Notes.

3. Verify that the patch dependencies are installed. Skip this step if you are installing the HP-UX AAA Server on an HP–UX 11i v2 or HP-UX 11i v3 operating system.

# swlist -l product | grep aC

Review the patch requirements in the product Release Notes if the following value is not returned:

HP aC++ -AA runtime libraries (aCC A.03.37)

Acquiring the HP-UX AAA Server Software 49

NOTE: Check the Release Notes for the HP-UX AAA Server version you are

installing to verify patch requirements.

4. Download the AAA Server depot file from http://www.software.hp.com and move it to /tmp

5. Verify that you have downloaded the file correctly:

# swlist -d -s /tmp/<AAA Server>.depot

6. Stop any active Tomcat processes:

/opt/hpws/tomcat/bin/shutdown.sh

7. Install the AAA Server:

# swinstall -s /tmp/<AAA Server>.depot HPUX-AAAServer

NOTE: If the installation is not successful, an error message is displayed. The

cause of the failure will appear at the end of /var/adm/sw/swagent.log file.

8. After installing the product,add the following entries to the /etc/services file:

# RADIUS protocol radius 1812/udp radacct 1813/udp

NOTE: These RADIUS values are the server’s defaults and are specified in the

RADIUS RFC 2865.

To Uninstall the HP-UX AAA Server Software

Complete the following steps to uninstall the HP-UX AAA Server:

1. From the navigation tree, click Administration.

2. Verify the AAA server you want to stop is selected in the Server Status Frame.

3. Click Stop to stop the server.

4. From the command line, stop the RMI objects and Tomcat. See “Starting and

Stopping the RMI Objects” (page 62) and “Starting and Stopping Tomcat” (page 62)

for more information.

NOTE: Enter the following command if you have not done it already:

# export JAVA_HOME=/opt/java1.4

5. Check if db_srv is running:

$ ps -ef |grep db_srv

6. If db_srv is running, stop it with the /opt/aaa/bin/stop_db_srv.sh script.

50 Installing and Securing the HP-UX AAA Server

7. Remove all files residing in the /var/opt/aaa/ and /opt/hpws/tomcat/webapps/aaa/aaalog/ subdirectories.

8. Logout anyone using HP-UX AAA Server administrator login “aaa”.

9. As root user, enter swremove HPUX-AAAServer or swremove at the command prompt to invoke the standard HP-UX GUI to select HPUX-AAAServer bundle for removal. Refer the swremove manpage for more information on this command.

HP-UX AAA Server File Locations

Although HP-UX AAA Server can be run as root user, HP recommends running it as a non-root user.

A user and group, both named aaa, is created during installation. The HP-UX AAA Server can be run as non-root user, using the default aaa user created during installation, or any other user who is part of the aaa group.

IMPORTANT: Do not remove the default login aaa and group aaa created during

installation, even if you prefer not to use them.

Table 3-1 File Locations Upon Installation

FileDirectory

/opt/aaa/aatv

/opt/aaa/bin

Server modules and plug-ins

Server daemons and utilities:

• db_srv: Oracle client daemon for the ORACLE

authentication module

• las.test.sh: script to create simulated sessions for

testing

• radcheck: AAA Server test utility (like the ping

command)

• raddbginc: controls server debug output

• radsignal: controlsserverdebug output androlls over

the server log file and accounting stream

• radiusd: AAA Server executable

• radpwtst: AAA test client utility

• start_db_srv.sh: script to start the Oracle client

daemon

• stop_db_srv.sh: script to stop the Oracle client

daemon

HP-UX AAA Server File Locations 51

Table 3-1 File Locations Upon Installation (continued)

FileDirectory

/opt/aaa/examples/config

/opt/aaa/examples/sqlaccess/mysql-1

Finite state machine, sample policy files:

• *.fsm: Sample FSM tables

• sqlaccess-acct.fsm: Sample FSM required to

implement accounting without session management using SQL Access

• sqlaccess-acct-sess.fsm: Sample FSM required

to implementaccounting with session management using SQL Access

• *.grp: Sample decision files

• OTP sample reference implementation files:

— oath-request-ingress.grp — oath-reply-ingress.grp — oath-proxy-egress.grp

Configuration files and scripts that enable the HP-UX AAA Server to use an ODBC client to interact with a MySQL database:

• sqlaccess.config: Sample configuration file that

defines database connections, SQL statements, and RADIUS - database mappings

• dbsetup.sql: Scriptthat creates the database tables for

the sample configuration and inserts a test user in a database table

NOTE: Refer to Chapter 18: “SQL Access” (page 207) for

details on using the SQL Access feature.

/opt/aaa/examples/sqlaccess/oracle-1

52 Installing and Securing the HP-UX AAA Server

Configuration file and script that enable the HP-UX AAA Server to use an OCI client to interact with an Oracle database server:

• sqlaccess.config: Sample configuration file that

defines database connections, SQL statements, and RADIUS - database mappings

• dbsetup.sql: Scriptthat creates the database tables for

the sample configuration and inserts a test user in a database table

NOTE: Refer to Chapter 18: “SQL Access” (page 207) for

details on using the SQL Access feature.

Table 3-1 File Locations Upon Installation (continued)

FileDirectory

/opt/aaa/lib/dbcon/alternate

/opt/aaa/examples/oracle

/opt/aaa/examples/proldap

/opt/aaa/lib

Connector libraries that enable HP-UX AAA Server to communicate with supported database clients:

• libdbcon_oci.so: OCI client connector library

• libdbcon_odbc.so: MySQL Unix ODBC client

connector library

NOTE: Refer to Chapter 18: “SQL Access” (page 207) for

details on using the client connector libraries.

Scripts to create and modify tables in the Oracle database used by the ORACLE authentication module:

• create.sql: SQL script to create Oracle users table

• delete.sql: Sample SQL script to delete Oracle user

records

• insert.sql: Sample SQL script to add Oracle user

records

LDAP schema and sample LDIF files

Shared libraries:

• libradlib.sl: Contains functions that interface with

the main server

• librpilib.sl: Contains functions for programs and

utilities

• libjniAgent.sl: Contains functions for Server

Manager.

NOTE: Shared library files have .so file extensions on

HP-UX 11i v2 (B.11.23) and HP-UX 11i v3 (B.11.31).

/opt/aaa/newconfig

/etc/opt/aaa/security/

/opt/aaa/share/man/man5 and ~/man1m

/opt/aaa/share/doc/

Default configuration files. Files residing here are copied to /etc/opt/aaa directory during installation.

Directory containing a unique set of self-signed digital certificates created during installation.

Directories where manpages are installed

Directory containing Administrator’s Guide and product documentation.

HP-UX AAA Server File Locations 53

Table 3-1 File Locations Upon Installation (continued)

FileDirectory

/etc/opt/aaa

Configuration files:

• aaa.config: runtime and tunneling configuration file

• authfile: realm to authentication-type mapping file

• clients: client to shared secret mapping file

• db_srv.opt: configuration script for db_srv

environment variables

• dictionary: definition file required by the radiusd

daemon

• las.conf: authorization and accounting configuration

file

• log.config: session logging configuration file

• radius.fsm: external FSM table for the server

• users: holds user security profiles and reply items

• vendors: holds Internet Assigned Numbers Authority

(IANA) numbers and other vendor specific details

• engine.config: stores most of the AAA server

properties.

• EAP.authfile: configuresEAP authentication for user

profiles

• iaaaAgent.conf: specifieshow often the AAA server ’s

SNMP subagent will check to see if a master agent is active

• aaa.config.license: Do not alter this file

• RADIUS-ACC-SERVER-MIB.txt: describes RADIUS

Accounting MIB definitions.

• RADIUS-AUTH-SERVER-MIB.txt: describes RADIUS

Authentication MIB definitions.

• Default policy files:

— request-ingress.grp — reply-egress.grp — proxy-egress.grp — proxy-ingress.grp

Table 3-2 lists the files generated during operation and located in /var/opt/aaa/ by

default:

Table 3-2 Files Generated During Operation

/acct/session.yyyy-mm-dd.log

/data/session.las

54 Installing and Securing the HP-UX AAA Server

FileDirectory

Default session accounting logs, Merit style

Currently active sessions log file

Table 3-2 Files Generated During Operation (continued)

FileDirectory

/ipc/*.sm

/logs/logfile

/logs/logfile.yyyymmdd

/radacct/*

/run/radius.pid

Shared memory files related to the interface used for some authentication types.

IMPORTANT: You must not alter or delete the shared

memory (*.sm) files. The server does not operate correctly if the files are changed or removed from the ipc directory.

The server log file

Compressed daily or weekly log files

For session accounting logs in Livingston call detail records directory styleformat (notgenerated by default configuration)

Contains the process id (pid) for the server.

