HP-UX AAA Server A.06.00
Getting Started Guide
HP-UX 11.0, 11i v1
Manufacturing Part Number: T1428-90026
E0403
U.S.A.
© Copyright 2003 Hewlett-Packard Company. .
Legal Notices
The information in this document is subject to change without notice.Hewlett-Packard makes
no warranty of any kind with regard to this manual, including, but not limited to, the implied
warranties of merchantability and fitness for a particular purpose. Hewlett-Packard shall not
be held liable for errors contained herein or direct, indirect, special, incidental or
consequential damages in connection with the furnishing, performance, or use of this
material.
Warranty. A copy of the specific warranty terms applicable to your Hewlett- Packard product
and replacement parts can be obtained from your local Sales and Service Office.
Restricted Rights Legend. Use, duplication or disclosure by the U.S. Government is subject
to restrictions as set forth in subparagraph (c) (1) (ii) of the Rights in Technical Data and
Computer Software clause at DFARS 252.227-7013 for DOD agencies, and subparagraphs (c)
(1) and (c) (2) of the Commercial Computer Software Restricted Rights clause at FAR
52.227-19 for other agencies.
HEWLETT-PACKARD COMPANY
3000 Hanover Street
Palo Alto, California 94304 U.S.A.
Use of this manual and flexible disk(s) or tape cartridge(s) supplied for this pack is restricted
to this product only.
Trademark Notices. UNIX is a registered trademark of The Open Group.
MC/ServiceGuard® is a registered trademark of Hewlett-Packard Company. ProLDAP™ is a
trademark of Interlink Networks, Inc. Microsoft is a U.S. registered trademark of Microsoft
Corporation.
Copyright Notices. ©copyright 1983-2003 Hewlett-Packard Company, all rights reserved.
Reproduction, adaptation, or translation of this document without prior written permission is
prohibited, except as allowed under the copyright laws. Parts of this document originally
published by Interlink Networks.
2003 Interlink Networks, Inc. All Rights Reserved. This document is copyrighted by
Interlink Networks Incorporated (Interlink Networks). The information contained within this
document is subject to change without notice. Interlink Networks does not guarantee the
accuracy of the information.
Interlink Networks, Inc.
5405 Data Court, Suite 300
Ann Arbor, MI 48108
www.interlinknetworks.com
ii
Contents
About This Document
1. Introduction to AAA Server
RADIUS Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
RADIUS Topology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Establishing a RADIUS Session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Supported Authentication Methods. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
RADIUS Data Packets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Shared Secret . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Product Structure. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8
AAA Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
AAA Server Manager Program . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Accessing the Server Manager. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
AAA Server Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Configuration Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
AATV Plug-Ins . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
The Software Engine: Finite State Machine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
HP-UX AAA Server Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
General Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Authentication Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Authorization Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Accounting Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Admin and Debug Tools/Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
2. Installation
System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
NAS Compatibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
LAN Access Device Compatibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Obtaining the HP-UX AAA Server Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Product Dependencies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Installation and Start-Up Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Installation and Start-Up Procedure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Running Server Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Starting and Stopping the RMI Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Starting and Stopping Server Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Changing Server Manager User Name and Password . . . . . . . . . . . . . . . . . . . . . . . 27
UnInstalling the HP-UX AAA Server Software. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Installation Defaults . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
iii
Contents
Commands, Utilities, & Daemons. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Testing the Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
3. Basic Configuration Tasks
Storing User Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Storing User Profiles in the Default Users File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Storing Wireless User Profiles Locally . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Grouping Users by Realm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Adding and Modifying Users. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Session Logging and Monitoring. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Viewing User Session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Viewing Server Logfiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Viewing Server Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
4. Glossary of Terms
iv
About This Document
This document provides an overview of the HP-UX AAA Server product
and explains how to install it. The document also provides basic
configuration steps to beginning tasks.
The document printing date and part number indicate the document’s
current edition. The printing date and part number will change when a
new edition is printed. Minor changes may be made at reprint without
changing the printing date. The document part number will change
when extensive changes are made.
Document updates may be issued between editions to correct errors or
document product changes. To ensure that you receive the updated or
new editions, you should subscribe to the appropriate product support
service. See your HP sales representative for details.
The latest version of this document can be found at
http://docs.hp.com on the Internet and Security Solutions page.
Intended Audience
This Getting Started Guide is designed for first-time and beginning
users of the HP-UX AAA Server. Its objective is to allow you to quickly
familiarize yourself with the basic functions of the product. Users should
be familiar with the HP-UX operating system before using this guide.
New and Changed Documentation in This
Edition
• The new product dependency is documented in this guide. The
HP-UX AAA Server now uses the HP-UX Tomcat-Based Serverlet
Engine component, as opposed to previously using the entire HP-UX
Apache Web Server product. The product number for the HP-UX
Tomcat-Based Serverlet Engine component is HPUXWST100001.
Download the HP-UX Tomcat-Based Serverlet Engine at
http://software.hp.com. See “Product Dependencies” for more
information.
• New steps for starting the Server Manager GUI. See “Installation
and Start-Up Procedure” for more information.
v
• “About This Document” content was removed from Chapter 1 in the
previous version of this guide, and now resides in the preface of this
guide.
Publishing History
The following table shows the printing history of this document. The first
entry in the table corresponds to this document, while previous releases
are listed in descending order.
Table 1 Getting Started Guide Printing History
Document
Part
Number
T1428-90026 0403 A.06.00.08 HP-UX 11.00, 11i v1
T1428-90015 0203 A.06.00.07 HP-UX 11.00, 11i v1
T1428-90002 0602 A.05.01.01 HP-UX 11.00, 11i v1
Document
Release Date
(month/year)
Supports
Software
Version
Supported OS
What’s in This Document
• Chapter 1, Introduction to AAA Server, contains an overview of
product features and basic information about using the server and
using it in AAA applications.
• Chapter 2, Installation, leads you through server installation,
testing the installation, and starting the Server Manager GUI.
• Chapter 3, Basic Configuration Tasks, contains procedures that lead
you through basic configuration and testing tasks.
Typographical Conventions
monospace Identifies files, daemons, or any other item that may
appear on screen
vi
italics Identifies titles of books, chapters, or sections
Document Advisories Different types of notes appear in the text to call
your attention to information of special importance. They are enclosed in
ruling lines with a header that indicates the type of note and its urgency.
NOTE Emphasizes or supplements parts of the text. You can disregard the
information in a note and still complete a task.
IMPORTANT Notes that provide information that are essential to completing a task.
CAUTION Describes an action that must be avoided or followed to prevent a loss of
data.
Related Documents
In addition to this Getting Started Guide, HP released the following
documents to support the HP-UX AAA Server A.06.00:
Table 2 Additional Documents
Document Title
HP-UX AAA Server A.06.00 Administration and
Authentication Guide
HP-UX AAA Server A.06.00.08 Release Notes T1428-90024
The Administration and Authentication Guide, and the Getting Started
are installed with the product at /opt/aaa/share/doc/. You can also
find these documents in the Server Manager’s Help menu. The most
recently released documentation for the HP-UX AAA Server is always
available at http://www.docs.hp.com on the Internet and Security
Solutions page.
Document
Part Number
T1428-90025
HP Encourages Your Comments
HP encourages your comments concerning this document. We are truly
committed to providing documentation that meets your needs.
vii
Please send comments to: netinfo_feedback@cup.hp.com
Please include document title, manufacturing part number, and any
comment, error found, or suggestion for improvement you have
concerning this document. Also, please include what we did right so we
can incorporate it into other documents.
viii
1 Introduction to AAA Server
This chapter contains an overview of product features and basic
information about using the HP-UX AAA Server.
Chapter 1 1
Introduction to AAA Server
RADIUS Overview
RADIUS Overview
The Remote Authentication Dial In User Service (RADIUS) protocol is
widely used and implemented to manage access to network services. It
defines a standard for information exchange between a Network Access
Server (NAS) and an authentication, authorization, and accounting
(AAA) server for performing authentication, authorization, and
accounting operations. A RADIUS AAA server can manage user profiles
for authentication (verifying user name and password), configuration
information that specifies the type of service to deliver, and policies to
enforce that may restrict user access.
