HP-UX AAA Server A.08.02.10 Administrator's Guide
HP-UX 11i v3
HP Part Number: T1428-90093
Published: November 2013
Edition: 13


© Copyright 2002, 2013 Hewlett-Packard Development Company, L.P.

Confidential computer software. Valid license required from HP for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor’s standard commercial license.

The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

UNIX is a registered trademark of The Open Group.

Oracle and Java are registered trademarks of Oracle and/or its affiliates.

Microsoft® and Windows® are U.S. registered trademarks of Microsoft Corporation.

OpenLDAP® is a registered trademark of the OpenLDAP Foundation.

Netscape Navigator™ is a registered trademark of Time Warner, Inc.

RED HAT™ is the registered trademark of Red Hat, Inc.

Contents

About This Document .... 16
  Intended Audience .... 16
  New and Changed Information in This Edition .... 16
  Document Organization .... 16
  HP Secure Development Lifecycle .... 17
  Publishing History .... 17
  Typographic Conventions .... 18
  HP-UX Release Name and Release Identifier .... 18
  Related Information .... 18
  HP Encourages Your Comments .... 18

I Introduction .... 20

1 Overview: The HP-UX AAA Server .... 23
  RADIUS Topology .... 23
  Establishing a RADIUS Session .... 24
  Product Structure .... 25
    HP-UX AAA Server Daemon, Libraries, and Utilities .... 25
    HP-UX AAA Server Manager Program .... 25
    Documentation .... 25
  HP-UX AAA Server Architecture .... 26
    Configuration Files .... 26
    AATV Plug-Ins .... 27
    The Software Engine: Finite State Machine .... 27
  HP-UX AAA Server Commands, Utilities and Daemons .... 27
  Handling an Access Request .... 27
    Authentication to Verify the Client and User .... 28
    Authorization to Control Sessions and Access to Services .... 30
      Authorization Steps .... 31
  Session Logs For Accounting .... 33
  IPv6 Support for External Services .... 33
    HP-UX AAA Server as a Client .... 33

2 Upgrading to Version A.08.02.10 .... 34
  The HP-UX AAA Server Upgrade Process .... 34
  Upgrading from Versions A.07.00, A.06.02, A.06.01, or A.07.01 to Version A.08.02.10 .... 34
  Upgrading from Version A.06.00.x to Version A.08.02.10 .... 35
  Upgrading from Version A.05.x to Version A.08.02.10 .... 37
  Merging the Dictionary File .... 37
  Merging the radius.fsm File .... 37
  Merging the vendors File .... 37

3 Installing and Securing the HP-UX AAA Server .... 38
  Acquiring the HP-UX AAA Server Software .... 38
  Installing and Uninstalling the HP-UX AAA Server .... 38
    To Install the HP-UX AAA Server .... 38
    To Uninstall the HP-UX AAA Server Software .... 39
  HP-UX AAA Server File Locations .... 39
  Securing the HP-UX AAA Server .... 43
    Changing the Default HP-UX AAA Server Settings .... 43
      Changing the Default Tomcat User Name and Password .... 43
      Changing the Default RMI Objects Secret .... 43
      Changing the Default test_user Settings .... 44

    Contents 3

      Changing the Default localhost Proxy Settings .... 44
    Environment Specific Security Procedures .... 44
      Using Secure Socket Layer (SSL) for Secured Remote Server Manager Administration .... 44
      Creating a Tomcat Identity Specifically for the HP-UX AAA Server .... 45
      Running the HP-UX AAA Server on Hosts with System Hardening Software .... 46
      Running the HP-UX AAA Server as a Non-Root User .... 46
      Setting Up the HP-UX AAA Server to Start as Non-Root User After Reboot .... 47

4 Enabling the HP-UX AAA Server for GUI-based Administration .... 49
  Accessing the Server Manager .... 49
    Starting and Stopping the RMI Objects .... 49
    Starting and Stopping Tomcat .... 50
  Testing the Installation .... 50
    To Test the Installation .... 50
  Starting HP-UX AAA Servers Using Server Manager .... 51
    AAA Server Start Options .... 52
    Server Manager’s Reload Feature .... 53
  Starting HP-UX AAA Servers From the Command Line .... 53
  Configuring the HP-UX AAA Server to Start Automatically Upon System Reboot .... 56
  Stopping or Restarting HP-UX AAA Servers .... 56
    Using Server Manager .... 56
    From the Command Line .... 56
  Adding an HP-UX AAA Server to Your Network .... 56

II Configuring the HP-UX AAA Server Manager Using the Server Manager GUI .... 58

5 The HP-UX AAA Server Manager Interface .... 61
  Commonly Used Icons in the GUI .... 61

6 Managing HP-UX AAA Servers .... 63
  Using the Server Connections Screen .... 63
  Adding a New Server Connection .... 63
  Modifying Connection Attributes .... 64
  Deleting a Server Connection .... 65
  Managing Multiple Servers .... 65
  Loading and Saving Your Configuration .... 66
    Loading and Saving Your Configuration Using RMI Server .... 66
    Enhancing Loading and Saving Performance Using Secure Copy Protocol .... 67
    Setting up Key-Based Authentication .... 68
      Creating a Public-Private key set with ssh-keygen .... 68
      Sharing the Public key with Remote Hosts .... 68
    Verifying Key-Based Authentication .... 69

