HP-UX AAA Server A.07.01 Administrator’s Guide: HP-UX 11i v1, HP-UX 11i v2, and HP-UX 11i v3
HP Part Number: T1428-90068

Edition: Edition 9

Published: September 2008


Table of Contents

About This Document
Intended Audience
New and Changed Information in This Edition
Document Organization
Publishing History
Typographic Conventions
HP-UX Release Name and Release Identifier
Related Information
HP Encourages Your Comments
I Introduction
1 Overview: The HP-UX AAA Server
RADIUS Topology
Establishing a RADIUS Session
Product Structure
HP-UX AAA Server Daemon, Libraries, and Utilities
HP-UX AAA Server Manager Program
Documentation
HP-UX AAA Server Architecture
Configuration Files
AATV Plug-Ins
The Software Engine: Finite State Machine
HP-UX AAA Server Commands, Utilities and Daemons
Handling an Access Request
Authentication to Verify the Client and User
Authorization to Control Sessions and Access to Services
Session Logs For Accounting
IPv6 Support for External Services
2 Upgrading to Version A.07.01
The HP-UX AAA Server Upgrade Process
Upgrading from Versions A.07.00, A.06.02, or A.06.01 to Version A.07.01
Upgrading from Version A.06.00.x to Version A.07.01
Upgrading from Version A.05.x to Version A.07.01
Merging the Dictionary File
Merging the radius.fsm File
Merging the vendors File
3 Installing and Securing the HP-UX AAA Server
Acquiring the HP-UX AAA Server Software
Installing and Uninstalling the HP-UX AAA Server
To Install the HP-UX AAA Server
To Uninstall the HP-UX AAA Server Software
HP-UX AAA Server File Locations
Securing the HP-UX AAA Server
Changing the Default HP-UX AAA Server Settings
Environment Specific Security Procedures
4 Enabling the HP-UX AAA Server for GUI-based Administration
Accessing the Server Manager
Starting and Stopping the RMI Objects
Starting and Stopping Tomcat
Testing the Installation
To Test the Installation
Starting AAA Servers Using Server Manager
AAA Server Start Options
Server Manager’s Reload Feature
Starting AAA Servers From the Command Line
Configuring the HP-UX AAA Server to Start Automatically Upon System Reboot
Stopping or Restarting HP-UX AAA Servers
Using Server Manager
From the Command Line
Adding an HP-UX AAA Server to Your Network
II Configuring the HP-UX AAA Server Manager Using the Server Manager GUI
5 The HP-UX AAA Server Manager Interface
Commonly Used Icons in the GUI
6 Managing HP-UX AAA Servers
Using the Server Connections Screen
Adding a New Server
Modifying Connection Attributes
Deleting a Server Connection
Managing Multiple Servers
Loading and Saving Your Configuration
7 Configuring RADIUS Clients Using the Access Devices Screen
Navigating the Access Devices Screen
Adding a RADIUS Client
Modifying a RADIUS Client’s Properties
Deleting a RADIUS Client
8 Configuring Realms
Using the Local Realms Screen
Adding a Realm
Modifying Realms
Special Entries
Deleting a Realm
Configuring Realms for Authentication using an External Server
Configuring Realms for Database Access via SQL
Configuring Realms for LDAP
Configuring Realms for Oracle
Configuring a SecurID Realm
9 Configuring Proxies
Navigating the Proxy Screen
Changing the Default localhost Proxy Settings
Creating or Modifying a Proxy
Forwarding Authentication Requests From a Proxy Server
Forwarding Authentication Requests to a Remote Server
Changing RADIUS Port Numbers
Forwarding Requests to Alternate RADIUS Ports
Forwarding Accounting Requests
Proxying Authentication and Accounting Messages to the Same Server
Proxying Accounting Requests to a Central Server
Deleting a Proxy
10 Configuring Users
Navigating the Users Screen
Changing the Default test_user Settings