Securing the HP-UX AAA Server

Performing the steps in this section increases the security of your HP-UX AAA Server installation. HP recommends all customers perform the steps in“Changing the Default

HP-UX AAA Server Settings ” (page 55). Perform the steps in “Environment Specific Security Procedures ” (page 56) depending on your environment.

Changing the Default HP-UX AAA Server Settings

The following information explains how to increase the security of your HP-UX AAA Server by changing some of the default settings. HP recommends that all customers change the default values.

Changing the Default Tomcat User Name and Password

All Tomcat servers come with the same default user name and password. You must change the user name and password to unique values.

Complete the following steps to change the Tomcat user name and password:

1. Open /opt/hpws/tomcat/conf/tomcat-users.xml.

2. Look for entries with the roles=“tomcat” string. These entries are valid Tomcat user names and passwords.

3. Modify the file to include only the user name and password you want to use. Use the following format:

Changing the Default RMI Objects Secret

HP recommends changing the default RMI Objects secret.

Complete the following steps to change the default RMI objects secret:

Securing the HP-UX AAA Server 55

1. Open/opt/hpws/tomcat/webapps/aaa/WEB-INF/gui.properties.

2. Look for the following entry:

rmi.config.secret = "secret"

3. Change the “secret” portion to a new value

4. Open the /opt/aaa/remotecontrol/rmiserver.properties file.

5. Look for the following entry:

rmi.config.secret = "secret"

6. Change the “secret” portion to the same value configured in Step 3.

IMPORTANT: The rmi.config.secret in /opt/aaa/remotecontrol/

rmiserver.properties and in /opt/hpws/tomcat/webapps/aaa/ WEB-INF/gui.properties must be identical.

Changing the Default test_user Settings

HP recommends changing the default test_users password. This password can be changed only after starting the Server Manager. More information on how to change the default test_users passwordis provided in “Changing the Default test_user Settings”

(page 115)

Changing the Default localhost Proxy Settings

HP recommends changing the default localhost proxy settings. This setting can be changed only after starting the Server Manager. More information on how to change the default localhost proxy settings is provided in “Changing the Default localhost

Proxy Settings” (page 106).

Environment Specific Security Procedures

Depending on your environment needs, you can perform any of the following steps for additional security:

Using Secure Socket Layer (SSL) for Secured Remote Server Manager Administration

Use the following steps to configure SSL (HTTPS):

56 Installing and Securing the HP-UX AAA Server

1. Generate a certificate for Tomcat to establish the SSL connection. Use the following steps to create a self-signed certificate with the Java command line keytool utility:

1. Remove $HOME/.keystore if it already exists

2. Enter the following command:

$ export JAVA_HOME=/opt/java1.4

3. Enter the following command:

$JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA

4. Enter a password for the key store when prompted.

5. Enter the certificate information (company, contact name, etc.), when

prompted. This information must be accurate because it is displayed to users who attempt to administer Server Manager.

6. Enter a password for the key when prompted. Use the same password you

used for the key store

2. Uncomment the following underlined comments in /opt/hpws/tomcat/conf/

server.xml:

<!-- <Connector className="org.apache.coyote.tomcat4.CoyoteConnector" port="8443" minProcessors="5" maxProcessors="75" enableLookups="true" acceptCount="10" debug="0" scheme="https" secure="true" useURIValidationHack="false" <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory" clientAuth="false" protocol="TLS" /> </Connector>

-->

3. Add the keystorePass attribute to the uncommented field in /opt/hpws/ tomcat/conf/server.xml to establish the key store and key password on Tomcat. Add the keystorePass attribute as shown in the following:

IMPORTANT: Replace <password> with the password used to generate the

keystore in Step 1.

4. Stop and start Tomcat:

• Stop -/opt/hpws/tomcat/bin/shutdown.sh

• Start - /opt/hpws/tomcat/bin/startup.sh

5. Point your web browser to:

https://<hostname>:8443/aaa

Securing the HP-UX AAA Server 57

Creating a Tomcat Identity Specifically for the HP-UX AAA Server

If several applications use Tomcat, you can configure Tomcat to have a user name and password specifically for the AAA Server. All other applications using Tomcat will have a different user name and password.

Complete the following steps to create a Tomcat identity specifically for your HP-UX AAA Server:

1. Search for the following line in/opt/hpws/tomcat/conf/server.xml:

Add the following code above this line:

2. Open the /opt/hpws/tomcat/conf/aaa-users.xml file.

3. Replace adminaaa with the new user name and password

4. Enter the following command:

$ export JAVA_HOME=/opt/java1.4

5. Stop Tomcat if it is running:

$ /opt/hpws/tomcat/bin/shutdown.sh

6. Restart Tomcat:

$ /opt/hpws/tomcat/bin/startup.sh

7. Stop the RMI objects if they are running:

$ /opt/aaa/remotecontrol/rmistop.sh

8. Set the shared library path to the OCI client or ODBC driver in the /opt/aaa/ remotecontrol/rmistart.sh script if you are implementing the SQL Access

feature. See the following README files for more information:

• /opt/aaa/examples/sqlaccess/oracle-1/README: for Oracle - OCI

• /opt/aaa/examples/sqlaccess/mysql-1/README: for MySQL -ODBC

See Chapter 18: “SQL Access” (page 207) for more information on the SQL Access feature.

9. Start the RMI objects:

/opt/aaa/remotecontrol/rmistart.sh

10. Point your web browser to:

http://<hostname>:8081/aaa

11. Login with the new AAA Server-specific user name and password

58 Installing and Securing the HP-UX AAA Server

Running the HP-UX AAA Server on Hosts with System Hardening Software

If you are setting up the HP-UX AAA Server on a system that is being hardened using lock-down software such as Bastille, you must ensure thatthe portsused by the HP-UX AAA Server are kept open. The following ports must be kept open if you are running the HP-UX AAA Server:

• Port 1812 (Radius authentication port)

• Port 1813 (Radius accounting port)

• Port 8081 (port used by the Server Manager. Needed only if this host is going to

run the Server Manager)

• Port 2099 (port used by the RMI server. Needed only if the HP-UX AAA Server

on this host needs to be remotely managed from another host.)

• RMI Server ports listed in Table 3-3. By default, these ports change each time the

RMI objects are started.

NOTE: These ports are default ports. However, you can configure these services to

use other ports.

If the HP-UX AAA Server on the host needs to be remotely managed from another host, then some additional ports need to be opened. By default, these ports are chosen randomly and keep changing every time the RMI server is restarted. To make it more convenient to open, these ports can be configured in /opt/aaa/remotecontrol/ rmiserver.properties. Table 3-3 lists the ports that need to be configured and opened for the corresponding remote management functionality required.

Table 3-3 Ports Associated with RMI Objects that must be Configured

• adm.server.port

• conf.server.port

• file.server.port

• stat.server.port

• acct.server.port

• log.server.port

• sess.server.port

Running the HP-UX AAA Server as a Non-Root User

Some organizations require network server processes to run as the non-root user.

Complete the following steps to run the AAA server as a non-root user:

1. Login to the system as the root user.

2. Add the user name www to the aaa group.

3. Use the following command to start the RMI objects as the aaa user:

FunctionalityPort

If you are using the administrative functions

If you are modifying, loading, or saving the configuration

If you are using maintenance features such as accounting, logging, reporting, getting statistics, or session management

Securing the HP-UX AAA Server 59

$ su - aaa -c /opt/aaa/remotecontrol/rmistart.sh

4. Use the following command to start Tomcat as the www user:

$ su - www -c "export JAVA_HOME=/opt/java1.4; /opt/hpws/tomcat/bin/startup.sh"

5. Point your web browser to:

http://<hostname>:8081/aaa

NOTE: Any log files created when the HP-UX AAA server was running as the root

user will not be accessible after performing this procedure. To view these logfiles, change the ownership to match the UID of when the log files were created. For more information, see the chown manpage for more information.