7 Configuring RADIUS Clients Using the Access Devices Screen .... 70
  Navigating the Access Devices Screen .... 70
  Adding a RADIUS Client .... 70
  Modifying a RADIUS Client’s Properties .... 72
  Deleting a RADIUS Client .... 72

8 Configuring Realms .... 73
  Using the Local Realms Screen .... 73
  Adding a Realm .... 73
  Modifying Realms .... 75
  Special Entries .... 76
  Deleting a Realm .... 76
  Configuring Realms for Authentication using an External Server .... 77
    Configuring Realms for Database Access via SQL .... 77


    Configuring Realms for LDAP .... 78
      Modifying a Directory Configuration .... 80
      Deleting a Directory Configuration .... 80
      Tuning the AAA Server to LDAP Server Connection .... 80

9 Configuring Proxies .... 82
  Navigating the Proxy Screen .... 82
  Changing the Default localhost Proxy Settings .... 82
  Creating or Modifying a Proxy .... 83
  Forwarding Authentication and Dynamic Authorization Requests From a Proxy Server .... 85
    Forwarding Authentication Requests to a Remote Server .... 86
  Changing RADIUS Port Numbers .... 86
    Forwarding Requests to Alternate RADIUS Ports .... 86
  Forwarding Accounting Requests .... 86
  Proxying Authentication and Accounting Messages to the Same Server .... 87
  Proxying Accounting Requests to a Central Server .... 87
  Deleting a Proxy .... 88

10 Configuring Users .... 89
  Navigating the Users Screen .... 89
  Changing the Default test_user Settings .... 89
  Adding a User Profile .... 89
    Tabs on the Add Users Screen .... 91
      Specifying Attributes Using the Free Attributes Pane .... 91
  Modifying User Profiles .... 91
  Deleting a User Profile .... 92
    To Delete a User Profile From the Default users File .... 92
    To Delete a User Profile in a Local Realms File .... 93

11 Modifying Server Properties .... 94
  Navigating the Server Properties Screen .... 94
  DHCP Relay Properties .... 94
  DNS Updates Properties .... 95
  Message Handling Properties .... 95
  SNMP Properties .... 96
    Enable SNMP Support .... 96
  Tunneling Properties .... 96
    Tunneling Reply Items (Optional) .... 96
  Certificate Properties .... 97
  File Size Properties .... 97
    Maximum Logfile Size .... 97
  Miscellaneous Properties .... 97
    Permit Microsoft Client Authenticate As Computer .... 97
  Local Users File Properties .... 98
  ProLDAP Properties .... 98
  AAA Server As A Client Properties .... 98
  Client Action Properties .... 99

12 Logging and Monitoring .... 100
  Overview .... 100
  Server Log Files .... 100
    Using Server Manager to Retrieve Logfile Information .... 100
      Search Parameters .... 101
      Message Types .... 101
    Using Server Manager to Retrieve Statistics .... 101
  Accounting Log Files .... 102
    Using Server Manager to Retrieve Accounting Logfiles .... 102


    Format of Accounting Records in the Default Merit Style .... 103
      Time-Based Values .... 104
      Client A-V Pairs .... 104
      User Entry A-V Pairs .... 104
      Session Tracking .... 104
    Writing Livingston CDR Accounting Records .... 105
      Livingston CDR Session Record Format .... 105
    Changing the Accounting Log Filename .... 106
    Changing the Accounting Log Rollover Interval .... 106
    Rolling Over the Log File and Accounting Stream and Setting the Log Level .... 106

III Advanced Configuration Information .... 108

13 Securing LAN Access With EAP .... 113
  Overview .... 113
    The Secure LAN Advisor .... 113
  Preparing Your LAN .... 114
  Determining the EAP Authentication Method to Use .... 114
  Securing WLANs with the HP-UX AAA Server .... 116
  Digital Certificate Administration .... 116
    Using the “Self-Signed” Digital Certificates .... 117
    Installing Your Own Digital Certificates and Keys .... 117
      Installing Server Certificates and Keys .... 118
      Installing Client Certificates and Keys .... 118
      Defining Certificate Locations on the HP-UX AAA Server .... 118

14 Managing Sessions .... 120
  Session Logs .... 120
    Displaying Session Attributes .... 120
    Stopping a Session .... 121
  Session Limits .... 121
    Setting Limits on a User-by-User Basis .... 121
      Setting Timeout Values .... 121
      Establishing a Filter .... 121
      Limiting Access Points (NAS-Port, NAS-ID, Calling-Station ID, and others) .... 122
      Denying Access (Called-Station-ID and others) .... 122
      Limiting Simultaneous Sessions .... 122
    Setting Limits for Users on a Global Basis .... 123
      Setting Limits for All User Profiles Grouped by Realms .... 123

15 Assigning IP Addresses .... 124
  Assigning Static IP Addresses .... 124
    To Assign a Static IP (IPv4) Address to a Profile in Flat Files .... 124
    To Assign a Static IPv6 Address to a Profile in Flat Files .... 125
    To Assign Static Traditional IP (IPv4) Addresses to a User Profile in an LDAP LDIF File .... 126
    To Assign Static IPv6 Addresses to a User Profile in an LDAP LDIF File .... 126
  Assigning Dynamic IP Addresses Using DHCP .... 127