Adding a User Profile
Tabs on the Add Users Screen
Adding Users for SecurID Authentication
Modifying User Profiles
Deleting a User Profile
To Delete a User Profile From the Default users File
To Delete a User Profile in a Local Realms File
11 Modifying Server Properties
Navigating the Server Properties Screen
DHCP Relay Properties
DNS Updates Properties
Message Handling Properties
SNMP Properties
Enable SNMP Support
Tunneling Properties
Tunneling Reply Items (Optional)
Certificate Properties
File Size Properties
Maximum Logfile Size
Miscellaneous Properties
Permit Microsoft Client Authenticate As Computer
Local Users File Properties
ProLDAP Properties
12 Logging and Monitoring
Overview
Server Log Files
Using Server Manager to Retrieve Logfile Information
Using Server Manager to Retrieve Statistics
Accounting Log Files
Using Server Manager to Retrieve Accounting Logfiles
Format of Accounting Records in the Default Merit Style
Writing Livingston CDR Accounting Records
Changing the Accounting Log Filename
Changing the Accounting Log Rollover Interval
Rolling Over the Log File and Accounting Stream
III Advanced Configuration Information
13 Securing LAN Access With EAP
Overview
The Secure LAN Advisor
Preparing Your LAN
Determining the EAP Authentication Method to Use
Securing WLANs with the HP-UX AAA Server
Digital Certificate Administration
Using the “Self-Signed” Digital Certificates
Installing Your Own Digital Certificates and Keys
14 Managing Sessions
Session Logs
Displaying Session Attributes
Stopping a Session
Session Limits
Setting Limits on a User-by-User Basis
Setting Limits for Users on a Global Basis
15 Assigning IP Addresses
Assigning Static IP Addresses
To Assign a Static IP (IPv4) Address to a Profile in Flat Files
To Assign a Static IPv6 Address to a Profile in Flat Files
To Assign Static Traditional IP (IPv4) Addresses to a User Profile in an LDAP LDIF File
To Assign Static IPv6 Addresses to a User Profile in an LDAP LDIF File
Assigning Dynamic IP Addresses Using DHCP
16 OATH Standards-Based OTP Authentication
OTP and OATH Overview
HP-UX AAA Server and OATH Support
Components Required to Configure OTP Authentication
Configuring OTP Authentication on the HP-UX AAA Server
OTP Authentication Configuration Flowchart
Basic or Typical Configuration
Advanced Configuration
Predefined Mapping and Conversion Functions
Sample Configuration Files
IV Integrating the HP-UX AAA Server With External Services
17 LDAP Authentication
LDAP Server Compatibility
Related LDAP Documentation
Authentication with LDAP
Configuring the LDAP Server
18 SQL Access
SQL Access Overview
SQL Access Concepts
Implementing SQL Access
Sample Implementation Files
Pre-requisites for SQL Access
SQL Access Implementation Details
sqlaccess.config File Configuration
Advanced SQL Mapping Configuration
Administering Users and Tokens Stored in an SQL Database
Managing Users
Managing Users Using OTP to Authenticate
Viewing User and Token Statistics
Valid Token Status Values
Invoking the User Database Administration Manager Interface from Server Manager
19 Oracle Authentication (Supported Using SQL Access)
Related AATV Plug-In Modules And Processes
The db_srv Package
Oracle Compatibility
The Oracle Database Structure
The Oracle Information Model
Configuring the Oracle Database
Table Structure
Modifying the Table Structure
Supported Attributes
20 Simple Network Management Protocol (SNMP) Support
Setting Up SNMP to Monitor the HP-UX AAA Server
21 VPN Tunneling
Establishing a Tunnel for a User
22 Using DHCP
Required DHCP Server Features
Recommended DHCP Server Features
Defining DHCP Address Pools for Specific Users