Setting Up the HP-UX AAA Server to Start as Non-Root User After Reboot

Complete the following steps to set up the HP-UX AAA Server to start as non-root user after reboot:

1. Set the RADIUSD variable to 1 in the /etc/rc.config.d/radiusd.conf file.

2. Open the /sbin/init.d/radiusd.rc file and look for the following entry:

DAEMONNM=radiusd CONFFILE=$AAAPATH/clients DAEMONEXE=/opt/aaa/bin/${DAEMONNM}

3. Change the DAEMONEXE line to set radiusd to start as the aaa user after reboot:

Change:

DAEMONEXE=/opt/aaa/bin/${DAEMONNM}

To:

DAEMONEXE=”/usr/bin/su - aaa -c /opt/aaa/bin/${DAEMONNM}”

4. Look for the following entry:

echo "$DAEMONNM started with <$retval>" if [[ -x /opt/aaa/remotecontrol/rmistart.sh ]]; then /usr/bin/nohup /opt/aaa/remotecontrol/rmistart.sh >/dev/null 2>&1 fi

5. Change the then statement to start the RMI objects as the aaa user after reboot:

Change:

if [[ -x /opt/aaa/remotecontrol/rmistart.sh ]]; then /usr/bin/nohup /opt/aaa/remotecontrol/rmistart.sh >/dev/null 2>&1 fi

To:

if [[ -x /opt/aaa/remotecontrol/rmistart.sh ]]; then /usr/bin/nohup /usr/bin/su - aaa -c

60 Installing and Securing the HP-UX AAA Server

/opt/aaa/remotecontrol/rmistart.sh >/dev/null 2>&1 fi

6. Look for the following entry:

# stop the daemon!!! if [[ -x /opt/aaa/remotecontrol/rmistop.sh ]]; then /opt/aaa/remotecontrol/rmistop.sh >/dev/null 2>&1 fi

7. Change the then statement to stop the RMI objects as the aaa user during shutdown:

Change:

if [[ -x /opt/aaa/remotecontrol/rmistop.sh ]]; then /opt/aaa/remotecontrol/rmistop.sh >/dev/null 2>&1 fi

To:

if [[ -x /opt/aaa/remotecontrol/rmistop.sh ]]; then /usr/bin/su - aaa -c /opt/aaa/remotecontrol/rmistop.sh >/dev/null 2>&1 fi

8. If you are implementing the SQL Access feature, add the following environment variable settings in the user’s .profiles file in the home directory:

(For ODBC only)

export ODBCINI=path/odbc.ini

(For OCI and ODBC)

export SHLIB_PATH=${SHLIB_PATH}:Path for odbc/oci client libraries

Securing the HP-UX AAA Server 61

4 Enabling the HP-UX AAA Server for GUI-based

Administration

This chapter explains how to enable your HP-UX AAA server software to begin administration.

Accessing the Server Manager

To start the HP-UX AAAServer and the Server Manager graphic user interface,complete the following steps:

1. Enter the following command:

# export JAVA_HOME=/opt/java1.4

2. Start the Remote Method Invocation (RMI) objects to allow the AAA server software to communicate with Server Manager. Use the following command:

# /opt/aaa/remotecontrol/rmistart.sh

3. Start the HP-UX Tomcat-based Servlet Engine. Use the following command:

# /opt/hpws/tomcat/bin/startup.sh

4. Enable the Java Runtime Environment (JRE) and Javascript for the browser, so that the browser can run the Server Manager applets and execute Javascripts.

5. Point your web browser to the following URL to manage the HP-UX AAA Server with the Server Manager interface:

http://<IP-Address or FQDN>:8081/aaa

6. To access the Server Manager, enter your user name and password.

NOTE: The default Server Manager username is tomcat. The default Server

Manager password is tomcat.

Starting and Stopping the RMI Objects

To start and stop the RMI objects, use the following commands:

• To start: /opt/aaa/remotecontrol/rmistart.sh

• To stop: /opt/aaa/remotecontrol/rmistop.sh

• Status: netstat -a | grep 7790

Starting and Stopping Tomcat

To start and stop Tomcat, use the following commands:

• To start: /opt/hpws/tomcat/bin/startup.sh

• To stop: /opt/hpws/tomcat/bin/shutdown.sh

• Status: netstat -a | grep 8081

62 Enabling the HP-UX AAA Server for GUI-based Administration

Testing the Installation

To test the server installation quickly, perform the following procedure using Server Manager:

• Add a loopback connection to a AAA server

• Start the AAA server

• Check the status for a response

To Test the Installation

Complete the following steps to test the server installation:

1. Connect to Server Manager and start the AAA server. See “Accessing the Server

Manager” (page 62).

2. From the navigation tree, click the Server Connections link and then click the Connect to Server link.

3. In the Add Connection screen that opens, enter the values for you server as shown in the following format:

Name The identifying string of a remote server. Domain Name or IP Address The IP address (traditional IPv4 address in

dotted-quad notation, or IPv6 address in IPv6 literal format notation), or valid Domain Name System (DNS) host name of the AAA server that the connection maps to.

Example: IPv4 address- 192.0.2.0

IPv6 addressfedc:ba98:7654:3210:fedc:ba98:7654:3210

Domain Name- example.org

4. Click Create.

5. Verify the server is listed and selected in the Server Status frame.

6. From the navigation tree, click Administration.

7. Click Start.

8. Verify the server has started. A green “GO” icon in the Server Status frame indicates the server is running.

9. Verify the server is selected in the Server Status frame and then select the Status option.

10. Check Server Manager’s Message Frame for the status reply. The following reply at the bottom of the Message Frame indicates the server is running correctly:

“<server name> (port#)” is responding

Testing the Installation 63

11. Verify that your HP-UX AAA Server is installed and operating correctly by using

the testinguser (named test_user) created during installation. After test_user is authenticated and the AAA server sends an Access-Accept, the client sends an Accounting-Request to start the session. After the session is terminated, the client sends an Accounting-Request stop message to stop the session logging and the AAA server writes the session information to a file.

a. Enter the following command:

# /opt/aaa/bin/radpwtst -s localhost -i 192.0.2.0 -l test_user

This command simulates an Access-Request from port 1 of a NAS with an IP address of 192.0.2.0. When prompted for a password, enter: password. The command must return the following output:

’test_user’ authentication OK

b. Enter the following command:

# /opt/aaa/bin/radpwtst -c 4 -s localhost -i 192.0.2.0 -l 1 -u ppp -:Acct-Status-Type=Start test_user

This command simulates an Accounting-Request start message, activating the users’s PPP session. The command must return the following output:

Accounting Response received

c. Enter the following command:

# /opt/aaa/bin/radpwtst -c 4 -s localhost -i 192.0.2.0 -l 1 -u ppp -:Acct-Status-Type=Stop test_user

This command simulates an Accounting-Request stop message, terminating the users’s session. The command must return the following output:

Accounting Response received

d. View the session logs for test_user’s start and stop accounting messages

by selecting Accounting in Server Manager’s navigation tree and clicking Display.

IMPORTANT: HP recommends removing test_user or changing it’s default

password before deploying the HP-UX AAA Server in a production environment. See

“Securing the HP-UX AAA Server” (page 55) for more information.

Starting AAA Servers Using Server Manager

To start AAA servers using Server Manager, complete the following steps:

1. From the navigation tree, click Administration.

2. Select the servers you want to start in the Server Status frame.

64 Enabling the HP-UX AAA Server for GUI-based Administration

NOTE: Server commands will only be executed on servers selected in the Server

Status frame.

3. Click Start.

Figure 4-1 shows the return value in Server Manager’s message frame when a server

is successfully started.

Figure 4-1 Return Value After Successfully Starting a AAA Server

AAA Server Start Options

Select the Start button’s corresponding icon to display the Start Options screen shown in Figure 4-2. Table 4-1 describes the start options you can use.

Figure 4-2 Server Manager’s Start Options Screen

Starting AAA Servers Using Server Manager 65

Table 4-1 Server Start Options

DescriptionOption

Port number to listen to authentication requestsAuthentication

Port number to listen to accounting requests.Accounting

Authentication Relay

Accounting Relay

Debug Level

Reset Session Table

Port number to relay authentication requests. This option is useful when proxying requests to a AAA server that is not listening on the default port.

Port number to relay accounting requests. This option is useful when proxying requests to a AAA server that is not listening on the default port.

Specifies the debug level. Higher levels write more information to the radius.debug file. Increasing thisvalue can cause performance todecline.

Empties the logfile and debug file when the server is started.Reset Logfile

Empties stored session table at server startup.

IMPORTANT: This option is only intended for experimental use or testing

and not for a live production server. If you reset a production server, the server loses track of the sessions that are still active.

NOTE: All options specified when the server is started are written to the server’s

logfile.

IMPORTANT: Modified start options will not take effect until the server is stopped

(by selecting the stop button) and then restarted.

Server Manager’s Reload Feature

The Reload button signals the HP-UX AAA Server to reload specific configuration information while the server is running. The result of the command will be displayed in the Message frame. The HP-UX AAA server will reload the following files after you select Reload:

• users

• clients

• authfile

• aaa.config

• engine.config (all values except the certificate properties, which require you

to stop and restart the server to be refreshed)

• las.conf

• EAP.authfile

• aaa.config.license

• sqlaccess.config

66 Enabling the HP-UX AAA Server for GUI-based Administration

• request-ingress.grp

• reply-egress.grp

• proxy-egress.grp

• proxy-ingress.grp

In order for other configuration changes to take effect, you must stop and restart the server.

IMPORTANT: Save the configuration before reloading the configuration information.