16 OATH Standards-Based OTP Authentication .... 128
  OTP and OATH Overview .... 128
  HP-UX AAA Server and OATH Support .... 129
  Supported OTP Functions for RADIUS Standard Password (PAP) and MS-CHAP v2 .... 130
  Components Required to Configure OTP Authentication .... 131
  Configuring OTP Authentication on the HP-UX AAA Server .... 131
    OTP Authentication Configuration Flowchart .... 131
    Basic or Typical Configuration .... 134
    Advanced Configuration .... 135


      Advanced OTP Authentication Configuration Concepts .... 135
        Attributes for Configuring OTP Authentication .... 138
      Advanced Deployment Scenarios .... 143
        Validating OTP Alone .... 143
        Configuring Two-Factor Authentication .... 145
        OTP or Password Validation at External RADIUS Server .... 151
    Predefined Mapping and Conversion Functions .... 156
    Sample Configuration Files .... 157
      The sqlaccess.config Sample File .... 157
      Sample Policy Files .... 159
        The oath-request-ingress.grp Sample File .... 159
        The oath-reply-egress.grp Sample File .... 159
        The oath-proxy-egress.grp Sample File .... 160

17 Configuring EAP-SIM and EAP-AKA Authentication Methods .... 161
  EAP-SIM .... 161
    Overview .... 161
    EAP-SIM Authentication Using HP-UX AAA Server .... 161
    Features .... 163
    Benefits .... 164
    Configuring EAP SIM .... 164
      EAP-SIM Client Configuration .... 164
      EAP-SIM User Credential Lookup Configuration .... 164
      EAP-SIM Realm-Based Configurations .... 165
        Realm-Based EAP-SIM Configuration Information in authfile .... 165
        Realm-Based EAP-SIM Configuration Information in EAP.authfile .... 167
      Global EAP-SIM Configuration in aaa.config .... 169
  EAP-AKA .... 170
    Overview .... 170
    EAP-AKA Authentication Using HP-UX AAA Server .... 170
    Features .... 171
    Benefits .... 172
    Configuring EAP-AKA .... 172
      EAP-AKA Client Configuration .... 172
      EAP-AKA User Credential Lookup Configuration .... 172
      EAP-AKA Realm-Based Configurations .... 173
        Realm-Based EAP-AKA Configuration Information in authfile .... 173
        Realm-Based EAP-AKA Configuration Information in EAP.authfile .... 174
      Global EAP-AKA Configuration in aaa.config .... 178
  Fast Re-Authentication .... 179
    Configuring for Fast Re-Authentication .... 179
      Configuring for Fast Re-Authentication in EAP.authfile .... 180
        Sample EAP.authfile Configuration for Fast Re-authentication .... 181
      Configuring for Fast Re-Authentication in aaa.config File .... 181
        Sample aaa.config Configuration for Fast Re-authentication .... 182
    Guidelines to Write EAP-SIM and EAP-AKA Fast Re-Authentication Database AATVs .... 182
      Fast Re-Authentication Database Update AATV .... 183
        Update AATV Inputs .... 183
        Update AATV Outputs .... 183
        AATV Functionality and Return Events .... 183
      Fast Re-Authentication Database Lookup AATV .... 184
        Lookup AATV Inputs .... 184
        Lookup AATV Outputs .... 184
        Lookup AATV Functionality and Return Events .... 185
  Pseudonym Identities .... 185

    Contents 7

        Random Pseudonyms........................................................................185
        Algorithm-Based Pseudonyms...............................................................185
        Configuring for Pseudonym Identity Support...............................................187
            Sample EAP.authfile Configuration for Random Pseudonym Identity Support..............188
            Sample EAP.authfile Configuration for Algorithm-based Pseudonym Identity Support.....189
            Sample aaa.config Configuration for Algorithm-based Pseudonym Identity Support.......190
        Guidelines to Write EAP-SIM and EAP-AKA Pseudonym Database AATVs.........................190
            Pseudonym Database Update AATV.......................................................191
                Update AATV Inputs...............................................................191
                Update AATV Outputs..............................................................191
                AATV Functionality and Return Events.............................................191
            Pseudonym Database Lookup AATV.......................................................192
                Lookup AATV Inputs...............................................................192
                Lookup AATV Outputs..............................................................192
                Lookup AATV Functionality and Return Events......................................194
    Generating Authentication Vectors Using A3, A8, and AKA Algorithms...........................194
        3GPP Milenage A3, A8, and AKA Algorithm..................................................195

18 Configuring HP-UX AAA Server for Scalability and High-Availability............................198
    Overview.....................................................................................198
    Scalability and High-Availability Concepts...................................................198
        Grouping HP-UX AAA Servers...............................................................198
        HP-UX AAA Server Attributes..............................................................199
    HP-UX AAA Server Deployment for Scalability and High-Availability............................199
    Managing Multiple HP-UX AAA Servers For Scalability and High-Availability....................200
        Administering HP-UX AAA Servers Using HP-UX AAA Server Manager...........................200
            Logging In...........................................................................201
            Adding a Group.......................................................................201
            Modifying a Group....................................................................202
            Deleting a Group.....................................................................202
            Adding a Server......................................................................202
            Modifying a Server...................................................................205
            Deleting a Server....................................................................206
            Cloning a Server.....................................................................206
        Administering HP-UX AAA Servers Using HP-UX AAA Server Admin Tool (Command Line).........208
            rad_admin Syntax.....................................................................208
            Examples of Administering Multiple HP-UX AAA Servers.................................208
            Administering HP-UX AAA Servers Using Interactive User Interface.....................209
    Disaster Recovery of the HP-UX AAA Server Manager............................................209
19 Configuring the HP-UX AAA Server for Client Functionality.....................................211
    Overview.....................................................................................211
    CLIENT AATV..................................................................................211
        Configuring CLIENT AATV..................................................................211
        Working of the CLIENT AATV...............................................................212
    Supported APIs...............................................................................213
    Internal Attributes and Mapping Functions....................................................213
20 Configuring the HP-UX AAA Server for Dynamic Authorization....................................215
    Dynamic Authorization Overview...............................................................215
    HP-UX AAA Server and Dynamic Authorization...................................................215
    Processing of Dynamic Authorization Requests.................................................216
    Configuring for Dynamic Authorization........................................................217
        Basic Configuration......................................................................218
        Advanced Configuration...................................................................218
            Migrating Existing SQL Access Deployments for Dynamic Authorization..................219