To Associate an Address Pool with a User Profile in AAA Server Flat Files
To Associate an Address Pool with a User Profile in an LDAP LDIF File
Associating Address Pools with Realms and Other Conditions
23 Using SecurID
Authentication Of Users
Configuring SecurID Authentication
Configuring the AAA Server for RSA SecurID Authentication
Configuring the ACE/Server
Synchronizing the AAA Server with the ACE/Server
Related Documentation
V Customizing the HP-UX AAA Server
24 Customizing the HP-UX AAA Server Using the Finite State Machine
States
Using Xstring to call Policy
Using Xstring to Call an Alternate authfile
Event Names
Predefined Event Names
Creating New Names
Actions
FSM Tables
Custom State Tables
Tracking Versions
Examples
Interim Logging
Custom Logging Format
Proxy Accounting Messages
25 Customizing the HP-UX AAA Server Using Policies
Policy Overview
Defining a Policy in a Decision File
Action Commands
Attribute Specifications
Value Types
Supported Operators
Type Compatibility
Invoking a Policy
Invoking Policies Through Predefined Policy Hooks
Useful Attributes for Policy Conditions
Modifying the FSM for Specific Customizations
Sample Policy Implementations
Dynamic Access Control
DNIS Routing
26 Customizing the HP-UX AAA Server Using the SDK
SDK Overview
Migrating Plug-ins Created Using Previous Versions of the SDK
Prerequisites for Using the SDK
SDK Directory Structure
SDK Concepts
Overview of AATVs
AATV Components
Creating Plug-ins
Using AATVs to Create a Plug-in
Compiling and Loading a Plug-in
Testing and Debugging a Plug-in
VI Troubleshooting
27 Troubleshooting Overview
AAA Environment Components
HP-UX AAA Server Operation
Probable Causes for Failure
Configuration Problems
External Service Problems
Protocol Limitations
RADIUS Client and Supplicant Considerations
28 Troubleshooting Procedures
Troubleshooting Flowchart
Troubleshooting Flowchart Process
Troubleshooting the Server Manager Administration Utility
Common Problems With the Server Manager
Troubleshooting the HP-UX AAA Server
Troubleshooting HP-UX AAA Server Startup Problems
Troubleshooting an Unresponsive HP-UX AAA Server
Troubleshooting Access-Rejects from the HP-UX AAA Server
EAP Problems
Troubleshooting Provisioning Errors
29 Troubleshooting Resources
HP-UX AAA Server Troubleshooting Utilities
The radcheck Utility: For Checking the Server Status
The radpwtst Utility: For Testing Authentication
The raddbginc Utility: For Setting Debug Output Levels
The radsignal Utility: For Rolling Over the Debug Output to New Files
The HP-UX AAA Server Logfile and Debug File
The HP-UX AAA Server Logfile
The HP-UX AAA Server Debug File
30 Reporting Problems
Server Set Up Information
Server Manager Related Information
External Components
External Databases
SNMP Servers
DHCP Servers
OpenSSL
EAP Related Information
Clients
Access Points
VII Reference
31 Configuration Files
HUP Processing
The aaa.config File
Variables in the aaa.config File
OTP Authentication Related Configuration Items
The clients File
Prefixed Users and authfile
Wildcard Support for IPv4 and IPv6
The users File
Syntax of a User Entry
Syntax of IPv6 Attributes
With Tunneling
The dictionary File
Attribute Entries
Pruning Expressions
Value Entries
The las.conf File
LAS Session Timing Parameters
Token Pool Configuration
Realm Configuration
The vendors File
Syntax of a vendors File
The log.config File
Syntax of a Stream Entry
Default Entry
End Entry
Logging Multiple Streams
Examples
32 Attribute-Value Pairs
Specifying Attribute-Value Pairs
Attribute-Value Formats
Examples
Tagged Attributes
Attributes in User Profiles
Configuration Attributes
Check (and Deny) Items