Starting AAA Servers From the Command Line

The radiusd daemon is a process that services user authentication and accounting requests from RADIUS clients. Authentication and accounting requests come to the radiusd daemon in the form of UDP packets conforming to the RADIUS protocol. You can start the radiusd daemon from the Server Manager GUI, command line, or through an inetd service.

radiusd Syntax

radiusd [-c workdir] [-C] [-d configdir] [-da aatvdir] [-dl logdir] [-di ipcdir] [-dr rundir] [-dd datadir] [-dm meritdir] [-p authport] [-q acctport] [-f fsm] [-l [-n] [-pp authproxy] [-qq acctproxy] [-g logtype] [-h] [-s] [-t timeout] [-v] [-z] [-x] [-x] [-x] [-x]

Table 4-2 describes all the radiusd options.

Table 4-2 radiusd Options

-c Working-directory

-C tokcachedir

-d Config-directory

-da AATV-directory

-dl Logfile-directory

-di IPC-directory

-dr Run-directory

DescriptionOption

Sets current working directory. This optioncan beuseful for determining the location of system generated files, such as core files.

Enables token caching.

Specifies the directory where the configuration files are located. If omitted, the default directory is /etc/opt/aaa.

Specifies thedirectory where the AATV libraries are located. If omitted, the default directory is /opt/aaa/aatv.

Specifies the directory where the log and debug files are located. If omitted, the default directory is /var/opt/aaa/logs.

Specifies the directory where the files generated for shared memory operation are located. If omitted, the default directory is /var/opt/ aaa/ipc.

Specifies the directory wherethe server's process id file (radiusd.pid) is located. If omitted, the default directory is /var/opt/aaa/run.

Starting AAA Servers From the Command Line 67

Table 4-2 radiusd Options (continued)

DescriptionOption

-dd Data-directory

-dm Accounting-directory

-p Authentication-port

-q Accounting-port

-f FSM

-l Log-format

-n

Specifies the directory where the active session file (session.las) is located. If omitted, the default directory is /var/opt/aaa/data.

Specifies the directory where Merit style accounting log files (session logs) are located. If omitted, the default directory is /var/opt/aaa/ acct.

Specifies the UDP port number to listen to auth requests. If omitted, the local host services will be queried for the RADIUS port (see services(4)). If unable to obtain the port from host services, the RADIUS standard default of 1812 will be used.

Specifies the UDP port number to listen for acct requests. If omitted, the local host services will be queried to obtain the radacct port (see services(4)). If unable to obtain the port from host services, the RADIUS standard default of 1813 will be used.

Allows the user to specify an alternate Finite State Machine (FSM) table file instead of the default radius.fsmfile. Thedefault FSM file (/etc/

opt/aaa/radius.fsm) follows Merit style accounting behavior.

strftime(3) format for naming logfiles. The -l option specifies the

logfile name format withtimestamp precision and dictates whena logfile must start logging. For example, the following specifies the logging to start every hour:

$ ./radiusd -l logfile.%Y%m%d%H

Resets the session table. If omitted, the default is to restore the session table from a previous run.

-pp Authentication-proxy

-qq Accounting-proxy

-h

-t Timeout

-v

-x

68 Enabling the HP-UX AAA Server for GUI-based Administration

Specifies the UDP port number to forward (proxy) authentication requests.

Specifies theUDP port number to forward (proxy)accounting requests.

Selects logfile, syslog, or stderr logging.-g Logtype

Displays help message

Single process (non-spawning) mode-s

Inactivity timeoutvalue (minutes) whenthe radiusddaemon is started through inetd.

Displays AAA server version.

Empties the logfile and the debug file if -x option is used.-z

Adds to debug flag value.

NOTE: The radiusd daemon determines what action must be taken when receiving

requests based upon an FSM that it loads into memory when the server is started. The FSM can be configured, but it is static after server startup. The server uses the algorithm shown in Figure 4-3 to determine which FSM must be loaded into memory:

Figure 4-3 Algorithm for Determining Which FSM to Load

IMPORTANT: When started by the inetd service, radiusd times out if it does not

receive a message in 15 minutes. With the -t Timeout option, you can override this value. If the value is set to 0, it waits indefinitely without timing out.

Configuring the HP-UX AAA Server to Start Automatically Upon System Reboot

You can configure the HP-UX AAA Server (radiusd) and RMI objects to start automatically after a system reboot.

• Set the RADIUSD variable in/etc/rc.config.d/radiusd.conf to 1. The default setting is 0.

CAUTION: Modifying the content in the /sbin/init.d/radiusd.rc file other

than radiusd options can disallow booting of the system.

NOTE: You can also start the Server Manager interface after reboot. In the /etc/

rc.config.d/hpws_tomcatconf file, set HPWS_TOMCAT_START to 1, and set JAVA_HOME to/opt/java1.4.

Stopping or Restarting HP-UX AAA Servers

You must stop or restart AAA servers to update configuration changes.

Stopping or Restarting HP-UX AAA Servers 69

CAUTION: Do not stop a live server in production as it interrupts services to users.

Using Server Manager

1. From the navigation tree, click Administration.

2. Select the servers you want to stop in the Server Status frame.

NOTE: Server commands will only be executed on servers selected in the Server

Status frame.

3. Click Stop.

A message prompt enables you to confirm whether you wish to stop the server. If the server cannot be stopped, the administrator is notified of the problem in the message frame.

From the Command Line

Enter the following command at the prompt to stop radiusd:

kill `cat /var/opt/aaa/run/radiusd.pid|awk '{print$1}'`

Enter the following command at the prompt to restart radiusd:

kill `cat /var/opt/aaa/run/radiusd.pid|awk '{print$1}'`;/opt/aaa/bin/radiusd

Adding an HP-UX AAA Server to Your Network

Multiple servers can be configured and run using the AAA Server Manager graphic interface. You must establish at least one connection before you begin configuration. Only one connection can be local to the Server Manager program.

You can install a server to any machine that meets the system requirements and that can establish a UDP connection to the machine hosting the Server Manager.

To add an HP-UX AAA Server to your network, complete the following steps:

1. From the navigation tree, click the Server Connections link and then click the Connect to AAA Server link.

2. On the Create New Server Connection screen that appears, enter values as shown in Table 4-3.

Table 4-3 New Server Connection Screen Fields

Value to EnterField

An identifying string for a server running the AAA softwareName

70 Enabling the HP-UX AAA Server for GUI-based Administration

Table 4-3 New Server Connection Screen Fields (continued)

Value to EnterField

Domain or IP Address

Full DNS name or IP address (traditional IPv4 or IPv6 address) of an HP-UX AAA server

Examples: IPv4 address- 192.0.2.0

IPv6 address- fedc:ba98:7654:3210:fedc:ba98:7654:3210

Domain name- example.org

3. Click Create.

If the client program successfully connects to the server, the name you specified must appear in the Status Frame displayed in the lowerleft corner of the programs interface.

Adding an HP-UX AAA Server to Your Network 71

Part II Configuring the HP-UX AAA Server Manager Using

the Server Manager GUI

This part of the HP-UX AAA Server Administrator’s Guide contains the following chapters:

• Chapter 5: “The HP-UX AAA Server Manager Interface” (page 76)

• Chapter 6: “Managing HP-UX AAA Servers” (page 78)

• Chapter 7: “Configuring RADIUS Clients Using the Access Devices Screen” (page 84)

• Chapter 8: “Configuring Realms” (page 89)

• Chapter 9: “Configuring Proxies” (page 105)

• Chapter 10: “Configuring Users” (page 115)

• Chapter 11: “Modifying Server Properties” (page 122)

• Chapter 12: “Logging and Monitoring ” (page 129)

Table of Contents

5 The HP-UX AAA Server Manager Interface..................................................................................76

Commonly Used Icons in the GUI......................................................................................77

6 Managing HP-UX AAA Servers..................................................................................................78

Using the Server Connections Screen.................................................................................78

Adding a New Server ........................................................................................................78

Modifying Connection Attributes......................................................................................79

Deleting a Server Connection.............................................................................................80

Managing Multiple Servers................................................................................................81

Loading and Saving Your Configuration...........................................................................82

7 Configuring RADIUS Clients Using the Access Devices Screen.......................................................84

Navigating the Access Devices Screen...............................................................................84

Adding a RADIUS Client...................................................................................................84

Modifying a RADIUS Client’s Properties...........................................................................87

Deleting a RADIUS Client..................................................................................................88

8 Configuring Realms..................................................................................................................89

Using the Local Realms Screen...........................................................................................89

Adding a Realm..................................................................................................................89

Modifying Realms..............................................................................................................92

Special Entries.....................................................................................................................92

Deleting a Realm.................................................................................................................93

Configuring Realms for Authentication using an External Server....................................94

Configuring Realms for Database Access via SQL.......................................................94

Configuring Realms for LDAP .....................................................................................96

Modifying a Directory Configuration......................................................................98

Deleting a Directory Configuration.........................................................................98

Tuning the AAA Server to LDAP Server Connection..............................................99

Configuring Realms for Oracle.....................................................................................99

Configuring the HP-UX AAA Server Using Server Manager...............................100

To Configure and Run the db_srv Daemon ...................................................101