            Configuring Multiple HP-UX AAA Servers as a Group....................................220
                Configuring for Disconnect and CoA Request Processing............................222
                Dedicated HP-UX AAA Servers for Dynamic Authorization............................225
        Dynamic Authorization in Authorize Only Mode.............................................230
            Configuring for Dynamic Authorization in Authorize Only Mode.........................230
        Configuring for Proxy Functionality......................................................232
            Configuring for Dynamic Authorization Proxy Functionality............................233
        Configuring for Failover.................................................................233
        Security Consideration in Dynamic Authorization..........................................234
            Replay Protection....................................................................234
            Message-Authenticator................................................................235
            Reverse Path Forwarding Check for Proxies............................................236
    Sample Configuration Files...................................................................237
        The client-request-init.grp.dynauth Sample File..........................................237
        The client-reply-ingress.grp.dynauth Sample File.........................................238
        The sqlaccess.config.dynauth Sample File.................................................238
        The sqlaccess.config.dynauth_server_group Sample File....................................239
        The dbsetup.sql.dynauth_server_group Sample File.........................................240

IV Integrating the HP-UX AAA Server With External Services.......................................242
21 LDAP Authentication...........................................................................245
    LDAP Server Compatibility....................................................................245
    Related LDAP Documentation...................................................................245
    Authentication with LDAP.....................................................................245
        Configuring the LDAP Server..............................................................245
            The HP-UX AAA Server LDAP Schema.....................................................245
            To Configure Netscape Directory Server v6............................................246
            To Configure iPlanet Directory Server v5.............................................246
            To Configure OpenLDAP 2.0.x..........................................................246
22 SQL Access....................................................................................248
    SQL Access Overview..........................................................................248
        SQL Access Concepts......................................................................249
            RADIUS Attribute to SQL Statement Mapping............................................249
            Mapping Functions....................................................................250
            Conversion Functions.................................................................250
            SQL Action Processing and Result Handling............................................251
    Implementing SQL Access......................................................................251
        Sample Implementation Files..............................................................251
            sqlaccess.config Sample File.........................................................251
            dbsetup.sql Sample File..............................................................253
            Finite State Machine Sample..........................................................254
        Pre-requisites for SQL Access............................................................254
            Database Server and Schema...........................................................254
                Database Security................................................................254
                High Availability................................................................255
            Database Client......................................................................255
                Shared Library Path Configuration................................................255
            Database Client Connector Libraries..................................................255
        SQL Access Implementation Details........................................................255
        sqlaccess.config File Configuration......................................................256
            Database Connection Definition.......................................................257
            SQL Actions..........................................................................258
            Mapping Syntax.......................................................................259
                RAD Mapping......................................................................260


                DBC Mapping......................................................................261
                DBP Mapping......................................................................262
                RET Mapping......................................................................263
                Mapping Functions................................................................263
                Conversion Functions.............................................................264
            SQL Statement........................................................................265
            SQL Result Mapping...................................................................267
                Result Handling for Retrieval Requests...........................................268
            Global Definitions...................................................................270
        Advanced SQL Mapping Configuration.......................................................270
            Developing Custom Functions..........................................................270
            Null SQL Statements..................................................................271
            Null Source and Target Mapping.......................................................271
            Time Synchronization.................................................................271
            Finite State Table Configuration in the FSM..........................................272
            Stored Procedures....................................................................272
    Administering Users and Tokens Stored in an SQL Database.....................................274
        Managing Users...........................................................................274
            Adding Users to an SQL Database......................................................275
            Modifying User Credentials...........................................................276
        Managing Users Using OTP to Authenticate.................................................277
            Importing Tokens into the Database...................................................277
            Assigning Tokens to Users............................................................277
                Assigning a Specific Token to a User.............................................277
                Allocating Any Available Tokens to a User........................................278
            Enrolling Tokens (Procedure for Users)...............................................278
            Synchronizing Tokens (Procedure for Users)...........................................279
            Terminating Tokens...................................................................280
        Viewing User and Token Statistics........................................................280
        Valid Token Status Values................................................................281
        Invoking the User Database Administration Manager Interface from Server Manager..........281
    Multi-Row Support For SQL Access.............................................................282
23 Simple Network Management Protocol (SNMP) Support.............................................283
    Setting Up SNMP to Monitor the HP-UX AAA Server..............................................283
24 VPN Tunneling.................................................................................285
    Establishing a Tunnel for a User.............................................................285
25 Using DHCP....................................................................................286
    Required DHCP Server Features................................................................286
        Recommended DHCP Server Features.........................................................286
    Defining DHCP Address Pools for Specific Users...............................................286
        To Associate an Address Pool with a User Profile in AAA Server Flat Files................286
        To Associate an Address Pool with a User Profile in an LDAP LDIF File....................286
    Associating Address Pools with Realms and Other Conditions...................................287
V Customizing the HP-UX AAA Server...............................................................288
26 Customizing the HP-UX AAA Server Using the Finite State Machine...............................291
    States.......................................................................................291
        Using Xstring to Call Policy.............................................................293
        Using Xstring to Call an Alternate authfile..............................................293
    Event Names..................................................................................293
        Predefined Event Names...................................................................293
        Creating New Names.......................................................................295
    Actions......................................................................................296