RADIUS Topology
The RADIUS protocol follows client-server architecture. The client sends
user information to the RADIUS AAA server (in an Access-Request
message) and after receiving a reply from the server acts according to the
returned information. The RADIUS AAA server receives user requests
for access from the client, attempts to authenticate the user, and returns
the configuration information and polices to the client. The RADIUS
AAA server may be configured to authenticate an Access-Request locally
or to act as a proxy client and forward a request to another AAA server.
After forwarding a request, it handles the message exchanges between
the NAS and the remote server. A single server can be configured to
handle some requests locally and to forward proxy requests to remote
servers.
In Figure 1-1 on page 3 an example ISP uses four AAA servers to handle
user requests. Each user organization represents a logical grouping of
users (defined as a realm). Each user organization dials in to one of the
ISP’s servers through an assigned NAS, some of which are shared by the
same groups or realm. To provide appropriate service to a customer, the
server accesses user and policy information from a repository, which may
be integrated with the server, may be an external application, or a
database that interfaces with the server. For the HP-UX AAA RADIUS
and policy server the repository information may be stored in flat text
files or in an external database, such as an Oracle® database or LDAP
directory server.
Chapter 12
Figure 1-1 Generic AAA Network Topology
A forwarding server sends
proxied Access-Requests
to a remote server
AAA servers and NASs Users dial-in
exchange requests/replies to a NAS
AAA1.ISP.net
location: Ann Arbor
NAS1
Introduction to AAA Server
RADIUS Overview
A User
Organization
Repository
AAA4.ISP.net
location: Detroit
Repository
Repository
Repository
AAA2.ISP.net
location: Flint
AAA3.ISP.net
location: Kalamazoo
NAS2
NAS3
NAS4
B User
Organization
C User
Organization
D User
Organization
E User
Organization
F User
Organization
Chapter 1 3
Introduction to AAA Server
RADIUS Overview
Establishing a RADIUS Session
The handling of a user request is series of message exchanges that
attempts to provide the user with a network service by establishing a
session for the user. This transaction can be described as a series of
actions that exchange data packets containing information related to the
request. Figure 1-2, Client-Server RADIUS Transaction, illustrates the
details of the transaction between a RADIUS AAA server and a client (a
NAS in this example). When the user’s workstation connects to the
client, the client sends an Access-Request RADIUS data packet to the
AAA server.
Figure 1-2 Client-Server RADIUS Transaction
User
User Connects
Client
(NAS)
Access-Request
Access-Reject
AAA Server
User Disconnects
Accounting-Request (Start)
Session Starts
Session Ends
User Disconnected
When the server receives the request, it validates the sending client. If
the client is permitted to send requests to the server, the server will then
take information from the Access-Request and attempt to match the
request to a user profile. The profile will contain a list of requirements
that must be met to successfully authenticate the user. Authentication
usually includes verification of a password, but can also specify other
information, such as the port number of the client or the service type
that has been requested, that must be verified.
Or
Access-Accept
Accounting-Response
Accounting-Request (Stop)
Accounting-Response
Chapter 14
Introduction to AAA Server
RADIUS Overview
If all conditions are met, the server will send an Access-Accept packet to
the client; otherwise, the server will send an Access-Reject. An
Access-Accept data packet often includes authorization information that
specifies what services the user can access and other session
information, such as a timeout value that will indicate when the user
should be disconnected from the system.
When the client receives an Access-Accept packet, it will generate an
Accounting-Request to start the session and send the request to the
server. The Accounting-Request data packet describes the type of service
being delivered and the user that will use the service. The server will
respond with an Accounting-Response to acknowledge that the request
was successfully received and recorded. The user’s session will end when
the client generates an Accounting-Request—triggered by the user, by
the client, or an interruption in service—to stop the session. Again, the
server will acknowledge the Accounting-Request with an
Accounting-Response.
Supported Authentication Methods
The following list describes the authentication methods the HP-UX AAA
Server supports:
• Password Authentication Protocol (PAP) is not a strong
authentication method to establish a connection; passwords are sent
in clear text between the user and client. When used with RADIUS
for authentication, the messages exchanged between the client and
server to establish a PPP connection corresponds to Figure 1-2. This
authentication method is most appropriately used where a plaintext
password must be available to simulate a login at a remote host. In
such use, this method provides a similar level of security to the usual
user login at the remote host.
• Challenge-Handshake Authentication Protocol (CHAP) is a
stronger authentication protocol to establish a connection. When
used with RADIUS for authentication, the messages exchanged
between the client and server to establish a PPP connection is
similar to Figure 1-2. One difference, however, is that a challenge
occurs between the user and NAS before the NAS sends an
Access-Request. The user must respond by encrypting the challenge
(usually a random number) and returning the result. Authorized
users are equipped with special devices, like smart cards or software,
Chapter 1 5
Introduction to AAA Server
RADIUS Overview
which can calculate the correct response. The NAS will then forward
the challenge and the response in the Access-Request, which the
AAA server will use to authenticate the user.
• Microsoft Challenge-Handshake Authentication Protocol
(MS-CHAP) is an implementation of the CHAP protocol that
Microsoft created to authenticate remote Windows workstations. In
most respects, MS-CHAP is identical to CHAP, but there are some
differences. MS-CHAP is based on the encryption and hashing
algorithms used by Windows networks, and the MS-CHAP response
to a challenge is in a format optimized for compatibility with
Windows operating systems.
• Extensible Authentication Protocol (EAP) Like CHAP, EAP is a
more secure authentication protocol to establish a PPP connection
than PAP and offers more flexibility to handle authentication
requests with different encryption algorithms. It allows
authentication by encapsulating various types of authentication
exchanges, such as MD5. These EAP messages can be encapsulated
in the packets of other protocols, such as RADIUS, for compatibility
with a wide range of authentication mechanisms.Thisflexibility also
allows EAP to be implemented in a way (LEAP, for example) that is
more suitable for wireless and mobile environments than other
authentication protocols. EAP allows authentication to take place
directly between the user and server without the intervention by the
access device that occurs with CHAP.
NOTE EAP/TLS and EAP/TTLS functionality is not supported in the
HP-UX AAA Server A.06.00.
RADIUS Data Packets
The Access-Request and other RADIUS data packets contain a header
and a set of attribute-value (A-V) pairs, which are used by the server
during the AAA transaction. The RADIUS RFC 2865 defines how
vendors can extend the protocol. Encapsulation is the RFC defined way
of extending RADIUS. Conflicts can occur when the RFC is not followed.
In those cases, the server can map the attributes to unique internal
values for processing. For a full description of RADIUS attribute-value
pairs, see the Administrator’s Guide.
Chapter 16
Introduction to AAA Server
RADIUS Overview
Shared Secret
Encrypting the transmission of the User-Password in a request is
accomplished by a shared secret. The shared secret is used to sign
RADIUS data packets to ensure they are coming from a trusted source.
The shared secret is also used to encrypt user passwords with certain
authentication methods such as PAP. The HP-UX AAA Server uses the
clients configuration file to associate a secret to each client (or server)
that is authorized to make use of its services.
Chapter 1 7
Introduction to AAA Server
Product Structure
Product Structure
The HP-UX AAA Server, based on a client/server architecture, consists of
three components which may be installed independently:
• HP-UX AAA Server daemon, libraries, and utilities
• The AAA Server Manager is a program that performs administration
and configuration tasks from a client’s browser for one or more AAA
servers.
• AAA Server module for Oracle authentication
• Documentation
The exchange of configuration information between a remote AAA server
and the AAA Server Manager program is validated by a shared secret.
This secret is unique to the Server Manager and a remote AAA server.It
should not be the same secret used by a AAA server and the peers that it
communicates with. The exchange of information between a browser and
the client program is not validated or encrypted by default, although you
can configure HTTPS to secure this communication. Refer to the HP-UX
AAA Server Administration and Authentication Guide for more
information about configuring Server Manager to run over HTTPS.
NOTE To secure the communication between the Server Manager and the
HP-UX AAA Server, install the Server Manager and the HP-UX AAA
Server software inside a secure network.
AAA Servers
AAA server installations include the AAA server, which performs the
authentication, authorization, and accounting functions to process
requests, and RMI objects. The RMI objects establish a connection and
facilitate communication between the AAA server and the HP-UX
Tomcat-based Serverlet Engine.