Scripts to Start and Stop the HP-UX AAA Server Oracle Daemon..................103

Configuring a SecurID Realm.....................................................................................103

9 Configuring Proxies................................................................................................................105

Navigating the Proxy Screen............................................................................................105

Changing the Default localhost Proxy Settings................................................................106

Creating or Modifying a Proxy.........................................................................................106

Forwarding Authentication Requests From a Proxy Server.......................................109

Forwarding Authentication Requests to a Remote Server..........................................110

Changing RADIUS Port Numbers....................................................................................111

Forwarding Requests to Alternate RADIUS Ports......................................................111

Forwarding Accounting Requests....................................................................................111

Table of Contents 73

Proxying Authentication and Accounting Messages to the Same Server........................112

Proxying Accounting Requests to a Central Server..........................................................113

Deleting a Proxy................................................................................................................113

10 Configuring Users.................................................................................................................115

Navigating the Users Screen.............................................................................................115

Changing the Default test_user Settings..........................................................................115

Adding a User Profile ......................................................................................................116

Tabs on the Add Users Screen.....................................................................................118

Specifying Attributes Using the Free Attributes Pane...........................................118

Adding Users for SecurID Authentication.......................................................................119

Modifying User Profiles....................................................................................................119

Deleting a User Profile......................................................................................................120

To Delete a User Profile From the Default users File................................................120

To Delete a User Profile in a Local Realms File...........................................................121

11 Modifying Server Properties...................................................................................................122

Navigating the Server Properties Screen..........................................................................122

DHCP Relay Properties....................................................................................................122

DNS Updates Properties...................................................................................................123

Message Handling Properties...........................................................................................124

SNMP Properties..............................................................................................................125

Enable SNMP Support.................................................................................................125

Tunneling Properties.........................................................................................................125

Tunneling Reply Items (Optional)...............................................................................126

Certificate Properties........................................................................................................126

File Size Properties............................................................................................................127

Maximum Logfile Size.................................................................................................127

Miscellaneous Properties..................................................................................................127

Permit Microsoft Client Authenticate As Computer...................................................127

Local Users File Properties...............................................................................................128

ProLDAP Properties.........................................................................................................128

12 Logging and Monitoring .......................................................................................................129

Overview...........................................................................................................................129

Server Log Files ................................................................................................................129

Using Server Manager to Retrieve Logfile Information..............................................129

Search Parameters..................................................................................................130

Message Types .......................................................................................................131

Using Server Manager to Retrieve Statistics ...............................................................131

Accounting Log Files .......................................................................................................132

Using Server Manager to Retrieve Accounting Logfiles.............................................133

Format of Accounting Records in the Default Merit Style..........................................134

Time-Based Values.................................................................................................134

Client A-V Pairs......................................................................................................135

User Entry A-V Pairs..............................................................................................135

74 Table of Contents

Session Tracking.....................................................................................................135

Writing Livingston CDR Accounting Records............................................................136

Livingston CDR Session Record Format................................................................137

Changing the Accounting Log Filename.....................................................................137

Changing the Accounting Log Rollover Interval........................................................138

Rolling Over the Log File and Accounting Stream.....................................................138

Table of Contents 75

5 The HP-UX AAA Server Manager Interface

HP-UX AAA Server Manager (Server Manager) is a browser-based application. It uses the HP-UX Tomcat-based Servlet Engine to provide a configuration interface between a web browser and one or more AAA servers. The Server Manager is used to start, stop, configure, and modify the servers. In addition, Server Manager can retrieve information about logged server sessions and accounting information for an administrator.

Figure 5-1 shows the various parts of the Server Manager interface.

The Server Manager user interface consists of the following three sections:

• The navigation tree- Click on links in the navigation tree to open the corresponding

section in the Main Screen.

• The Main Screen- Configure the HP-UX AAA Server on this screen.

• HP-UX AAA Server Status Frame-View the status of your servers on this screen.

Figure 5-1 The HP-UX AAA Server Manager User Interface

76 The HP-UX AAA Server Manager Interface

Commonly Used Icons in the GUI

• Click to add new servers, realms, or users.

• Click to delete the corresponding entry.

• Click to display a context-sensitive Help screen.

• Click to edit the corresponding entry.

• indicates that the configuration file cannot be modified using the Server

Manager. Edit the configuration file manually using a command line editor.

Commonly Used Icons in the GUI 77

6 Managing HP-UX AAA Servers

Your server configuration can be synchronized and controlled across one or more server installations. These server installations can be on the same machine as the Server Manager program, or on different machines. Server Manager identifies each AAA installation as a server connection and maps a hostname to the IP address (both traditional IPv4, and IPv6 address formats are supported) or DNS name of a remote machine where a AAA server is installed.

NOTE: Before defining a connection, ensure that the HP-UX Tomcat-based Servlet

Engine is running on the machine.

You cannot configure servers until a server connection is established. All configuration modifications are saved locally and are not associated with any server. A connection named localhost is configured as a server connection by default during installation.

Using the Server Connections Screen

The Server Connections screen shown in Figure 6-1 allows you to add a new server connection, and modify or delete an existing connection.

Figure 6-1 Server Manager’s Connected Server Screen

Adding a New Server

To add a new server, complete the following steps:

78 Managing HP-UX AAA Servers

1. Click to display the Add Server screen.

The Add Connection screen appears as shown in Figure 6-2.

Figure 6-2 The Add Connection Screen

2. In the Server Attributes form, enter your server’s attributes according to the format shown in Table 6-1

Table 6-1 Fields in the Connection Attributes Form

AttributesField Name

The identifying string of a remote serverName

Domain Name or IP Address

The client IP address or DNSname. Both traditional IP (IPv4), and IPv6 address formats are supported. The HP-UX AAA server can resolve the DNS name format entries to both IPv4 and IPv6 addresses.

Enter an IPv4 address in dotted-quad notation. Enter an IPv6 address in IPv6 Literal format notation. For example:

IPv4 address — 192.0.2.0

IPv6 address — fedc:ba98:7654:3210:fedc:ba98:7654:3210

3. Click Create to create the server connection.

Click Cancel to return to the Managed Servers screen without creating a new server connection.

IMPORTANT: When adding a connection to a new remote server, you must start

the RMI objects on that host to allow Server Manager to administer the server. You can start the RMI objects from the command line with the following command:

$ /opt/aaa/remotecontrol/rmistart.sh

Modifying Connection Attributes

In the Server Connections screen, select the icon correspondingto the server whose attributes you wish to modify. The Modify Connection screen appears as shown in

Figure 6-3.

Modifying Connection Attributes 79

Figure 6-3 The Modify Connection Screen

HP-UX AAA Server Properties section of the form includes a list of pathnames that cannot be modified. These pathnames must match the installation directories of the remote server.

IMPORTANT: When setting an option to a given directory, the directory must exist

and be editable on the machine. You must specify the logfile directory to access session logs through the maintenance functions listed in the navigation tree menu.

Deleting a Server Connection

To delete a server connection, complete the following steps:

80 Managing HP-UX AAA Servers

1. In the Server Connections screen, click the icon corresponding to the server connection that you want to delete.

The Delete Server Connections screen appears as shown in Figure 6-4. This screen allows you to preview the properties of the server connection before you confirm deletion.

Figure 6-4 The Delete Server Connections Screen

2. Click Delete to remove the server connection. Click Cancel to return to the Server Connections screen without removing the server connection.

Managing Multiple Servers

The Server Status frame, located in the lower left corner of the Server Manager's interface, provides a list of server connections as shown in Figure 6-5.

Figure 6-5 Server Manager’s Server Status Frame

When your network includes multiple AAA servers, click the check box that precedes each listed connection to specify whether a command applies to the corresponding server.

Managing Multiple Servers 81

When a server command, such as Start, is submitted, it will only be sent to checked servers. When you retrieve server logging, statistics, active sessions, or account information, only information from the checked servers will be displayed.

Table 6-2 displays the icons that can appear in Server Manager’s Server Status frame

and describes them briefly.

Table 6-2 Icons in Server Manager’s Server Status Frame

DefinitionIcon

Running - Indicates the server is connected and running.

Stopped - Indicates that the server is connected but is not currently running.

Failure - Indicates a communication error between the Server Manager and the AAA server.

Loading and Saving Your Configuration

AAA configuration files consist of one or more entries. When accessing these files through the Server Manager interface, the initial screen lists each existing entry and provides controls to open HTML forms. You can add or modify the AAA server’s configuration files by entering values in these forms. You must then submit these values to the program. The fields in the HTML forms include text boxes, drop-down lists, and other form controls. Fields with bold labels require values for a complete configuration.

Server Manager stores changes you make to the server configuration, but does not immediately save them on a remote server. When you select the Load Configuration link from the navigation tree, the interface (shown in Figure 6-6) displays a prompt. You can edit the server configuration settings using this prompt. Information for the access device, proxies, local realms, users, and server properties in the loaded configuration will replace the existing information for all server configuration items.

