The HP-UX AAA Server
Architecture consists of three primary components:
Configuration
files. By editing these flat text files, you can provide the information necessary
for the server to perform authentication, authorization, and accounting requests
for your system.
AATV plug-ins perform
discrete actions; such as initiating an authentication request, replying
to an authentication request, or logging an accounting record.
The software
engine, which includes the Finite State Machine (FSM) and some associated routines.
At server startup, the finite state machine
reads instructions from a state table—by
default the /etc/opt/aaa/radius.fsm text file. The state table outlines
what AATV actions to call and what order to call them in.
 |
| |
|
 | NOTE: An SDK is available for the HP-UX AAA Server product.
Contact your HP sales representative for more information. |
|
| |
|
When the server is initialized, it performs a few distinct
operations. It loads and initializes the AATV plug-ins,
so that actions can be executed when called by the finite state
machine. It also reads the configuration files to initialize the
data required for the actions to execute according to the application’s
requirements.
Figure 1-7 “Authentication Process” illustrates the
general process of server initialization and response to an authentication
request.
Configuration
Files |
|
You can find out more information about editing these files
for different server configurations by completing the HP-UX AAA
Server Getting Started Guide and by referring to Chapter 18 “Configuration Files ”.
AATV
Plug-Ins |
|
An AATV plug-in defines the actions that perform
a variety of functions, including authenticating requests, authorization,
and logging. Built-in actions support authentication of
users from information by several different storage methods.
For a brief summary of some built-in actions, refer
to “Actions ”.
The
Software Engine: Finite State Machine |
|
The Finite State Machine controls the step-by-step process
that the server follows to process and respond to an authentication
request. The HP-UX AAA Server’s Finite State Machine is configurable,
providing flexibility to customize your server configuration without programming
software modules.
In the Finite State Machine, a request will
transition through a series of states, beginning with a state that
includes possible starting events. The action specified to be called
first in response to an initial authentication request will return
a value, an event that determines the next
state to transition to. Within each state, the next action is
triggered by an event (based on previous state and action and a
value, typically ACK or NAK, returned by the previous action), which
in turn directs the flow of the request to another state, until
an End state is reached.
Figure 1-8 “Default FSM State Transitions” shows
at a high level the process that occurs, as the result of a request,
in the finite state machine. The actions triggered during this process
read information from the server's configuration and from stored
user profiles and
policy, and then based
on this information they perform the server's authentication, authorization,
and accounting functions.
The server may be set up to do a variety of different functions
by modifying existing or creating new FSM state tables. For example,
interim accounting messages may be logged by calling the appropriate
module at a certain point in the authentication process.
More details of the Finite State Machine, including the syntax
that defines states and the event-action relationships,
are discussed in Chapter 17 “The Finite State
Machine (FSM) ”.
HP-UX AAA
Server Commands, Utilities & Daemons |
|
The following table provides an overview to the HP-UX AAA
Server commands, utilities and daemons. For more information, see Chapter 19 “Command Line Utilities”.
Table 1-3 Commands, Utilities, & Daemons
| Command | Description |
|---|
| db_srv | The db_srv daemon performs Oracle database
access operations for authentication on behalf of one or more remote
HP-UX AAA Servers. |
| radcheck | Sends a RADIUS status and protocol requests
to a AAA server and display the replies. Receiving the reply confirms
that the HP-UX AAA Server is operational. radcheck can be invoked
on any host by any user, however the HP-UX AAA server will return
more information to registered clients. |
| raddbginc | Sets debug logging level for currently running
HP-UX AAA Server. Turn debugging on and off or set the level of
output while the AAA Server is running. |
| radiusd | A daemon process that services user authentication
and accounting requests from RADIUS clients. Authentication and
accounting requests come to radiusd in the form of UDP packets conforming
to the RADIUS protocol. It runs as a daemon that can be started
from the command line or through an inetd service. radiusd determines
the action to take when receiving RADIUS requests based upon a finite state
machine (FSM) loaded into memory when radiusd is started. The FSM
is configurable, but static after startup. |
| radpwtst | A utility used to simulate a RADIUS client
when troubleshooting or validating configuration for the HP-UX AAA
Server. It will prompt for the user password (when not supplied
by the -w option.) If the request to the AAA server succeeds, radpwtst
displays authentication OK on standard output. Otherwise, radpwtst
displays userid authentication failed. |
| start_db_srv.sh | Script to start Oracle authentication client
daemon db_srv. |
| stop_db_srv.sh | Script to stop db_srv daemon and its child
process(es). |
| las.test.sh | Script to create simulated sessions for
testing. |
Printable version