Attributes Concerning the NAS
Policy Attributes
Other Attributes
Reply Items
General Attributes
Attributes Concerning Login Users
Attributes for Framed Users
Tunneling Attributes
Other Attributes
Attributes in Accounting Records
Additional Session Information
33 MIB Objects
MIB Objects
A Supported IETF RFCs
B Supported Authentication Methods
C RADIUS Data Packets
Data Packet Format
Attribute-Value Pair Format
D Header Files, Data Structures, and APIs in the HP-UX AAA Server SDK
Header Files and Data Structures in the SDK
APIs in the HP-UX AAA Server SDK
A-V Pair APIs
Authreq APIs
Logging APIs
Asynchronous Event and I/O APIs
Secondary APIs
E Syntax of the Decision Files in Earlier Versions of the HP-UX AAA Server
Expressions
Specifying Attributes in Group Entries
Dynamic Access Control
Internal Values
Using Indirection
Example Group Entries
DNIS.grp for DNIS Routing
DAC.grp for Dynamic Access Control
Glossary of Terms
Index

List of Figures

1-1 Typical AAA Network Topology
1-2 Client-Server RADIUS Transaction
1-3 Authentication Process
1-4 Default Action Sequence
1-5 Authentication Steps
1-6 Authorization Steps
4-1 Return Value After Successfully Starting a AAA Server
4-2 Server Manager’s Start Options Screen
4-3 Algorithm for Determining Which FSM to Load
5-1 The HP-UX AAA Server Manager User Interface
6-1 Server Manager’s Connected Server Screen
6-2 The Add Connection Screen
6-3 The Modify Connection Screen
6-4 The Delete Server Connections Screen
6-5 Server Manager’s Server Status Frame
6-6 Server Manager’s Load Configuration Screen
6-7 Server Manager’s Save Configuration Screen
7-1 Server Manager’s Access Device Screen
7-2 Server Manager’s Access Device Attributes Screen
7-3 The Delete Access Device Screen
8-1 Server Manager’s Local Realms Screen
8-2 Server Manager’s Local Realm Attributes Screen
8-3 The Delete Local Realm Screen
8-4 User Storage Parameters for Database Access via SQL
8-5 New Oracle Server Screen
9-1 Proxy Configuration
9-2 Server Manager’s Proxy Screen
9-3 Server Manager’s Proxy Attributes Screen
9-4 The Delete Proxy Screen
10-1 Server Manager’s Users Screen
10-2 The Add Users Screen
10-3 The Modify Users Screen
10-4 The Delete Users Screen
11-1 Server Manager’s Server Properties Screen
12-1 Server Manager’s Logfile Screen
12-2 Server Manager’s Statistics Screen
12-3 AAA Server Statistics Example
12-4 Accounting Logfile Search Screen in Server Manager
12-5 Detailed Accounting Record for a Selected User
13-1 The Secure LAN Advisor For Securing WLANs
13-2 Server Manager’s Certificate Properties Screen
14-1 Sessions Search Filter Screen
14-2 Example Return for a Sessions Search
14-3 Example of a Session’s Attributes
15-1 The Users Screen
15-2 The Framed User Attributes Form
15-3 The Users Screen
15-4 The Framed User Attributes Form
16-1 OATH Standards-Based OTP Authentication Flow and the HP-UX AAA Server
16-2 OTP Authentication Configuration Flowchart
16-3 Usage of Bit Masks to set OTP Authentication Actions
18-1 SQL Access Components
18-2 RADIUS Attribute to SQL Statement Mapping
18-3 The User Database Administration Manager
18-4 The Add User Screen
18-5 The Token Validate Screen
18-6 The Enroll Token Screen
18-7 The Synchronize Token Screen
18-8 The User Statistics Screen
19-1 Authentication Process with Oracle
19-2 Oracle Database Table Format
23-1 SecurID Add Client Screen
23-2 SecurID Edit Client Screen
24-1 Default FSM State Transitions
25-1 Flow of the Request Ingress Policy
25-2 Flow of the User Policy
25-3 Flow of the Reply Egress Policy
25-4 Flow of the Proxy Egress Policy
25-5 Flow of the Proxy Ingress Policy
26-1 SDK Plug-in Example