82 Managing HP-UX AAA Servers

Figure 6-6 Server Manager’s Load Configuration Screen

After you have made changes to the server configuration items, you can save the modified configuration on any server that has an active connection with the Server Manager program. When you click Save Configuration, the Server Manager interface displays a prompt (shown in Figure 6-7). Using this prompt, you can select the servers on which the settings must be saved.

CAUTION: Clicking Save saves the entire server configuration settings (accessdevice,

proxies, local realms, users, and server properties) on the specified servers.

Figure 6-7 Server Manager’s Save Configuration Screen

NOTE: If you do not wish to save changes that have been made, you can revert to

the previous settings by loading the original configuration.

A running server does not recognize configuration modifications. After the changes have been saved on a server, you have to restart the server.

NOTE: More than one administrator cannot edit the same functional area (access

device, proxies, local realms, users, server properties) of a server configuration at the same time. After you access the configuration screens for a functional area, the Server Manager does not allow others to access that functional area until you have moved to a different item.

Loading and Saving Your Configuration 83

7 Configuring RADIUS Clients Using the Access Devices

Screen

The server configuration must include all the clients (NASs, access points and other network devices) that can communicate with the AAA server. If an access device is not included in the configuration, the server will not handle requests from, or send requests to the client. The Access Devices screen allows you to add a new client, and modify, or delete an existing client in the server configuration.

Navigating the Access Devices Screen

The Access Devices screen shown in Figure 7-1 allows you to configure a new RADIUS client, modify, or delete an existing RADIUS client.

Figure 7-1 Server Manager’s Access Device Screen

Adding a RADIUS Client

To add a RADIUS client through the Access Devices screen, complete the following steps:

84 Configuring RADIUS Clients Using the Access Devices Screen

1. In the Access Devices screen, click corresponding to the New Access Device list.

The Add Access Device Screen appears as shown in Figure 7-2.

Figure 7-2 Server Manager’s Access Device Attributes Screen

2. In the Access Device Attributes form, enter information according to the information in Table 7-1.

Adding a RADIUS Client 85

Table 7-1 Add Access Device Configuration Form Options

FunctionOption

Name

Enter the network location of the network device. This may be an IPv4address (in dotted-quad notation), an IPv6 address (in colon-separated notation), or a valid DNS host name. When specifying Name as a DNS host name, you must use the name returned by thehostname command.

Notes:

• Ensure that your DNS is configured correctly (with both forward and

reverse entries) for your AAA server. The AAA server determines the name of the machine that it is running on. If this name does not match with your local DNS servers database, you cannot configure the access device correctly.

• You can use wildcards to provideaccess for alltraditional IP (IPv4) clients

in a particular subnet. Examples of valid IPv4 wildcard patterns are:

192.*

192.0.*

192.0.2.*

• You can use wildcards to provide access for all IPv6 clients in a particular

subnet. The allowed IPv6 wildcard patterns are constructed byappending an ‘*’ to a partial IPv6 address or by specifying a single ‘*’. Examples of valid IPv6 wildcard patterns are:

* fedc:ba98:7654:3210:fe* fedc:ba98:7654:3210:fedc:ba98:*

The special IPv6 syntax of compressing zeroes using "::" is not allowed in IPv6 Wildcard patterns. For example: ‘fedc::ba98:fe*’ is not allowed.

Shared Secret

Secret

86 Configuring RADIUS Clients Using the Access Devices Screen

Enter the shared secret, or the encryption key between the client and the server. The shared secret must be less than 255 characters. A request from a client forwhich the server does nothave a shared secret is silently discarded.

Confirm the secret by typing it again.Confirm Shared

Table 7-1 Add Access Device Configuration Form Options (continued)

FunctionOption

Vendor

Options

Enter the vendor-specific attributes that must be returned to the access device in a reply. In most applications, you can select the hardware vendor of the device or Generic if the device is notlisted. You can make multiple selections by holding down the control key as you select vendor names.

The server prunes vendor-specific attributes for a given vendor if that vendor’s name is not properly defined in the vendors file, and its attributes are not properly defined in the dictionary file.

NOTE: The Generic vendor prunes all vendor-specific attributes before a

message is returned to a NAS. This attribute can be used to help prevent problems that occur if an unencapsulated vendor attribute is not correctly mapped in the vendors file.

IMPORTANT: Todefine a wireless access pointusing the MS-CHAP protocol,

you must select Microsoft as one of the vendor selections.

Select any of the check boxesto specify additional message-handling options. Following are the options:

RAD_RFC Verifies that the Access-Request conforms with the RADIUS

RFC. Nonconforming messages are dropped.

ACCT_RFC Verifies that the Accounting-Request conforms with the

Accounting RFC. Nonconforming messages are dropped.

Debug Dumps packets into the server’s debug output file. No Check Helps enhance server performance. When this option is

checked theHP-UX AAA Server does not check all attributes to determine if the request is a duplicate. Check this option if you know that the client sends standard messages that can easily be detected as duplicates.

No Encaps Does not encapsulate vendor response (if the client requires

unencapsulated A-V pairs)

Old Chap For clients that perform pre-RFC CHAP.

3. Click Createto submit the newRADIUS client to the ServerManager.Click Cancel

to return to the Access Device screen without making any changes to your server configuration.

Modifying a RADIUS Client’s Properties

To modify the properties of an existing RADIUS client, complete the following steps:

1. In the Access Device screen, click correspondingto the client whose properties you want to edit.

The Modify Access Device screen appears similar to the one shown in Figure 7-2.

2. Edit the fields in the Access Device Attributes form. See Table 7-1 for more information on how to fill the form.

Modifying a RADIUS Client’s Properties 87

3. Click Modify to save changes.

Click Cancel to return to the Access Devices screen without saving any changes.

Deleting a RADIUS Client

To delete a RADIUS client, complete the following steps:

1. In the Access Device screen, click the icon corresponding to the RADIUS client you want to delete.

The Delete Access Device screen appears as shown in Figure 7-3. This screen allows you to preview the access device entry before you confirm deletion.

Figure 7-3 The Delete Access Device Screen

2. Click Delete to delete the RADIUS client. Click Cancel to return to the Access Devices screen without deleting the RADIUS client.

88 Configuring RADIUS Clients Using the Access Devices Screen

8 Configuring Realms

A realm is a group of users who share a common characteristic, such as being customers of the same Internet Service Provider (ISP). All users of a given realm are handled in the same way, either proxied to a remote server or locally authenticated using a specified method according to the authentication type assigned to the realm.

Using the Local Realms Screen

The Local Realms screen (shown in Figure 7-1) allows you to configure realms for the HP-UX AAARADIUS server by adding a new realm, modifying, or deleting an existing realm in the server’s authfile.

Figure 8-1 Server Manager’s Local Realms Screen

Adding a Realm

To add a realm entry, complete the following steps:

1. From the navigation tree, click Local Realms.

The Local Realms screen appears as shown in Figure 8-1.

2. To add a new realm, click the icon.

The Add Local Realm screen appears as shown in Figure 8-2.

Using the Local Realms Screen 89

Figure 8-2 Server Manager’s Local Realm Attributes Screen

3. Complete the form on the Local Realm Attributes screen according to the information given in Table 8-1.

Table 8-1 Fields in the Local Realm Attributes Form

Name

90 Configuring Realms

FunctionOption

Name of the realm that must be mapped. This name does not have to be a DNS host name. However HP recommends that the realm name match a domain name.The user willthen be able to recognize the user@realmsyntax that resembles their email address.

Table 8-1 Fields in the Local Realm Attributes Form (continued)

FunctionOption

Identifies the authentication method used for the realm:User

Authentication

Storage

• Enable EAP: Select this option if user authentication by an EAP challenge

is required. Select one or more EAP types.At least one authentication method must be selected. For PEAP (EAP-GTC), you must configure the NULL realm.

The PEAP version ‘0’ only checkbox is displayed if you select PEAP(EAP-GTC), PEAP(EAP-MSCHAP), or PEAP(EAP-MD5). Select this checkbox if your supplicant uses the PEAP version 0 protocol.

• Enable RADIUSStandard: Default. Selectthis option ifuser authentication

via password checking is required.

If Enable EAP and Enable RADIUS Standard are selected, authentication is carried out based on the Authentication-Type configuration attribute set in the RADIUS request.

To indicate the location where the AAA server must retrieve user profiles:User Profile

• users: Choose this option to store user information locally in AAA Server

flat files. Choosing this option allows you to administer user information with Server Manager. Server Manager can administer user information stored locally in the AAA Server flat files only.

• Database Access via SQL, LDAP, Oracle, or SecurID/ACE Server: Choose

this option if the user profile information is stored in an external database. See the individual chapters for more information.