    FSM Tables...................................................................................297
    Custom State Tables..........................................................................298
        Tracking Versions........................................................................298
        Examples.................................................................................298
            Preprocessing Module.................................................................298
        Interim Logging..........................................................................299
        Custom Logging Format....................................................................299
        Proxy Accounting Messages................................................................299
27 Customizing the HP-UX AAA Server Using Policies...............................................301
    Policy Overview..............................................................................301
    Defining a Policy in a Decision File.........................................................302
        Action Commands..........................................................................303
            The delete Command...................................................................303
            The insert Command...................................................................304
            The modify Command...................................................................305
            The exit Command.....................................................................306
            The log Command......................................................................307
            The if Command.......................................................................307
        Attribute Specifications.................................................................309
            Attribute Names......................................................................310
            Vendor Names.........................................................................310
            Attribute Instance Specifications....................................................310
                No Instance Specification........................................................310
                Numeric Instance Specification...................................................310
                Keyword Instance Specification...................................................310
            Attribute Functions..................................................................311
                The count Attribute Function.....................................................311
                The length Attribute Function....................................................312
                The strcat Attribute Function....................................................312
                The substr Attribute Function....................................................313
                The tolower Attribute Function...................................................316
                The toupper Attribute Function...................................................316
        Value Types..............................................................................316
        Arithmetic Expressions...................................................................317
            Arithmetic Operator Precedence and Association.......................................317
        Supported Boolean Operators..............................................................318
            Boolean Operator Precedence and Association..........................................319
        Type Compatibility.......................................................................320
    Invoking a Policy............................................................................321
        Invoking Policies Through Predefined Policy Hooks........................................321
            Request Ingress Policy...............................................................321
            User Policy..........................................................................322
                Invoking Policy from User Profiles...............................................322
            Reply Egress Policy..................................................................323
            Proxy Egress Policy..................................................................323
            Proxy Ingress Policy.................................................................324
        Useful Attributes for Policy Conditions..................................................324
        Modifying the FSM for Specific Customizations............................................325
    Sample Policy Implementations................................................................326
        Dynamic Access Control...................................................................326
            Step 1 – Modifying the Default FSM for DAC...........................................326
            Step 2 – Defining the DAC Policies...................................................327
        DNIS Routing.............................................................................327
            Step 1 – Modifying the Default FSM for DNIS Routing..................................327


            Step 2 – Defining the DNIS Routing Policies..........................................328
28 Customizing the HP-UX AAA Server Using the SDK................................................329
    SDK Overview.................................................................................329
    Migrating Plug-ins Created Using Previous Versions of the SDK................................330
    Prerequisites for Using the SDK..............................................................330
    SDK Directory Structure......................................................................331
    SDK Concepts.................................................................................331
        Overview of AATVs........................................................................331
        AATV Components..........................................................................331
            The init Function....................................................................331
            The action Function..................................................................331
            The timer or callback Function.......................................................332
            The cleanup Function.................................................................332
    Creating Plug-ins............................................................................332
        Using AATVs to Create a Plug-in..........................................................333
        Compiling and Loading a Plug-in..........................................................334
        Testing and Debugging a Plug-in..........................................................334
            Using the GNU Project Debugger.......................................................334
                Using gdb to Debug Your Software Module..........................................334
    Creating Plug-ins for AATVs..................................................................335
        A3 and A8 Algorithm Plug-in for EAP-SIM..................................................335
            Creating A3, A8 Plug-ins.............................................................336
        AKA Algorithm Plug-in for EAP-AKA........................................................337
            Creating AKA Plug-ins................................................................337
VI Troubleshooting...............................................................................340
29 Troubleshooting Overview......................................................................343
    AAA Environment Components...................................................................343
    HP-UX AAA Server Operation...................................................................344
    Probable Causes for Failure..................................................................345
        Configuration Problems...................................................................345
        External Service Problems................................................................345
        Protocol Limitations.....................................................................345
        RADIUS Client and Supplicant Considerations..............................................346
30 Troubleshooting Procedures....................................................................347
    Troubleshooting Flowchart....................................................................347
        Troubleshooting Flowchart Process........................................................348
    Troubleshooting the Server Manager Administration Utility....................................350
        Common Problems With the Server Manager..................................................350
            Troubleshooting Server Manager Launch Problems.......................................352
            Troubleshooting Remote Management Problems...........................................353
    Troubleshooting the HP-UX AAA Server.........................................................354
        Troubleshooting HP-UX AAA Server Startup Problems........................................354
            Common Problems with HP-UX AAA Server Startup........................................354
                Troubleshooting Bind Errors at HP-UX AAA Server Startup..........................356
        Troubleshooting an Unresponsive HP-UX AAA Server.........................................357
            Troubleshooting Common Configuration Problems........................................357
            Troubleshooting External Services....................................................360
                Identifying External Service Failures using Logfile Error Messages...............360
                Identifying Unrecorded External Datastore Failures...............................363
                Identifying Proxy Server Failures................................................363
                Identifying Unrecorded DHCP Failures.............................................364
        Troubleshooting Access-Rejects from the HP-UX AAA Server.................................364
            Common Authentication Failure Problems...............................................364