Chapter 18
Introduction to AAA Server
Product Structure
AAA Server Manager Program
The AAA Server Manager utilizes the HP-UX Tomcat-based Serverlet
Engine to provide a configuration interface between a web browser and
one or more AAA servers. Server Manager is used for starting, stopping,
configuring, and modifying the servers. In addition, the program can
retrieve logged server sessions and accounting information for an
administrator.
Accessing the Server Manager
The Server Manager provides access to the AAA server management
functions and configuration files. From a remote client workstation,
administrators can access the AAA Server Manager interface through a
Web browser. An administrator can create a AAA configuration for
authenticating users and implementing authorization policies. In
addition to creating, modifying, and deleting entries in many of the
server’s configuration files,an administrator may start and stop the AAA
server, access the server’s status and system time, retrieve information
from accounting and session logs, and terminate sessions. You can access
the functions that perform these operations by selecting an item from the
Navigation Tree located in the left frame of the HTML page.
NOTE Some advanced features of the HP-UX AAA Server cannot be configured
through the Server Manager interface. Forexample,ifyouwanttodefine
policy or vendor-specific attributes, you must manually edit the
configuration files. Refer to the HP-UX AAA Server Administration and
Authentication Guide for more information.
Chapter 1 9
Introduction to AAA Server
Product Structure
Figure 1-3 The Server Manager User Interface
Browser Requirements for Server Manager
You need one of the following Web browsers to access the Server
Manager:
• Netscape® Navigator 4.76 (or higher)
• Microsoft® Internet Explorer 5.0.5 (or higher)
The browser preferences or Internet options should be set to always
compare loaded pages to cached pages. HP recommends these versions
because of known problems in earlier versions.
Chapter 110
Introduction to AAA Server
AAA Server Architecture
AAA Server Architecture
The HP-UX AAA Server Architecture consists of three primary
components:
• Configuration files. By editing these flat text files, with either the
Server Manager user interface or with a text editor, you can provide
the information necessary for the server to perform authentication,
authorization, and accounting requests for your system.
• AATV plug-ins perform discrete actions; such as initiating an
authentication request, replying to an authentication request, or
logging an accounting record.
• The software engine, which includes the Finite State Machine (FSM)
and some associated routines. At server startup, the finite state
machine reads instructions from a state table—by default the
/etc/opt/aaa/radius.fsm text file. The state table outlines what
AATV actions to call and what order to call them in.
When the server is initialized, it performs a few distinct operations. It
loads and initializes the AATV plug-ins, so that actions can be executed
when called by the finite state machine. It also reads the configuration
files to initialize the data required for the actions to execute according to
the application’s requirements.
Configuration Files
The HP-UX AAA Server reads data from the following configuration files installed
at /etc/opt/aaa/ by default:
Table 1-1 HP-UX AAA Server Configuration Files
File Description
clients Information about all RADIUS clients—name,
address, shared secret, type, etc.—that allows the
server to recognize and communicate with the
clients.
authfile Authentication typeparametersfordefined realms.
Chapter 1 11
Introduction to AAA Server
AAA Server Architecture
Table 1-1 HP-UX AAA Server Configuration Files
File Description
users Information about user IDs, passwords, and
check/deny/reply items.
realm The same information as the users file, but this
user information is associated with a particular
realm. These files are only necessary to perform
File type authentication for a defined realm.
Realms are recognized by the realm component of
the user’s Network Access Identifier, for example:
user@realm.com.
NOTE: This is a user generated file, it does not ship
with the product.
decision Policy information for user authorization and
session control based on any logical group that can
be defined with A-V pairs.
NOTE: This is a user generated file, it does not ship
with the product.
las.conf Defines services for session control based on
realms.
vendors Optional entries for vendor-specific behavior.
dictionary Defines all attributes and values that may be used
to build attribute-value (A-V) pairs that will be
recognizable by the server. These A-V pairs contain
information about requests and responses.This file
also contains definitions for all the authentication
types that the server recognizes.
log.config Specifies the predefined session log formats to use.
aaa.config Calls engine.config.
iaaaAgent.conf Specifies how often the AAA server’s SNMP
subagent will check to see if a master agent is
active.
Chapter 112
Introduction to AAA Server
AAA Server Architecture
Table 1-1 HP-UX AAA Server Configuration Files
File Description
EAP.authfile Used to configure EAP authentication for user
profiles.
db_srv.opt The configuration script for the db_srv
environment variables.
engine.config Called by aaa.conf, this file stores most of the
AAA server properties.
You can find out more information about these files by referring to the
HP-UX AAA Server Administration and Authentication Guide. Each
configuration file also contains comments with examples.
AATV Plug-Ins
Define actions to perform functions, such as authenticating requests,
authorizing,and logging. Built-in actions support authentication of users
from information in different storage methods.
The Software Engine: Finite State Machine
In the Finite State Machine, a request will transition through a series of
states, starting with a state that includes possible starting events. The
first action specified to be called in response to an initial authentication
request would return a value, an event that determines the next state to
transition to. Within each state, the next action is triggered by an event
(based on previous state and action and a value, typically ACK or NAK,
returned by the previous action), which in turn directs the flow of the
request to another state, until an End state is reached.
Chapter 1 13
Introduction to AAA Server
HP-UX AAA Server Features
HP-UX AAA Server Features
General Features
• Compliant with RADIUS protocol RFC 2865 and 2866 standards
• Supports multiple vendor NASs with a single server (multi-vendor
• Configurable dictionary that allows the definition of new vendors and
• Dictionary includes attributes from RFCs 2865, 2866, 2867, 2868,
• Vendor-specific attribute translation
• Configurable attribute-value pruning behavior (based on dictionary
• Various configurable (through aaa.config) internal queue and
dictionary that includes Nortel®, Cisco®, Lucent®, and others)
vendor-specific attributes and values
and 2869
and clients file definitions)
buffer sizes
• Persistent user session table and automatic recovery of session
information after a server reload occurs
• Engine support of loadable plug-in modules
Authentication Features
• Distributed authentication (proxy) by realms (RADIUS type
authentication)
• Support for PAP authentication protocol by all supported
authentication types
• Support for CHAP (clear text password required in the user profile)
• Support for MS-CHAP
• Support for EAP authentication for wireless LAN access points and
switches (including EAP-MD5 and EAP-LEAP)
• Authentication of users with profiles defined in a flat text file that
the server loads into memory (clear text or UNIX-style encrypted
passwords)
Chapter 114
Introduction to AAA Server
HP-UX AAA Server Features
• Authentication of users defined in a /etc/passwd file
• Authentication using multiple sets of user definition and realm
definition files (users and authfile files) keyed by network access
server (NAS)
• Supports multiple user definition (realm) files keyed by realm (File
type authentication)
• Authentication of users defined in an LDAP server (ProLDAP™ type
authentication), including support of {clear} indicator for clear text
passwords
• Authentication of users defined in an ORACLE database
• UNIX bigcrypt() for users defined in a flat file or LDAP directory
• Load balancing and failover when authenticating users stored in an
LDAP directory server or Oracle database
Authorization Features
• Support of simple authorization policy through check and deny
attribute-value pair items specified in users files
• Support for definition of reply item attribute-value pairs in a users
file
• Support of simple authorization policy through check and deny
attribute-value pair items specified in realm files (File type
authentication) or an LDAP directory server (ProLDAP type
authentication)
• Support for definition of reply item attribute-value pairs through
realm files, an LDAP directory server, or an Oracle database
• Support of complex authorization policy construction through
Boolean expressions with attribute-value pair operands
• Supports simultaneous session limitation by user and by realm
Accounting Features
• Generates Merit or Livingston reference accounting detail files
(accounting start and stop RADIUS messages from network access
server (NAS)), known as call detail records (CDR)
Chapter 1 15
Introduction to AAA Server
HP-UX AAA Server Features
• Supports distributed accounting (proxy) by realms (RADIUS type
• Merit format accounting session record reading utility included
Admin and Debug Tools/Features
• Server Manager Graphical User Interface (GUI) for managing
• Support for Simple Network Management Protocol (SNMP)
• Generates server activity logfiles, compressed daily
• Optional debug levels for greater server log output to help debug
• Packaged with a RADIUS protocol client (radpwtst) for testing and
• Packaged with a utility, (radcheck), to check status of server.
• Utility (sesstab) to help review the session table for active sessions
authentication)
(radrecord)
multiple AAA servers
problems
debugging
• Script (stopsession.sh) to terminate specific users sessions that
appear active to the server but are no longer active
• Script (las.test.sh) tests simultaneous session control to aid in
performance of session testing of the server
Chapter 116
2 Installation
This chapter leads you through the steps to install the HP-UX AAA
Server.