• OS SecurityDatabase: HP-UX operating system HP-UXoperating systems

use a number of repositories or “databases” to store information about hosts, users, passwords, etc. User password lookup is performed through the name-service switch configured in /etc/nsswitch.conf. See the nsswitch.conf man page for more information.

• No Store: EAP-TLS Certificates: Choose this option if you are using TLS

and do not want to store user information. If you are using TLS, you are not required to store user information because the TLS certificates provide the user information needed for authentication.

• No Store: Allow All Users: Choose this option to allow all requests from a

realm.

• No Store: Deny All Users: Choose this option to deny all requests from a

realm.

User Storage Parameters

Alias

Identifies the location, access, and policy parameters for the selected User Profile Storage.

Optional. A paranthesized list of one or more aliases, delimited by commas. Each realm alias is equivalent to the realm name. An alias is provided for user convenience or other purposes, such as to save typing when logging on to your network. Aliases are allowed on wild card entries and are interpreted as meaning *.alias.

Adding a Realm 91

Table 8-1 Fields in the Local Realm Attributes Form (continued)

FunctionOption

Filter ID

Session Tracking

4. To add a new realm, click Create to submit the new realm to the Server Manager.

To return to the Realms screen without making any changes to your server configuration, click Cancel.

Modifying Realms

To modify the properties of an existing realm, complete the following steps:

1. From the navigation tree, click Local Realms.

The Local Realms screen appears as shown in Figure 8-1.

2. Click the icon corresponding to the realm whose properties you want to modify.

The Modify Local Realm screen appears similar to the screen shown in Figure 8-2.

3. Modify the properties on the Local Realm Attributes screen according to the information given in Table 8-1.

4. To submit changes to the realm entry to the Server Manager, click Modify.

To return to the Realms screen without making any changes to your server configuration, click Cancel.

Optional. Allows the specification of a packet filtername tobe associatedwith authentication through this realm name. It overrides any explicit filter name specified in a user profile.

Optional. Determines if session tracking is enabled for a realm. When you enable session tracking, accounting records are generated for a realm and active sessions can be searched using the Session option on the navigation tree.

NOTE: indicates that the configuration file cannot be modified using the Server

Manager. Edit the file manually using a command line editor.

Special Entries

There are a few special entries that you can use while configuring realms. Table 8-2 shows the various special entries you can use.

92 Configuring Realms

Table 8-2 Special Entries

When to UseSpecial Entries

Wildcard Entries

DEFAULT Realm

NULL Realm

Deleting a Realm

Complete the following steps to delete a realm:

When specifying the primary realm for an entry, you can use a wild card syntax such as *.realm. This syntax provides a shorthand for associating several related realms with a single authentication type. For example, a company may have several branches, eastern.company.com, western.company.com, and central.company.com. The wild card entry for that company would define *.company.com as the realm. This notation would include all three realms. HP recommends that any such wild card entry be listed after more specific entries. This order allows the preceding, specific entries to override the wild card entry.

The DEFAULT realm acts as a matching realm entry for all realms. By default, the DEFAULT realm is configured to authenticate against the default set of users. Disable the DEFAULT realm by choosing the No Store - Deny All Users option in the User Profile Storage drop-down list.

The Null realm authenticates users that do not identify their realm when requesting access (for example, the AAA server receives an access request from user, instead of user@organization.com). By default, the NULL realmis disabled with the No Store: Deny All Users setting.

Deleting a Realm 93

1. In the Local Realms screen, click the icon corresponding to the realm you want to delete.

The Delete Local Realm screen appears as shown in Figure 8-3. This screen allows you to preview the realm attributes before you confirm deletion.

Figure 8-3 The Delete Local Realm Screen

2. Click Delete to delete the realm. Click Cancel to return to the Local Realms screen without deleting the realm.

Configuring Realms for Authentication using an External Server

This section discusses how to configure realms for authentication using Database via SQL Access, Lightweight Directory Access Protocol (LDAP), Oracle authentication module, and SecureID/ACE server.

Configuring Realms for Database Access via SQL

A realm can be configured for Database Access via SQL only after setting up the HP-UX AAA Server to connect to the database and configuring the connection parameters and

94 Configuring Realms

SQL actions in sqlaccess.config. See Chapter 18: “SQL Access” (page 207) for details on setting up the HP-UX AAA Server for SQL Access.

Perform the following steps to configure the realm for Database Access via SQL.

1. From the navigation tree, click Local Realms.

2. On the Local Realms screen, click New Local Realm to open the Local Realm

Attributes screen.

3. In the Name field, enter the name of the realm for which the user profiles are stored in a database and accessed using the SQL Access feature.

The name does not have to be a DNS host name. However, HP recommends that you set the realm name to correspond with the domain name. This enables the user@realm syntax to resemble the e-mail address for all theusers in the domain.

4. In the User Profile Storage field, select Database Access via SQL.

The user storage parameters for Database Access via SQL are displayed as shown in.

Figure 8-4 User Storage Parameters for Database Access via SQL

5. In the User Storage Parameters Field, select one of the following options:

• RADIUS Attribute: Specify the RADIUS attribute in the

<vendorID>:<attribute> format. This RADIUS attribute must contain the SQL action used for authentication. If vendorID is not specified, 0 that corresponds to standard RADIUS attribute will be used.

NOTE: The <vendorID> component must be a value that is defined in the

vendors file and the <attribute> component must be a value that is defined

in the dictionary file.

• SQL Action Id: Select the SQL action from the drop-down list.

IMPORTANT: Ensure that the appropriate SQL action is selected from the

drop-down list. Selecting an incorrect SQL action can result in an authentication failure or unintentional changes to the database records.

6. Complete any remaining optional fields as necessary for your configuration.

7. Click Create. If the realm is successfully created, the Local Realms screen will list the new realm.

Configuring Realms for Authentication using an External Server 95

8. From the navigation tree, click Save Configuration

If you have multiple remote servers, you will be prompted to select and confirm the servers where the realm configuration will be applied.

Configuring Realms for LDAP

This sectiondiscusses how to configure realms for Lightweight Directory Access Protocol (LDAP). These realms can be configured only after setting up the LDAP server. See

Chapter 17: “LDAP Authentication” (page 204) for information on setting up an LDAP

server.

To configure each realm using LDAP, you must specify the directory server, search base, and other parameters necessary to find profiles for the users in the realm.

Complete the following steps to configure realms for LDAP:

1. From the navigation tree, click Local Realms.

2. On the Local Realms screen, click New Local Realm to open the Local Realm

Attributes screen.

3. In the Name field, enter the name of the realm to map to the defined LDAP location. This name does not have to be a DNS host name. However HP recommends that the realm name corresponds with the domain name. This way, the user recognizes the user@realm syntax which resembles their e-mail address.

4. In the User Authentication Field, select the authentication methods to authenticate users for the realm. If you are using TTLS-PAP, TTLS-MSCHAP, or TTLS-CHAP, select Enable RADIUS Standard. For all other methods, select Enable EAP and choose at least one EAP method from the drop-down list.

5. In the User Profile Storage field, select LDAP.

The user storage parameters for LDAP appear when you select LDAP from the User Profile Storage drop-down list. These parameters identify a section of the directory tree on one or more LDAP servers where the HP-UX AAA software will attempt to retrieve user profiles.

6. In the User Storage Parameters Field, select New LDAP Directory or the name of an existing LDAP Directory.

7. In the LDAP screen that appears, configure the LDAP directory using the information described in Table 8-3.

Table 8-3 Values for Configuring Realms for LDAP

Directory Name

96 Configuring Realms

DescriptionValue

Start of a directory configuration. Give a name to the directory, which can be an arbitrary string. If the name contains spaces or tabs, the string must be enclosed in single or double quotes.

Table 8-3 Values for Configuring Realms for LDAP (continued)

DescriptionValue

Host

Port (Optional)

Use SSL

Administrator

Password

Search Base

Name of the host on which the LDAP directory server runs. The value must be a fully qualified DNS name, although an IP address also works. Both traditional IP (IPv4) and IPv6 address formats are supported. The HP-UX AAA Server can resolve DNS name format entries to IPv4 and IPv6 addresses.

Enter an IPv4 addressin dotted-quad notation. Enter anIPv6 address in IPv6 Literal format notation. For example:

IPv4 address — 192.0.2.0

IPv6 address — fedc:ba98:7654:3210:fedc:ba98:7654:3210

Port number on which the directory server is running. Default value is 389.

Enables ordisables SSL connections between the HP-UX AAA Server and the LDAP directory. If you are enabling SSL, you must specify the server's CA certificate path or fully qualified file name in the Server Properties -> ProLDAP Properties window.

Special user ID used when an authenticated search is allowed on the LDAP directory server. This administrator does not need to be a real administrator of the LDAP directory server, but must have read access to all the users (and their passwords). Intended to be authenticated by the AAA server.

Password for Administratorto bind (authenticate) itself to the LDAP directory server.