27-1 AAA Environment Components
27-2 HP-UX AAA Server Operation
28-1 Troubleshooting Flowchart
C-1 RADIUS Request/Reply Message Format
C-2 Attribute-Value Pair Format

List of Tables

HP-UX AAA Server Administrator’s Guide Printing History
HP-UX 11i Releases
1-1 Commands, Utilities, and Daemons
1-2 How Requests are Altered Using the proxy-egress and proxy-ingress Policies
3-1 File Locations Upon Installation
3-2 Files Generated During Operation
3-3 Ports Associated with RMI Objects that must be Configured
4-1 Server Start Options
4-2 radiusd Options
4-3 New Server Connection Screen Fields
6-1 Fields in the Connection Attributes Form
6-2 Icons in Server Manager’s Server Status Frame
7-1 Add Access Device Configuration Form Options
8-1 Fields in the Local Realm Attributes Form
8-2 Special Entries
8-3 Values for Configuring Realms for LDAP
8-4 Options
9-1 Proxy Configuration Options
9-2 Options for Forwarding Requests
9-3 Accounting Logging Options
10-1 General Attributes in the Add User Screen
11-1 DHCP Relay Properties
11-2 DNS Update Properties
11-3 Message Handling Properties
11-4 Certificate Path Properties
11-5 ProLDAP Properties
12-1 Filter Parameters for Searching Logfiles
12-2 Statistic Search Parameters
12-3 Accounting Logfile Search Parameters
12-4 Reasons Why The Record Was Generated
13-1 LAN Configuration Items
13-2 Supported EAP Methods and Their Features
16-1 Bit Masks to Configure OTP Authentication Tasks
16-2 Common OTP Authentication Actions
16-3 Attributes for Configuring OTP Authentication
16-4 System-Wide OTP Configuration Items
16-5 SQL actions and Stored Procedures that Support OTP Authentication
17-1 The HP-UX AAA Server LDAP Schema
18-1 The sqlaccess.config Sample File
18-2 Database Access Parameters
18-3 Input Mapping Data Types and Syntax
18-4 Output Mapping Data Types and Syntax
18-5 RAD Mapping Parameters
18-6 DBC Mapping Parameters
18-7 DBP Mapping Parameters
18-8 Pre-defined Mapping Functions
18-9 Pre-defined Conversion Functions
18-10 Fields in the Add Users Form
18-11 Fields in the Enroll Token Device Form
18-12 Fields in the Synchronize Token Form
18-13 Valid Token Status Values
19-1 Files Related to db_srv
19-2 AUTH_NET_USERS Table
24-1 Predefined Event Names
24-2 Available Actions
24-3 Predefined FSM Tables
25-1 Examples Illustrating the Use of the delete Command
25-2 Behavior of the insert Command in Various Scenarios
25-3 Examples Illustrating the Use of the insert Command
25-4 Examples Illustrating the Use of the modify Command
25-5 A-V Pair Expression Operators
25-6 Compatible Attribute Types
25-7 Attributes Typically Used in Policy Group Conditions and Replies
25-8 Interlink-specific Attributes Used by DAC
28-1 Common Problems with the Server Manager
28-2 Common Problems with HP-UX AAA Server Startup
28-3 Common Configuration Problems
28-4 External Service Failure Problems
28-5 Common Authentication Failure Problems
28-6 EAP Problems
29-1 Debugging Levels in the HP-UX AAA Server
31-1 Default LAS Session Timing Parameters
31-2 Information Recorded by LOG_V2_o
32-1 Reply Item Attributes
32-2 Session Termination Causes
33-1 MIB Objects and Definitions
A-1 Supported IETF RFCs
A-2 Additional IETF RFCs Supported by HP-UX AAA Server
A-3 AAA RFCs Supported by HP-UX AAA Server
C-1 RADIUS Request/Reply Message Format Description
C-2 Attribute Value Pair Format Description
D-1 Actions Performed as a Result of the loc_avp A-V Pair
D-2 Information Types
D-3 HP-UX AAA Server Debug Levels
D-4 Possible Values of the infotype Parameter
E-1 A-V Pair Expression Operators
E-2 A-V Pair Expression Examples
© Hewlett-Packard Development Company, L.P.