Chapter 2 17
Installation
System Requirements
System Requirements
To install and use this software, the following system specifications are
recommended:
• HP-UX 11.0 or 11i version 1UNIX operating systems
• Disk space: Operational requirements depend on the amount of
logging information to be maintained online. With a moderate dial-in
load, 1.0 GB should suffice for approximately six months.
• CPU speed: This depends on the frequency of incoming requests. The
transaction load affects what is required.
• Browser Compatibility: To access the Server Manager you need one
of the following Web browsers:
• Netscape® Navigator 4.76 (or higher)
• Microsoft® Internet Explorer 5.0.5 (or higher)
The browser preferences or Internet options should be set to always
compare loaded pages to cached pages.
IMPORTANT HP recommends using the browser versions specified above because
of known defects in earlier versions.
NAS Compatibility
The HP-UX AAA Server should operate with any NAS that adheres to
the RADIUS standard. The HP-UX AAA Server has been used
successfully in configurations with NASs from the following vendors:
• Avail
• Ascend/Lucent
• Bay Networks
• Cisco
• Cisco Aironet (software version 11.10 or higher)
• Computone
Chapter 218
Installation
System Requirements
• Compaq/DEC
• Livingston/Lucent
• Shiva/Intel
• Telebit
• Unisphere
• US Robotics/3COM
LAN Access Device Compatibility
The HP-UX AAA Server supports LAN switches and wireless LAN
Access points that follow the IETF standard for EAP with MD5, as well
as devices supporting the Cisco proprietary LEAP protocol.
Chapter 2 19
Installation
Obtaining the HP-UX AAA Server Software
Obtaining the HP-UX AAA Server Software
You can download the HP-UX AAA Server software at
http://software.hp.com on the Internet and Security Solutions page.
Product Dependencies
The following figure shows the components you must install to use the
HP-UX AAA Server:
Figure 2-1 HP-UX AAA Server Dependencies
Tomcat Serverlet
v 1.0.00.01
Java2 RTE 1.4.0.x
AAA Software
Browser
HTTP or
HTTPS
HP-UX 11.00 or 11i v1 Server
Chapter 220
Installation
Product Dependencies
You must have the following two software dependencies installed on your
system to use the HP-UX AAA Server:
• HP-UX SDK (product #T1456AA) containing Java2 RTE 1.4.0.x
• HP-UX Tomcat-based Serverlet Engine v 1.0.00.01 (product #
HPUXWST100001) or higher
You can get HP-UX SDK with Java2 RTE 1.4.0.x at:
http://www.hp.com/products1/unix/java/index.html
You can get the HP-UX Tomcat-based Serverlet Engine v 1.0.00.01 at:
http://software.hp.com/
IMPORTANT HP-UX AAA Server A.06.00 does not support any other version of Java
or Tomcat. You must use the versions specified above.
Chapter 2 21
Installation
Installation and Start-Up Overview
Installation and Start-Up Overview
The information in this section is to help you understand the sequence of
the installation and start-up steps, and the relationship between the
product dependencies and the HP-UX AAA Server software.
The following steps are an overview of the installation and start-up
procedure:
Step 1. Download and install the HP-UX AAA Server software from the Internet
and Security Solutions page at http://software.hp.com
Step 2. Start the RMI objects to allow the AAA server software to communicate
with Server Manager
Step 3. Configure and start the HP-UX Tomcat-based Serverlet Engine to allow
a web browser to connect to it
Step 4. Point your web browser to the AAA server to administer it using Server
Manager
Chapter 222
Installation and Start-Up Procedure
Installation and Start-Up Procedure
The following components are installed when you install the HP-UX
AAA Server:
• AAA Server binaries, libraries, and utilities
• RMI objects that facilitate communication from the AAA server to
Server Manager
• AAA server AATV module for authentication
Perform the following steps to install and start the HP-UX AAA server:
Step 1. Log in to your HP-UX 11.0 or 11i v1 system as root.
Step 2. Verify the product dependencies are installed:
# swlist |egrep “hpuxwsTomcat|T1456AA”
hpuxwsTomcat A.1.0.00.01 HP-UX Tomcat-based Servlet Engine
T1456AA 1.4.0.01.00 Java2 1.4 SDK for HP-UX
Installation
IMPORTANT Be sure you have the correct versions of the product dependencies
installed.
Step 3. If needed, install HP-UX SDK (product #T1456AA) containing Java2
RTE 1.4.0.x
Step 4. If needed, install the HP-UX Tomcat-based Serverlet Engine v 1.0.00.01
(product # HPUXWST100001) or higher
Step 5. Download the AAA Server depot file from www.software.hp.com and
move it to /tmp
Step 6. Verify you downloaded the file correctly: # swlist -d -s /tmp/<AAA
Server>.depot
Step 7. Stop any active Tomcat processes. Use
/opt/hpws/tomcat/bin/shutdown.sh to stop Tomcat.
Step 8. Install the AAA Server: # swinistall -s /tmp/<AAA Server>.depot
Chapter 2 23
Installation
Installation and Start-Up Procedure
NOTE If the installation is not successful, an error message is displayed. The
cause of the failure will appear at the end of /var/adm/sw/swagent.log
file.
Step 9. After installing the product, you will need to add the following RADIUS
authentication and accounting entries to the /etc/services file of your
server hardware:
# RADIUS protocol
radius 1812/udp
radacct 1813/udp
NOTE These RADIUS values are the server’s defaults and are specified in the
RADIUS RFC 2865.
Step 10. Edit the rmi.config.secret item in
/opt/hpws/tomcat/webapps/aaa/WEB-INF/gui.properties and
/opt/aaa/remotecontrol/rmiserver.properties so the two values
are the same. This matching secret value is for secure exchange of
information between Server Manager and the RMI objects.
IMPORTANT The rmi.config.secret you configure in
/opt/aaa/remotecontrol/rmiserver.properties for all your AAA
servers must be identical to rmi.config.secret in:
/opt/hpws/tomcat/webapps/aaa/WEB-INF/gui.properties
Step 11. Start the RMI Objects by going to the /opt/aaa/remotecontrol
directory and running the rmistart.sh script. See “Starting and
Stopping the RMI Objects” for more information.
Chapter 224
Installation
Installation and Start-Up Procedure
Step 12. Uncomment the following lines in /opt/hpws/tomcat/conf/web.xml:
Commented
<!-- The mapping for the invoker servlet -->
<!- <servlet-mapping>
<servlet-name>invoker</servlet-name>
<url-pattern>/servlet/*</url-pattern>
</servlet-mapping>
-->
Uncommented
<!-- The mapping for the invoker servlet -->
<servlet-mapping>
<servlet-name>invoker</servlet-name>
<url-pattern>/servlet/*</url-pattern>
</servlet-mapping>
Step 13. Configure the Server Manager user name and password. Open
/opt/hpws/tomcat/conf/tomcat-users.xml. Add your user name and
password in the following syntax:
<user username="specify" password="specify" roles="tomcat"/>
Enter your values where "specify" is in the previous example. See
“Changing Server Manager User Name and Password” for more
information.
Step 14. Start Server Manager. See “Starting and Stopping Server Manager” for
more information.
IMPORTANT Always restart Server Manager after making changes to any of the
HP-UX Tomcat-based Serverlet Engine configuration files.
Step 15. Point your browser to http://<IP-Address>:8081/aaa and log on to
Server Manager using the user name and password you specified in the
previous steps.
Chapter 2 25
Installation
Running Server Manager
Step 1. Login and cd to the remote control directory
Step 2. Enter /opt/aaa/remotecontrol/rmistart.sh to start the RMI objects
Step 3. Verify the RMI objects are running by checking port 7790 with:
Running Server Manager
The RMI objects must be started from the command line before HP-UX
AAA Servers can be started, stopped, and configured through the Server
Manager interface. Start the RMI objects to allow AAA Servers to
communicate with the Server Manager. Start the Server Manager to
allow the browser to connect to it.
Starting and Stopping the RMI Objects
(/opt/aaa/remotecontrol/).
or /opt/aaa/remotecontrol/rmistop.sh to stop the RMI objects.