            EAP Problems.........................................................................369
        Troubleshooting Provisioning Errors......................................................371
        Troubleshooting the HP-UX AAA Server Admin Utility.......................................372
31 Troubleshooting Resources.....................................................................374
    HP-UX AAA Server Troubleshooting Utilities...................................................374
        The radcheck Utility: For Checking the Server Status.....................................374
        The radpwtst Utility: For Testing Authentication.........................................374
        The raddbginc Utility: For Setting Debug Output Levels...................................375
        The radsignal Utility: For Rolling Over the Debug Output to New Files....................375
    The HP-UX AAA Server Logfile and Debug File..................................................375
        The HP-UX AAA Server Logfile.............................................................376
        The HP-UX AAA Server Debug File..........................................................376
32 Reporting Problems............................................................................377
    Server Set Up Information....................................................................377
    Server Manager Related Information...........................................................377
    External Components..........................................................................378
        External Databases.......................................................................378
        SNMP Servers.............................................................................378
        DHCP Servers.............................................................................378
        OpenSSL..................................................................................378
    EAP Related Information......................................................................378
        Clients..................................................................................378
        Access Points............................................................................378
VII Reference....................................................................................379
33 Configuration Files...........................................................................382
    HUP Processing...............................................................................382
    The aaa.config File..........................................................................383
        Variables in the aaa.config File.........................................................383
            The vsa_integer_sign Variable........................................................383
            The strict_duplicate_check Variable..................................................383
            The aatv.ProLDAP Property............................................................383
            The iaaa.SNMP Property...............................................................384
            The log_threshold_limit and suppression_interval Variables...........................384
            The list_copy_limit Variable.........................................................385
            The localUsersFile.FilterType Property...............................................385
            The default_users_file_cis_search Property...........................................385
            The log_forwarding Variable..........................................................385
            The log_generated_request Variable...................................................385
            The ourhostname Variable.............................................................385
            The packet_log Variable..............................................................386
            The radius_log_fmt Variable..........................................................386
            The reply_check Variable.............................................................386

    Variables in the aaa.config File.....................................................................................383The vsa_integer_sign Variable..................................................................................383The strict_duplicate_check Variable...........................................................................383The aatv.ProLDAP Property.......................................................................................383The iaaa.SNMP Property.........................................................................................384The log_threshold_limit and suppression_interval Variables..........................................384The list_copy_limit Variable......................................................................................385The localUsersFile.FilterType Property.........................................................................385The default_users_file_cis_search Property..................................................................385The log_forwarding Variable....................................................................................385The log_generated_request Variable.........................................................................385The ourhostname Variable.......................................................................................385The packet_log Variable..........................................................................................386The radius_log_fmt Variable.....................................................................................386The reply_check Variable.........................................................................................386

    OTP Authentication-Related Configuration Items...............................................................387Dynamic Authorization-Related Configuration Items..........................................................387

    The clients File.................................................................................................................387Prefixed Users and authfile...........................................................................................388Wildcard Support for IPv4 and IPv6..............................................................................388

    The users File ..................................................................................................................389Syntax of a User Entry ................................................................................................389Syntax of IPv6 Attributes...............................................................................................389

    NAS-IPv6-Address..................................................................................................389Framed-Interface-Id.................................................................................................389Framed-IPv6-Prefix..................................................................................................390

    Contents 13

  • Login-IPv6-Host.......................................................................................................390Framed-IPv6-Route..................................................................................................390Framed-IPv6-Pool....................................................................................................390

    With Tunneling ..........................................................................................................391The dictionary File ...........................................................................................................391

    Attribute Entries ..........................................................................................................392Pruning Expressions ....................................................................................................392Value Entries ..............................................................................................................393

    The las.conf File ..............................................................................................................394LAS Session Timing Parameters ....................................................................................394Token Pool Configuration .............................................................................................395Realm Configuration ...................................................................................................395

    The vendors File ..............................................................................................................396Syntax of a vendors File...............................................................................................396

    The log.config File ...........................................................................................................397Syntax of a Stream Entry..............................................................................................397Default Entry ..............................................................................................................398End Entry ..................................................................................................................398Logging Multiple Streams ............................................................................................398

    Values Logged by Default........................................................................................399Examples...................................................................................................................399

    Livingston Call Detail Record (CDR) Format................................................................399Multiple Logging Streams .......................................................................................400Logging Based on attributes.....................................................................................400Accounting Log Based on Attribute Value...................................................................401Changing the Accounting Log Rollover Interval...........................................................402

    34 Attribute-Value Pairs..........................................................................403Specifying Attribute-Value Pairs..........................................................................................403

    Attribute-Value Formats................................................................................................403Examples...................................................................................................................403Tagged Attributes .......................................................................................................404

    Attributes in User Profiles...................................................................................................404Configuration Attributes...............................................................................................404

    Local Authorization Service (LAS) Configuration..........................................................406Simultaneous-Use Attribute..................................................................................406Attributes Concerning OTP Authentication.............................................................406