Pointer into the directory where the search for users in a realm starts. Specifying a search base improves server performance by limiting the scope of search operations on user information for a particular realm. A search base contains a list of A-V pairs that trace a path from a location in the directory's schema to the top of the directory. For example, a search base of o=hp, c=US represents a search for one of the users on the following tree:

c=US ____________|_______ | o=hp ____________|____________________ | | | | uid=Joe uid=Bob uid=Dawn uid=Maria

The A-V pairs used depend on the schema of your particular directory server.

NOTE: Itis moreefficient to start your search lower in the directory

structure rather than higher. HP recommends that you eliminate spaces between Search Base components (i.e., instead of ou=abc,o=cde, c=us, use ou=abc,o=cde,c=us).

Configuring Realms for Authentication using an External Server 97

Table 8-3 Values for Configuring Realms for LDAP (continued)

DescriptionValue

Filter

Authentication Type • AUTO performs a search as the configured Administrator

Filter flag allows authentication to be based either on the LDAP uid attribute, which normally is CIS, or on the AAA Server User-Id attribute, which is normally BIN. User-Id is a AAA Server-specific RADIUS attribute. This optional flag defaults to uid.

IMPORTANT: With multiple LDAP directory servers, the Filter

used for lookups must be consistent across all directories specified for a particular realm. Potential filters are uid, User-Id or some other key that uniquely identifies a subject to be authenticated on the system. Currently, the LDAP module does not enforce the use of consistent filters, but using inconsistent filters may produce unpredictable authentication failures.

(searches anonymously if no administrator is configured), anticipating the password is in the result. It binds as the user if the password is not available. This mode makes the AAA server flexible in accommodating LDAP directories. If directories are configured to return passwords with search,AUTO is equivalent to SEARCH.

• BIND binds as the user for authentication.

• SEARCH performsa search as the configured Administrator and

expects the user's password in the search result.

8. In the LDAP screen, click Save.

9. Repeat steps 6 and 7 for each redundant directory you wish to use for failover.

10. Complete any remaining optional fields as necessary for your configuration.

11. Click Create.

12. From the navigation tree, click Save Configuration

If you have multiple remote servers you will be prompted to select and confirm which servers you wish to add the entry to.

Modifying a Directory Configuration

Complete the following steps to modify a directory configuration:

1. On the Local Realms screen, select the name of the directory definition you wish to modify.

2. Change the values if needed.

3. Click Modify.

Deleting a Directory Configuration

Complete the following steps to delete a directory configuration:

98 Configuring Realms

1. On the Local Realms screen, select the name of the directory definition you wish to delete.

2. Click Delete.

Tuning the AAA Server to LDAP Server Connection

The AAA server to LDAP server connection can be modified by adding the following entry to /etc/opt/aaa/aaa.config and then stopping and starting the server:

aatv.ProLDAP { Retry-Interval 60 Retry-Wait 1 Timeout 60 TCP-Timeout 3 Debug 0 }

• Retry-Interval sets the number of seconds for the AAA server to wait before trying

to reconnect to a LDAP directory server when a realm has failover directory servers configured. Default value is 60 seconds.

• Retry-Wait sets the number of seconds that the AAA server will wait before

attempting to connect to the same failover LDAP server. When all failover directory servers configured for a realm are down, the AAA server will try to reconnect to one every time an access request is received. In that situation, this parameter guarantees that the software does not spend too much time in trying to reconnect those directory servers. Default value is 1 second.

• Timeout sets the number of seconds that an LDAP connection will remain open

when the AAA server has not been able to successfully perform any successful LDAP operation. This parameter allows better handling of the situation where the LDAP directory times out client connections.

• TCP-Timeout sets the number of seconds that the AAA server will wait for an

LDAP server when trying to establish the Transmission Control Protocol (TCP) connection.

• Debug determines whether OpenLDAP debug messages should be written to the

AAA server radius.debug file. A value of 0 disables writing these messages; a value of -1 enables writing these messages. The syntax of this property follows a block syntax that is different from the other aaa.config variables.

Configuring Realms for Oracle

This section discusses how to configure realms for Oracle authentication. These realms can be configured only after setting up the Oracle database server. See Chapter 19:

“Oracle Authentication(Supported Using SQL Access)” (page 248) for more information

on setting up the Oracle database server for Oracle authentication.

To authenticate users stored in an Oracle database, you must configure the AAA server, run the db_srv daemon on each Oracle host machine, and configure one or more

Configuring Realms for Authentication using an External Server 99

Oracle databases with user information according to your requirements. See

“Configuring the Oracle Database ” (page 251) for information on how to configure

your Oracle database.

Configuring the HP-UX AAA Server Using Server Manager

For each realm using Oracle authentication, you must specify the Oracle server.

Complete the following steps to configure the HP-UX AAA Server Manager for Oracle authentication:

1. From the navigation tree, click Local Realms to open the Local Realms screen.

2. Click the New Realm link to open the Realm Attributes screen.

3. In the Name field, enter the name of the realm. This name does not have to be a DNS host name. However, HP recommends that the realm namecorresponds with the domain name. This way, the user recognizes the user@realm syntax that resembles their e-mail address.

4. In the User Profile Storage, select Oracle.

When you select Oracle from the User Profile Storage drop-down list, a drop-down list appears in the User Storage Parameters section of the form. This drop-down list allows you to create and modify Oracle configurations for the realm.

5. In the User Storage Parameters drop-down list, select New Oracle Server, or the name of an existing Oracle server.

6. Complete the Oracle Server screen (shown in Figure 8-5) that appears by specifying the host name or IP address of the Oracle server ( db_srvdaemon), followed by the port number that it uses.

Figure 8-5 New Oracle Server Screen

You can list an unlimited number of Oracle servers. However, in this context, you must use the appropriate number of servers based on the number of requests received, and machine performance. Each listed server must have a unique DNS name and port.

7. Repeat steps 6 and 7 for each redundant directory you wish to use.

100 Configuring Realms

HP HP-UX AAA Administrator's Guide

Specifications and Main Features

Frequently Asked Questions

User Manual

HP-UX AAA Server A.07.01 Administrator’s Guide

Table of Contents

About This Document

Intended Audience

New and Changed Information in This Edition

Document Organization

Publishing History

Typographic Conventions

HP-UX Release Name and Release Identifier

Related Information

HP Encourages Your Comments

Part I Introduction

1 Overview: The HP-UX AAA Server

RADIUS Topology

Establishing a RADIUS Session

Product Structure

HP-UX AAA Server Daemon, Libraries, and Utilities

HP-UX AAA Server Manager Program

Documentation

HP-UX AAA Server Architecture

Configuration Files

AATV Plug-Ins

The Software Engine: Finite State Machine

HP-UX AAA Server Commands, Utilities and Daemons

Handling an Access Request

Authentication to Verify the Client and User

Authorization to Control Sessions and Access to Services

Authorization Steps

Session Logs For Accounting

IPv6 Support for External Services

2 Upgrading to Version A.07.01

The HP-UX AAA Server Upgrade Process

Upgrading from Versions A.07.00, A.06.02, or A.06.01 to Version A.07.01

Upgrading from Version A.06.00.x to Version A.07.01

Upgrading from Version A.05.x to Version A.07.01

Merging the Dictionary File

Merging the radius.fsm File

Merging the vendors File

3 Installing and Securing the HP-UX AAA Server

Acquiring the HP-UX AAA Server Software

Installing and Uninstalling the HP-UX AAA Server

To Install the HP-UX AAA Server

To Uninstall the HP-UX AAA Server Software

HP-UX AAA Server File Locations

Securing the HP-UX AAA Server

Changing the Default HP-UX AAA Server Settings

Changing the Default Tomcat User Name and Password

Changing the Default RMI Objects Secret

Changing the Default test_user Settings

Changing the Default localhost Proxy Settings

Environment Specific Security Procedures

Using Secure Socket Layer (SSL) for Secured Remote Server Manager Administration

Creating a Tomcat Identity Specifically for the HP-UX AAA Server

Running the HP-UX AAA Server on Hosts with System Hardening Software

Running the HP-UX AAA Server as a Non-Root User

Setting Up the HP-UX AAA Server to Start as Non-Root User After Reboot

Accessing the Server Manager

Starting and Stopping the RMI Objects

Starting and Stopping Tomcat

62 Enabling the HP-UX AAA Server for GUI-based Administration

Testing the Installation

To Test the Installation

Starting AAA Servers Using Server Manager

AAA Server Start Options

Server Manager’s Reload Feature

Starting AAA Servers From the Command Line

Configuring the HP-UX AAA Server to Start Automatically Upon System Reboot

Stopping or Restarting HP-UX AAA Servers

Using Server Manager

From the Command Line

Adding an HP-UX AAA Server to Your Network

5 The HP-UX AAA Server Manager Interface

Commonly Used Icons in the GUI

6 Managing HP-UX AAA Servers

Using the Server Connections Screen

Adding a New Server