$ netstat -a |grep 7790
Starting and Stopping Server Manager
Step 1. cd to /opt/hpws/tomcat/
Step 2. Execute $ export JAVA_HOME=/opt/java1.4
Step 3. Enter ./bin/startup.sh to start the Server Manager or
./bin/shutdown.sh to stop it.
Step 4. Verify Tomcatis running by checking port 8081 (Tomcat’s default port #):
$ netstat -a |grep 8081
When Tomcat is running, an administrator can access the graphic
interface through an Internet browser by entering
http://IP-Address:8081/aaa as the URL (IP-Address is the machine
that hosts the manager) or https://IP-Address:8443/aaa if you have
configured https. See the HP-UX AAA Server Administration and
Authentication Guide, section “Securing Server Manager
Communication with HTTPS” for more information about https).
When prompted by your web browser, enter the user name and password
you configured in /opt/hpws/tomcat/conf/tomcat-users.xml.
Chapter 226
Running Server Manager
Changing Server Manager User Name and Password
You can change the user name or password used to access the Server
Manager graphic interface.
Step 1. Go to /opt/hpws/tomcat/conf/tomcat-users.xml
Step 2. Change the following values to configure different user names and
passwords:
<user name=“New-UserName” password=“New-Password” roles=“tomcat” />
Step 3. Save tomcat-users.xml
Step 4. Restart the Tomcat. Refer to “Starting and Stopping Server Manager” for
more information.
NOTE You will be disconnected from the Server Manager interface if you
restart the Tomcat while logged-on to Server Manager. You will need to
log on to Server Manager again after restarting the Tomcat component.
Installation
Chapter 2 27
Installation
UnInstalling the HP-UX AAA Server Software
UnInstalling the HP-UX AAA Server Software
Use the following steps to uninstall the HP-UX AAA Server:
Step 1. If the radiusd and db_srv servers are running, stop the servers. Use the
following commands to determine if radiusd or db_srv processes are
active:
$ ps -ef |grep radiusd
$ ps -ef |grep db_srv
You can stop radiusd by killing the radiusd process ID
You can stop db_srv servers with the /opt/aaa/bin/stop_db_srv.sh
script.
Step 2. Remove all files residing in /var/opt/aaa subdirectories.
Logout anyone using HP-UX AAA Server administrator login “aaa”.
Step 3. As root user, enter “swremove T1428AA” or “swremove” at the command
prompt to invoke the standard HP-UX GUI to select T1428AA bundle for
removal. See the swremove man page for more information on this
command.
Chapter 228
Installation
Installation Defaults
Installation Defaults
The HP-UX AAA Server can be run as root user,however non-root user is
recommended.
A user and group, both named aaa, will be created during installation.
The HP-UX AAA Server can be run as non-root user, using the default
aaa user created during installation, or any other user who is part of the
aaa group.
IMPORTANT Do not remove the default login aaa and group aaa created during
installation, even if you prefer not to use them.
Table 2-1 File Locations Upon Installation
Directory File
/opt/aaa/aatv Server modules and plug-ins. The directory where the Actions are
placed.
/opt/aaa/bin Server daemons and utilities:
• db_srv: Oracle client daemon for authentication
• las.test.sh: script to create simulated sessions for testing
• radcheck: AAA Server test utility (like the ping command)
• raddbginc: controls server debug output
• radiusd: AAA Server executable
• radpwtst: AAA test client utility
• radrecord: reads and displays AAA Server session log files
• sesstab: print contents of the AAA Server session table file
• start_db_srv: script to start the Oracle client daemon
• stop_db_srv: script to stop the Oracle client daemon
• stopsession.sh: a script to manually stop an accounting
session
Chapter 2 29
Installation
Installation Defaults
Table 2-1 File Locations Upon Installation (Continued)
Directory File
/opt/aaa/examples/
config
/opt/aaa/examples/
oracle
/opt/aaa/examples/
proldap
/opt/aaa/lib Shared libraries:
/opt/aaa/newconfig Default configuration files. Files residing here are copied to
/opt/aaa/share/man
/man5 and ~/man1m
Finite state machine, group policy example files:
• *.fsm: sample finite state machine (FSM) tables
• *.grp: sample decision files
• create.sql: SQL script to create Oracle users table
• delete.sql: Sample SQL script to delete Oracle user records
• insert.sql: Sample SQL script to add Oracle user records
ProLDAP setup example files
• libradlib.sl: contains functions that interface with the
main server
• librpilib.sl: contains functions for programs and utilities,
such as radrecord
• libjniAgents.sl: contains functions for Server Manager.
/etc/opt/aaa directory during installation.
Directories where man pages are installed
Chapter 230
Table 2-1 File Locations Upon Installation (Continued)
Directory File
/etc/opt/aaa Configuration files:
• aaa.config: runtime and tunneling configuration file
• authfile: realm to authentication-type mapping file
• clients: client to shared secret mapping file
• db_srv.opt: configuration script for db_srv environment
variables
• dictionary: definition file required by radiusd
• las.conf: authorization and accounting configuration file
• log.config: session logging configuration file
• radius.fsm: external FSM table for the server
• users: holds user security profiles and reply items
• vendors: holds IANA numbers and other vendor specific
details
Installation
Installation Defaults
• engine.config: Called by aaa.conf, this file stores most of
the AAA server properties
• EAP.authfile: Used to configure EAP authentication for user
profiles
• iaaaAgent.conf: Specifies how often the AAA server’s SNMP
subagent will check to see if a master agent is active
• aaa.config.license: Do not alter this file
• RADIUS-ACC-SERVER-MIB.txt: Text file describing RADIUS
Accounting MIB definitions.
• RADIUS-AUTH-SERVER-MIB.txt: Text file describing RADIUS
Authentication MIB definitions.
Chapter 2 31
Installation
Installation Defaults
The following table lists the files generated during operation and located
in /var/opt/aaa/ by default:
Table 2-2 Files Generated During Operation
Directory File
/acct/session.yyyy-mm-dd.log Default session accounting logs, Merit style
/data/session.las Currently active sessions Session log file
/ipc/*.sm Shared memory files related to the interface used for
some authentication types.
IMPORTANT: Youmust not alter or delete the shared
memory (*.sm) files. The server will not operate
correctly if the files are changed or removed from the
ipc directory.
/logs/logfile The server log file
/logs/logfile.yyyymmdd Compressed daily or weekly log files
/radacct/* For session accounting logs in Livingston call detail
records directory style format (not generated by
default configuration)
/run/radius.pid Contains the process id (pid) for the server, etc.
Chapter 232
Installation
Commands, Utilities, & Daemons
Commands, Utilities, & Daemons
Table 2-3 Commands, Utilities, & Daemons
Command Description
db_srv The db_srv daemon performs Oracle database access operations for
authentication on behalf of one or more remote HP-UX AAA Servers.
radcheck Sends a RADIUS status and protocol requests to a AAA server and
display the replies. Receiving the reply confirms that the HP-UX
AAA Server is operational. radcheck can be invoked on any host by
any user, however the HP-UX AAA server will return more
information to registered clients.
raddbginc Sets debug logging level for currently running HP-UX AAA Server.
Turn debugging on and off or set the level of output while the AAA
Server is running.
radiusd A daemon process that services user authentication and accounting
requests from RADIUS clients. Authentication and accounting
requests come to radiusd in the form of UDP packets conforming to
the RADIUS protocol. It runs as a daemon that can be started from
the command line or through an inetd service. radiusd determines
the action to take when receiving RADIUS requests based upon a
finite state machine (FSM) loaded into memory when radiusd is
started. The FSM is configurable, but static after startup.
radpwtst A utility used to simulate a RADIUS client when troubleshooting or
validating configuration for the HP-UX AAA Server. It will prompt
for the user password (when not supplied by the -w option.) If the
request to the AAA server succeeds, radpwtst displays
authentication OK on standard output. Otherwise, radpwtst
displays userid authentication failed.
radrecord A utility to read and print HP-UX AAA server Merit format session
logs. The accounting information that is displayed includes the user
name, the total session time, the number of sessions, and the average
time per session.
sesstab Displays the currently active sessions for the HP-UX AAA Server.
start_db_srv.sh Script to start Oracle authentication client daemon db_srv.