    Check (and Deny) Items....................................................................................................406Attributes Concerning the NAS.....................................................................................406Policy Attributes...........................................................................................................407Other Attributes..........................................................................................................407

    Reply Items......................................................................................................................408General Attributes.......................................................................................................409Attributes Concerning Login Users.................................................................................410Attributes for Framed Users...........................................................................................410Tunneling Attributes.....................................................................................................411Other Attributes..........................................................................................................413

    Attributes in Accounting Records........................................................................................414Additional Session Information......................................................................................414

    35 MIB Objects.....................................................................................418MIB Objects....................................................................................................................418

    14 Contents

  • A Supported IETF RFCs..............................................................................424B Supported Authentication Methods...........................................................426C RADIUS Data Packets..............................................................................428

    Data Packet Format...............................................................................................................428Attribute-Value Pair Format ...............................................................................................428

    D Header Files, Data Structures, and APIs in the HP-UX AAA Server SDK..........430Header Files and Data Structures in the SDK............................................................................430APIs in the HP-UX AAA Server SDK.........................................................................................430

    A-V Pair APIs...................................................................................................................430sdk_avp_t *sdk_avp_allocate().....................................................................................430void sdk_avp_free().....................................................................................................431int sdk_get_avp_info()..................................................................................................431int sdk_set_avp().........................................................................................................431int sdk_set_vend_avp().................................................................................................432

    Authreq APIs...................................................................................................................432sdk_avp_t *sdk_find_avp()...........................................................................................432sdk_avp_t *sdk_find_vend_avp()...................................................................................433int sdk_del_avp().........................................................................................................434int sdk_insert_avp()......................................................................................................434int sdk_get_authreq_info()............................................................................................435

    Logging APIs...................................................................................................................436int sdk_logit()..............................................................................................................436int sdk_log_debug().....................................................................................................437

    Asynchronous Event and I/O APIs......................................................................................438int sdk_pollfd_register()................................................................................................438int sdk_pollfd_unregister().............................................................................................438int sdk_schedule_event()...............................................................................................438

    Secondary APIs...............................................................................................................439sdk_authreq_t *sdk_get_authreq_by_id()........................................................................439char *sdk_get_config_dir()...........................................................................................439int sdk_set_authreq_info...............................................................................................439int sdk_get_client_info()................................................................................................440int sdk_decrypt_passwd().............................................................................................441int sdk_encrypt_passwd()..............................................................................................441sdk_authreq_t * sdk_authreq_allocate............................................................................441void sdk_authreq_free..................................................................................................442int sdk_enqueue_authreq..............................................................................................442

    E Syntax of the Decision Files in Earlier Versions of the HP-UX AAA Server........443Expressions .........................................................................................................................443Specifying Attributes in Group Entries .....................................................................................444

    Dynamic Access Control ..................................................................................................444Internal Values ................................................................................................................444

    Using Indirection .................................................................................................................444Example Group Entries .........................................................................................................445

    DNIS.grp for DNIS Routing...............................................................................................445DAC.grp for Dynamic Access Control.................................................................................446

    Glossary of Terms......................................................................................448Index.......................................................................................................453

    Contents 15

About This Document

This document provides an overview of the HP-UX AAA Server and describes how to configure, administer, and troubleshoot the product. This document does not cover installing the product.

The document printing date and part number on the cover indicate the document's current edition. The printing date and part number change when a new edition is printed. Minor changes can be made at reprint without changing the printing date. The document part number will change when extensive changes are made.

Document updates may be issued between editions to correct errors or document product changes. To ensure that you receive the updated or new editions, subscribe to the appropriate product support service. Contact your HP sales representative for details.

The latest version of this document is available at http://www.hp.com/go/hpux-security-docs (select HP-UX AAA Server (RADIUS) Software).

Intended Audience

This document is intended for HP-UX AAA Server administrators who understand the HP-UX operating system.

New and Changed Information in This Edition

The following additions and changes are made for edition 11:

• Includes support for EAP-MS-CHAPv2 for OTP authentication. For more information, see “OATH Standards-Based OTP Authentication” (page 128).

• Includes support for a Common Logfile for multiple instances of the HP-UX AAA server. For more information, see “Administering HP-UX AAA Servers Using HP-UX AAA Server Manager” (page 200).

    Other minor changes have been made throughout the document, as required.

Document Organization

The HP-UX AAA Server A.08.02.10 Administrator's Guide is organized as follows:

• Part I — Introduction provides general information about the HP-UX AAA Server product and the RADIUS protocol. It also describes how to secure your HP-UX AAA Server installation.

• Part II — Configuring the HP-UX AAA Server Manager Using the Server Manager GUI describes how to use the Server Manager to administer your AAA environment.

• Part III — Advanced Configuration Information provides information on advanced topics, such as securing LAN access using EAP, session management, assigning IP addresses, configuring OTP and two-factor authentication, configuring for EAP-SIM and EAP-AKA authentication methods, configuring for scalability and high-availability, configuring for the client functionality, and configuring for the dynamic authorization capability of the HP-UX AAA Server.

• Part IV — Integrating the HP-UX AAA Server With External Services describes how to integrate the HP-UX AAA Server with external services such as Lightweight Directory Access Protocol (LDAP), SQL Access, Dynamic Host Configuration Protocol (DHCP), Simple Network Management Protocol (SNMP), and Virtual Private Network (VPN).

• Part V — Customizing the HP-UX AAA Server describes how to customize the HP-UX AAA Server to meet various deployment scenarios.