Chapter 2 33
Installation
Commands, Utilities, & Daemons
Table 2-3 Commands, Utilities, & Daemons (Continued)
Command Description
stop_db_srv.sh Script to stop db_srv daemon and its child process(es).
stopsession.sh Script to manually stop an accounting session.
las.test.sh Script to create simulated sessions for testing.
Chapter 234
Installation
Testing the Installation
Testing the Installation
To quickly test the server installation, you will use Server Manager to
add a loopback connection to a AAA server, start the server, and then
check its status for a response. Use the following steps to test the server
installation:
Step 1. Follow the directions for “Running Server Manager” to start Server
Manager after installing the HP-UX AAA Server software.
Step 2. Select the Server Connections link from the Navigation Tree and then
select the Connect to Server link.
Step 3. Enter the values for your server in the Add Connection screen that
appears and select Create:
Name The identifying string of a remote server.
Domain Name or IP Address
The IP address (in dotted-quad notation) or valid
Domain Name System (DNS) host name of the AAA
server that the connection maps to.
Step 4. Verify the server is listed and selected in the Server Status frame.
Step 5. Select the Administration link from the Navigation Tree.
Step 6. Select the Start option.
Step 7. Verify the server started. A green “GO” icon in the Server Status frame
indicates the server is running.
Step 8. Verify the server is selected in the Server Status frame and then select
the Status option.
Step 9. Check Server Manager’s Message Frame for the status reply. The
following reply at the bottom of the Message Frame indicates the server
is running correctly:
“<server name> (port#)” is responding
If you did not receive this message, refer to the Troubleshooting chapter
in HP-UX AAA Server Administration and Authentication Guide. You
can also use this guide to learn different methods for testing your HP-UX
AAA Servers.
Chapter 2 35
Installation
Testing the Installation
Chapter 236
3 Basic Configuration Tasks
This chapter explains a few basic configuration tasks. Refer to the
HP-UX AAA Server Administration and Authentication Guide for
complete information on configuring the HP-UX AAA Server.
Chapter 3 37
Basic Configuration Tasks
Storing User Profiles
Step 1. Access the Server Manager.
Storing User Profiles
The user information that determines how an access request is
authenticated and authorized is configured in a profile as a set of A-V
pairs. These user profiles are grouped by realm and may be stored in flat
text files or an external source such as an Oracle database or and LDAP
server. Realms are recognized by the realm component of a user’s
Network Access Identifier. If you have a small AAA deployment without
several realm-specific configurations, you can define a default realm and
store it in the users file.
Storing User Profiles in the Default Users File
When the AAA server receives a request, before it checks for profiles
grouped by realms, it first checks the default users file for a matching
profile. Use the following steps to store user profiles in the default users
file:
Step 2. Load the configuration from the appropriate AAA server by selecting the
Load Configuration link from the Navigation Tree.
Step 3. Select the Users link from the Navigation Tree.
Step 4. Select the New User link.
Step 5. The User Attributes screen will appear. In the User Name text box, enter
the name of the user profile.
Step 6. In the Password text box, enter the value to match to the value to
compare to the Password attribute value in the request.
Step 7. You may enter values in the remaining fields to control the users session.
These fields are optional and correspond to RADIUS A-V pairs that are
explained in more detail in the HP-UX AAA Server Administration and
Authentication Guide.
Step 8. Select the Create button.
Step 9. Select Save Configuration from the Navigation Frame. If you have
multiple remote servers, you will prompted to select and confirm which
servers you wish to add the access device entry to.
Chapter 338
Basic Configuration Tasks
Storing User Profiles
CAUTION Save Configuration will save the entire server configuration (access
devices, proxies, local realms, users, and server properties) to the servers
you specify.
Storing Wireless User Profiles Locally
If you want to authenticate users with EAP, you will need to identify the
wireless access point (WAP), the users' realms, and the user profiles. For
more information about EAP, refer to the HP-UX AAA Server
Administration and Authentication Guide. Use the following steps to
store wireless user profiles locally:
Step 1. Select the Access Devices link
Step 2. Select the New access device link from the Access Device screen. The
Access Device Attributes screen appears.
Step 3. In the Name field identify the IP address or DNS name of the WAP.
Step 4. In the Shared secret field identify the encryption key, or shared secret,
between the WAP and the AAA server.
Step 5. From the Vendor drop-down list, select Generic or the WAP vendor if the
vendor appears in the vendors file.
Step 6. Select any of the Options check boxes to define additional instructions to
handle the Access-Request.
Step 7. Select the Create button.
Step 8. For each individual user that will be authenticated through EAP, you
will need to add a user profile to the RADIUS server. Select the Users
link.
Step 9. Select the New User link from the Users screen. The Users Attributes
screen appears.
Step 10. In the User Name field identify the user profile by user name and the
users realm (user@realm).
Step 11. From the Authentication Type drop-down list, select Realm.
Chapter 3 39
Basic Configuration Tasks
Storing User Profiles
Step 12. Complete any of the remaining optional fields as necessary for your
Step 13. Select the Create button.
Step 14. Repeat steps 8 to 13 for each user profile that you need to configure.
Step 15. For each realm using EAP, you must associate the realm name with the
Step 16. Select the New local realm link from the Local Realms screen. The Local
Step 17. In the Name field identify the name of the realm that will use EAP.
Step 18. From the Authentication Type drop-down list, select EAP as the
Step 19. From Extended Parameters select the EAP type(s) to use.
Step 20. Complete any of the remaining optional fields as necessary for your
Step 21. Select the Create button.
configuration.
type of EAP to perform. Select the Local Realms link.
Realm Attributes screen appears.
authentication type. The extended parameters for EAP will appear
configuration.
Step 22. Repeat steps 15 to 21 as necessary for your configuration.
Step 23. Select the Save Configuration link from the Navigation Frame. If you
have multiple remote servers, you will prompted to select and confirm
which servers you wish to add the access device entry to.
CAUTION Save Configuration will save the entire server configuration (access
devices, proxies, local realms, users, and server properties) to the servers
you specify.
Chapter 340
Basic Configuration Tasks
Storing User Profiles
Grouping Users by Realm
While the HP-UX AAA Server can authenticate an individual user, you
may want to authenticate and provision a group of users according to a
common criteria, like an authentication type. One method of grouping
users is according to the realm that they belong to. A realm is derived
from a user’s Network Access Identifier, for example: name@sample.com
where sample.com is the realm. Use the following steps to store user
profiles in a flat text file grouped by realm:
Step 1. Access Server Manager.
Step 2. Select the Local Realms link from the Navigation Tree and then select
the New local realm link
Step 3. In the Name field, enter the users realm.
Step 4. From the Authentication Type drop-down list, select File.
Step 5. In the DNS or filename text box, enter a name for the file that will store
the profiles. If the file does not already exist, it will automatically be
created when you save the realm definition.
NOTE You can configure different realms to save users profiles in the same file.
Step 6. Select the Create button.
Step 7. Return to the Local Realms screen to add user profiles to the realm.
Step 8. From the Local Realms screen, select the following icon for the realm
that you wish to add user profiles for:
Step 9. From the Users screen select the New User link.
Step 10. In the User Name text box, enter the name of the users profile.
Step 11. In the Password text box, enter the value to match to the value to
compare to the Password attribute value in the request.
Chapter 3 41
Basic Configuration Tasks
Storing User Profiles
Step 12. Youmay enter values in the remaining fields to control the users session.
These fields are optional and correspond to RADIUS A-V pairs that are
explained in more detail in the “A-V Pairs” chapter of HP-UX AAA Server
Administration and Authentication Guide.
Step 13. Select the Create button in the User Attributes screen.
Step 14. Repeat steps 9 to 13 for each user profile you wish to add to the realm.
Step 15. Repeat these steps to add additional realms and groups of users.
Step 16. Select Save Configuration from the Navigation Frame. If you have
multiple remote servers, you will prompted to select and confirm which
servers you wish to add the access device entry to.
CAUTION Save Configuration will save the entire server configuration (access
devices, proxies, local realms, users, and server properties) to the servers
you specify.
Chapter 342
Adding and Modifying Users
User profiles associate information with a user name for authentication
and authorization. This information is defined by attribute-value pairs.
The server configuration must include profiles for all the users that can
access services through the AAA server. If a user profile is not included
in the configuration, the server will reject the users access request.
Profiles may be stored in flat text files or an external source. The Users
screen allows you to add a new user,modify an existing user, or delete an
existing user from a text file. This screen is accessed by selecting the
Users link from the graphic interfaces Navigation Tree.
When adding a new user profile to the server configuration or modifying
an existing entry, you supply values for the user profile attributes
through a form’s fields. This form is tabbed according to groups of
attribute-value pairs. Initially, the General tab is active.
Figure 3-1 Server Manager’s General User Attributes
Basic Configuration Tasks
Adding and Modifying Users
Chapter 3 43
Basic Configuration Tasks
Adding and Modifying Users
User Name: Value to compare to the User-Name attribute value in
The remaining fields and tabs in Define Users screen allow you to specify
three types of user profile attributes: configuration items, check items,
and reply items.
Configuration Items:
Check Items: An optional list of zero or more attribute-value pairs,
the request. It must be less than 64 characters. &, “, ~,
\, /,%, $, ‘, and space characters may not be used.
These items indicate various AAA server-specific
attributes that the server can use to perform
authentication or authorization functions. A user
profile must include either the Password attribute or
the Authentication-Type and Server-Name attributes
(Server-Name is only required for some authentication
types and should be listed as a check item under the
Free tab.) Additional items are optional.
delimited by white space. These items indicate various
attribute values that the server will compare to the
corresponding attribute values in the Access-Request.
Reply Items: Reply items generally get returned to configure the
client for the user’s session. They include information
like PPP configuration values, the name of the host
that the user wishes to connect to, or an optional
packet filter name.
Each of the fields on the first four tabs (General, NAS/Login, Framed,
and Others) corresponds to an attribute that can be used in a user profile
as a check or reply item. When specifying attribute values through these
tabs, all A-V pairs that may ordinarily be used as either a check or a
reply item in a server configuration are automatically added as a reply
item, unless the Free tab is used.
There are many more attributes, including vendor-specific attributes,
that can be added to a user profile. The Free tab allows you to enter any
of these attributes in the Check and Reply list boxes.
Chapter 344
Adding and Modifying Users
Figure 3-2 Server Manager’s Free User Attributes Screen
Basic Configuration Tasks
To add attributes to the list boxes, follow the Attribute = Value syntax.
A-V pairs may be listed one per line. When adding a new user profile, you
select the Create button to submit it to the AAA Server Manager. When
modifying an existing profile, you select the Modify button to submit
changes to the user profile. In either case if each field contains a valid
value, the profile will be created or modified; otherwise, an error message
is displayed. You can always select the Cancel button and return to the
Users screen without making any changes to your server configuration.
Chapter 3 45
Basic Configuration Tasks
Session Logging and Monitoring
Session Logging and Monitoring
You can view the log files that record the details of each AAA transaction
or the session logs that record information about each user's session. You
can also access information for active sessions and manually terminate a
session if necessary.
These functions can be accessed by selecting the Maintenance menu
items from the Server Manager Navigation Tree. When you use any of
these functions, you will retrieve information from all servers selected in
the Server Manager’s Server Status section.
Viewing User Session
After a user is successfully authenticated and the AAA server sends an
Access-Accept, the access device will send an Accounting-Request
message to start the session. The AAA server stores information about
the session in an active session record. When the users session is
terminated, the client sends an Accounting-Request message to stop the
session. When a AAA server receives the stop message, it clears its active
record for the session and writes the session information to a file.Use the
following steps to display session information for a particular user:
Step 1. Through the Server Manager interface, select the Sessions link from the
Navigation Tree located in the left frame of the browser
Step 2. Enter search parameters in the Session Filter screen that appears.
Retrieved session will be restricted to the specified search parameters.
Figure 3-3 Sessions Search Filter Screen
Chapter 346
Basic Configuration Tasks
Session Logging and Monitoring
Step 3. Select the Display button. The AAA server manager will display a list of
active sessions.
Step 4. Select a session. The AAA server manager will display the attributes for
the selected session.
Step 5. Select the OK button when you are done reading the session.
Stopping a Session
This procedure is intended for sessions that were terminated on the
access device but are maintained as active by the AAA server.
Step 1. Follow the “Display a Session” procedure.
Step 2. Select the Stop button from the Session Attributes screen. The AAA
server will clear its record of the active session, but no action is taken by
the access device.
Chapter 3 47
Basic Configuration Tasks
Session Logging and Monitoring
Viewing Server Logfiles
The log file of the AAA server contains all the information concerning the
functioning of the server such as: start/stop of the server, all of the
RADIUS requests, and some internal events. The data is automatically
stored each day in a different file. They are available as long as the
corresponding files are still on the disk.
• /var/opt/aaa/logs/logfile: the server log file
• /var/opt/aaa/logs/logfile.yyyymmdd: compressed daily log file
Selecting the Server Logfile link in Server Manager’s Navigation Tree
allows you to retrieve information from log files.
Figure 3-4 Server Manager’s Logfile Screen
Chapter 348
Basic Configuration Tasks
Session Logging and Monitoring
Search Parameters
You can filter what dates and times to retrieve from the logfile.
Table 3-1 Filter Parameters for Searching Logfiles
Option Description
Begin (server time) The date and time of the session to begin retrieving data from.
End (server time) The date and time of the last session to retrieve data from.
User Limits the result of the search command to messages related to a
specific user. For example, you may wish to find why a user is not
able to authenticate.
Number of Messages Limits the result of the search command to the specified number of
messages.
NOTE You can filter what data to retrieve according to the type of messages. For
each message type, you indicate whether the message type should or
should not be retrieved by selecting the Yes or No radio buttons. Refer to
the HP-UX AAA Server Administration and Authentication Guide for
more information.
Chapter 3 49
Basic Configuration Tasks
Session Logging and Monitoring
Viewing Server Statistics
Selecting the Statistics link from Server Manager’s Navigation Tree
allows you to retrieve a count of events that occurred on the AAA server
within a time range. The statistics are displayed using a bar graph.
Figure 3-5 Server Manager’s Statistics Screen
Table 3-2 Statistic Search Parameters
Option Description
Begin (server time) The date and time of the session to begin retrieving data from.
End (server time) The date and time of the last session to retrieve data from.
Chapter 350
4 Glossary of Terms
AAA
Abbreviation for Authentication, Authorization, and
Accounting.
AAA Server
A software application that performs authentication,
authorization, and accounting functions.
Accounting
Logging session and usage information for session
control and billing purposes
Access-Accept
The AAA server returns an Access-Accept to the client
when an Access-Request is valid. The Access-Accept
will contain A-V pairs that specify what services the
authenticated user is authorized to use.
Glossary of Terms
Access-Challenge
The AAA server returns an Access-Challenge to the
client when it is necessary to issue a challenge that the
user must respond to. The client will resubmit the
request with the user-supplied information to the AAA
server.
Access-Reject
The AAA server returns an Access-Reject to the client
when an Access-Request is invalid.
Access-Request
Created by the client, the Access-Request contains A-V
Pairs,such as the user’s name, password, and ID of the
client. The client submits the Access-Request to an
AAA server. If the server can validate the client, the
server will attempt to match a user entry in its
database with information in the Access-Request to
authenticate the user.
Chapter 4 51
Glossary of Terms
Administrator
Special user, known by the system on which the AAA
server is running and is able to configure and to
manage the AAA server.
Application Service Provider
Third-party entities that manage and distribute
software-based services and solutions to customers
across a wide area network from a central data center,
abbreviated as ASP.
ASP
Application Service Provider.
Attribute-Value Pair
The RADIUS protocol defines things in terms of
attributes. Each attribute may take on one of a set of
values. When a RADIUS packet is exchanged among
clients and servers, one or more attributes and values
are sent pair wise from the client to the server. For the
AAA Server software, all valid attributes and values
are listed in the dictionary file, abbreviated as A-Vpair.
Authentication
The process of identifying and proving the identity of
an entity, for example, a user, a network client, or a
network server.
Authorization
The process of determining what types of activities is
permitted. Usually, authorization is in the context of
authentication; once users are authenticated, they may
be authorized different types of access or activity.
A-V Pair
Attribute-value pair.
Challenge Handshake Authentication Protocol
Log-in security procedure for dial-in access. Rather
than send an unencrypted password, a random number
is sent to the client as a challenge. The challenge is
one-way hashed with the password, and the result is
Chapter 452
sent back to the server. The server does the same with
its copy of the password and verifies that it gets the
same result to authenticate the user, abbreviated as
CHAP.