• Part VI — Troubleshooting provides guidelines and error messages to help troubleshoot issues with the HP-UX AAA Server.


• Part VII — Reference provides information to supplement the task-based information in the previous parts of the document. Use the information in this section to learn more about non-task-based topics such as configuration files and attribute-value pairs.

• Appendix A (page 424) lists all the RFCs that are supported by the HP-UX AAA Server.

• Appendix B (page 426) lists and describes all the authentication methods that are supported by the HP-UX AAA Server.

• Appendix C (page 428) provides information about the RADIUS data packet format.

• Appendix D (page 430) lists and describes all the header files, data structures, and APIs included in the HP-UX AAA Server SDK.

• Appendix E (page 443) discusses the syntax of decision files that are supported by previous versions of the HP-UX AAA Server.

HP Secure Development Lifecycle

Starting with the HP-UX 11i v3 March 2013 update release, HP Secure Development Lifecycle provides the ability to authenticate HP-UX software. Software delivered through this web release has been digitally signed using HP's private key. You can now verify the authenticity of the software before installing the products delivered through Web Release.

To verify software signatures in a signed depot, version B.11.31.1303 or later of Software Distributor (SD) and version A.01.01.07 or later of HP-UX Whitelisting (WhiteListInf) must be installed on your system.

To verify the signatures, run: swsign -v -s

For more information, see the Software Distributor documentation at http://www.hp.com/go/sd-docs and the Ignite-UX documentation at http://www.hp.com/go/ignite-ux-docs.

Publishing History

The following table shows the printing history of this document. The first entry in the table corresponds to the current edition, and previous editions are listed in reverse chronological order.

Table 1 HP-UX AAA Server Administrator's Guide Printing History

Supported OS                      Supports Software Version   Document Release Date (month/year)   Document Part Number
HP-UX 11i v3                      A.08.02.10                  11/13                                T1428-90093
HP-UX 11i v3                      A.08.02                     08/12                                T1428-90091
HP-UX 11i v2 and HP-UX 11i v3     A.08.01                     05/10                                T1428-90072
HP-UX 11i v2 and HP-UX 11i v3     A.08.00                     02/09                                T1428-90071
HP-UX 11i v1, 11i v2, 11i v3      A.07.01                     03/08                                T1428-90066
HP-UX 11i v1, 11i v2, 11i v3      A.07.00                     09/07                                T1428-90064
HP-UX 11i v1, 11i v2              A.07.00                     09/06                                5991-6434
HP-UX 11i v1, 11i v2              A.06.02                     11/05                                T1428-90061
HP-UX 11.00, 11i v1, 11i v2       A.06.01.x                   01/04                                T1428-90050
HP-UX 11.00, 11i v1               A.06.01.x                   10/03                                T1428-90042
HP-UX 11.00, 11i v1               A.06.00.08                  04/03                                T1428-90025
HP-UX 11.00, 11i v1               A.06.00.07                  02/03                                T1428-90014
HP-UX 11.00, 11i v1               A.05.01.01                  06/02                                T1428-90001


Typographic Conventions

This document uses the following typographical conventions:

audit(5)       An HP-UX manpage. In this example, audit is the name and 5 is the section in the HP-UX Reference. On the web and on the Instant Information CD, it may be a link to the manpage itself. From the HP-UX command line, you can enter “man audit” or “man 5 audit” to view the manpage. See man(1).
Book Title     The title of a book. On the web and on the Instant Information CD, it may be a link to the book itself.
KeyCap         The name of a keyboard key. Note that Return and Enter both refer to the same key.
Emphasis       Text that is emphasized.
Emphasis       Text that is strongly emphasized.
Term           The defined use of an important word or phrase.
ComputerOut    Text displayed by the computer.
UserInput      Commands and other text that you type.
Command        A command name or qualified command phrase.
Variable       The name of a variable that you may replace in a command or function, or information in a display that represents several possible values.
[ ]            The contents are optional in formats and command descriptions. If the contents are a list separated by |, you can choose one of the items.
{ }            The contents are required in formats and command descriptions. If the contents are a list separated by |, you can choose one of the items.
...            The preceding element can be repeated an arbitrary number of times.
|              Separates items in a list of choices.

HP-UX Release Name and Release Identifier

Each HP-UX 11i release has an associated release name and release identifier. The uname(1) command with the -r option returns the release identifier. The following table lists the releases available for HP-UX 11i.

Table 2 HP-UX 11i Releases

Release Name     Release Identifier
HP-UX 11i v1     B.11.11
HP-UX 11i v2     B.11.23
HP-UX 11i v3     B.11.31

Related Information

In addition to this document, additional information about the HP-UX AAA server can be found in the Internet and Security Solutions collection under AAA Server (RADIUS) at http://www.hp.com/go/hpux-security-docs (select HP-UX AAA Server (RADIUS) Software).

HP Encourages Your Comments

HP encourages your comments concerning this document. We are committed to providing documentation that meets your needs.

Send your comments to: [email protected]


Include the document title, manufacturing part number, and any comment, error found, or suggestion for improvement you have concerning this document.

Part I Introduction

This part of the HP-UX AAA Server Administrator's Guide contains the following chapters:

• Chapter 1: “Overview: The HP-UX AAA Server” (page 23)

    • Chapter 2: “Upgrading to Version A.08.02.10” (page 34)

    • Chapter 3: “Installing and Securin