CHAP
See Challenge Handshake Authentication Protocol.
Client
NAS, proxy server, or other networking device that
uses the AAA server services to authenticate and
authorize users.
Common Open Policy Service
A query and response protocol that can be used to
exchange policy information between a policy server
(Policy Decision Point or PDP) and its clients (Policy
Enforcement Points or PEPs, such as a router),
abbreviated as COPS.
COPS
Glossary of Terms
See Common Open Policy Service.
Dialed Number Identification Service
Each request is authenticated locally or forwarded to a
remote server according to the number called to access
a network service.
DNIS
See Dialed Number Identification Service.
EAP
Extensible Authentication Protocol. Described in RFC
2284.
Finite State Machine
The Finite State Machine is the component of the AAA
Server software that controls the flow of access request
authentication and accounting request handling,
abbreviated as FSM.
Forwarding Server
Chapter 4 53
Glossary of Terms
The AAA server that receives an Access-Request from a
client and forwards that request to another AAA server
for authentication.
FSM
See Finite State Machine.
Hint
When a user requests access to a service of a specific
configuration, a client may provide this information in
an Access-Request as a hint to the AAA server. The
server may reject the request based on the hints or
supply the service as specified by the hints, by the
server’s configuration, or by a combination of the hints
and the server’s configuration.
IETF
See Internet Engineering Task Force.
Integrated Services Digital Network
A digital internet access line using copper phone lines.
Interlink
Used to connect multiple AAA servers in a fabric with
SLAs and to establish policies among them.
Internet Engineering Task Force
Internet standards setting organization.
Internet Protocol
A Layer 3 (network layer) protocol that contains
addressing information and some control information
that allows packets to be routed, abbreviated as IP.
Internet Research Task Force
A group associated with IETF focusing on research
rather than standards.
Internet Service Provider
Chapter 454
IP
IRTF
ISP
ISDN
LAS
Glossary of Terms
Communications service company that provides
Internet access and services to its customers. ISPs
range in size from small independents serving a local
calling area to large, established telecommunications
companies, abbreviated as ISP.
See Internet Protocol.
See Internet Research Task Force.
Internet service provider.
See Integrated Services Digital Network.
See Local Authorization Server.
LDAP
See Lightweight Directory Access Protocol.
Lightweight Directory Access Protocol
Used for directories providing naming, location,
management, security, and other services for Internet
networking, abbreviated as LDAP.
Lightweight Extensible Authentication Protocol
Supports and manages the dynamic Wired Equivalent
Privacy (WEP) key exchange between Cisco Aironet
802.11x wireless LAN clients and access points,
abbreviated as LEAP.
LEAP
See Lightweight Extensible Authentication Protocol.
Local Authorization Server
A local authorization server is the HP-UX SERVER
code that authorizes, accounts, and bill users based on
realms, abbreviated as LAS.
Chapter 4 55
Glossary of Terms
Microsoft Challenge-Handshake Authentication Protocol (MS-CHAP)
An implementation of the CHAP protocol that
Microsoft created to authenticate remote Windows
workstations. In most respects, MS-CHAP is identical
to CHAP, but there are a few differences. MS-CHAP is
based on the encryption and hashing algorithms used
by Windows networks, and the MS-CHAP response to a
challenge is in a format optimized for compatibility
with Windows operating systems.
NAS
See Network Access Server.
Navigation Tree
Refers to the navigation links on the left side of the
Server Manager GUI.
Network Access Server
A device that interfaces telephony circuits to the
network, abbreviated as NAS.
PAP
See Password Authentication Protocol.
Password Authentication Protocol
A simple password protocol that transmits a user name
and password across the network, unencrypted,
abbreviated as PAP.
Point-to-Point Protocol
The standard protocol for dial-up networking. The
family of standards covers many aspects including
authentication, encryption, compression, addressing,
multi-protocols, etc., abbreviated as PPP.
Policy
A very broadly used term. To the AAA server, it means
the conditionally applicable set of attribute-value pairs
that an AAA protocol, such as RADIUS, may support.
HP-UX SERVER policies are simple or complex
Chapter 456
PPP
Protocol
Proxy
Glossary of Terms
decisions that control the authentication,
authorization, and accounting process for a user's
access request.
See Point-to-Point Protocol.
A set of rules established between two devices to allow
communications to occur.
The mechanism that allows one system to mediate
between two other systems in response to protocol
requests. A RADIUS server can act as a proxy client
and forward an Access-Request to another AAA server
for authentication. As a proxy client, the server would
mediate the requests and replies between the client
where the Access-Request originated from and the
server that the request was forwarded to.
RADIUS
See Remote Access Dial In User Service.
RADIUS Client
A NAS or other device that sends requests to an AAA
server.
RAS
See Remote Access Server.
Realm
A realm is a logical group of users, who usually can be
authenticated using one particular method. Grouping
users into realms simplifies the management of those
users in a distributed environment. For example, an
ISP’s users may be from different organizations located
in different cities. Each organization already has one
way or another to authenticate its users and each
corresponds to a realm. Each realm would be
responsible for managing its users, providing
authentication and authorization for their access
Chapter 4 57
Glossary of Terms
requests.
A realm has a name that looks very much like a
domain name, but they bear different meanings.
Realms are only used by the AAA Server to determine
where an authentication request should be sent and
what kind of authentication to request, etc. Naming a
realm with its domain name simplifies things for the
users, since their access ids will then look the same as
their e-mail addresses. A realm may also have multiple
aliases, providing a way to shorten long realm names.
Remote Access Dial In User Service
An authentication and accounting protocol defined by
the IETF in a series of RFCs, abbreviated as RADIUS.
Remote Access Server
A service that allows remote clients running Microsoft
Windows or Windows NT to dial in to a network,
abbreviated as RAS.
Remote Server
In the context of a proxy Access-Request, the remote
server is the AAA server that receives the request from
the forwarding server.The remote server authenticates
the request and sends a reply to the forwarding server.
Request For Comment
The basis for an IETF standard, abbreviated as RFC.
RFC
See Request For Comment.
SAT
See Simultaneous Access Token.
Server Manager
A Web-based graphical user interface which provides
an interface between an administrator and the AAA
servers.In addition to creating,modifying, and deleting
entries in many of the server’s configuration files, an
administrator may start and stop the AAA server,
Chapter 458
Service
Glossary of Terms
access the server’s status and system time, retrieve
information from accounting and session logs, and
terminate sessions.
The RADIUS client provides a service to the dial-in
user, such as PPP or Telnet.
Chapter 4 59
Glossary of Terms
Session
Each service provided by the client to a dial-in user
constitutes a session, with the beginning of the session
defined as the point where service is first provided and
the end of the session defined as the point where
service is ended. A user may have multiple sessions in
parallel or series if the RADIUS client supports that
feature.
Simple Network Management Protocol (SNMP)
Provides a mechanism for a centrally located
management workstation to monitor the activity of
remote computers and network services.
Simultaneous Access Token
The concept of token helps define and enforce policies
in regard to modem pool sharing among various
participating institutions. A simultaneous access token
is required when a user accesses a non-priority modem.
Tokens are allocated to realms and are grouped into
pools. The total number of tokens a realm has is
defined by the HP-UX Server so that the LAS may
control simultaneous use, abbreviated as SAT.
SLA
SLS
Token
Token Pool
Tunneling
Service Level Agreement.
Service Level Specification.
See Simultaneous Access Token.
A token pool contains a number of tokens belonging to
some organization and having a given name. These
tokens may be shared among one or more realms.
A secure connection between a client workstation and
an intranet or other network, that provides a VPN to a
user. This connection may be a voluntary tunnel
Chapter 460
initiated by the client or a compulsory tunnel initiated
during authentication by a server or other dedicated
network equipment.
Users
Individuals whom the AAA server must authenticate
and authorize before by they can access an
organization’s service, such as Internet access through
an ISP.
VPN
See Virtual Private Network.
Virtual Private Network
A network service offered by public carriers in which
the user is provided a network that in many ways
appears as if it is a private network (user-unique
addressing, network management capabilities,
dynamic reconfiguration, etc.) but which, in fact, is
provided over the carrier's public network facilities,
abbreviated as VPN.
Glossary of Terms
Chapter 4 61
Glossary of Terms
Chapter 462
Loading...