HP-UX AAA Server A.08.02.10 Administrator's Guide
HP-UX 11i v3
HP Part Number: T1428-90093
Published: November 2013
Edition: 13
© Copyright 2002, 2013 Hewlett-Packard Development Company, L.P.
Confidential computer software. Valid license required from HP for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.
The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.
UNIX is a registered trademark of The Open Group.
Oracle and Java are registered trademarks of Oracle and/or its affiliates.
Microsoft® and Windows® are U.S. registered trademarks of Microsoft Corporation.
OpenLDAP® is a registered trademark of the OpenLDAP Foundation.
Netscape Navigator™ is a registered trademark of Time Warner, Inc.
RED HAT™ is the registered trademark of Red Hat, Inc.
Contents

About This Document ... 16
  Intended Audience ... 16
  New and Changed Information in This Edition ... 16
  Document Organization ... 16
  HP Secure Development Lifecycle ... 17
  Publishing History ... 17
  Typographic Conventions ... 18
  HP-UX Release Name and Release Identifier ... 18
  Related Information ... 18
  HP Encourages Your Comments ... 18

I Introduction ... 20

1 Overview: The HP-UX AAA Server ... 23
  RADIUS Topology ... 23
  Establishing a RADIUS Session ... 24
  Product Structure ... 25
    HP-UX AAA Server Daemon, Libraries, and Utilities ... 25
    HP-UX AAA Server Manager Program ... 25
    Documentation ... 25
  HP-UX AAA Server Architecture ... 26
    Configuration Files ... 26
    AATV Plug-Ins ... 27
    The Software Engine: Finite State Machine ... 27
  HP-UX AAA Server Commands, Utilities and Daemons ... 27
  Handling an Access Request ... 27
    Authentication to Verify the Client and User ... 28
    Authorization to Control Sessions and Access to Services ... 30
      Authorization Steps ... 31
  Session Logs For Accounting ... 33
  IPv6 Support for External Services ... 33
  HP-UX AAA Server as a Client ... 33

2 Upgrading to Version A.08.02.10 ... 34
  The HP-UX AAA Server Upgrade Process ... 34
  Upgrading from Versions A.07.00, A.06.02, A.06.01, or A.07.01 to Version A.08.02.10 ... 34
  Upgrading from Version A.06.00.x to Version A.08.02.10 ... 35
  Upgrading from Version A.05.x to Version A.08.02.10 ... 37
  Merging the Dictionary File ... 37
  Merging the radius.fsm File ... 37
  Merging the vendors File ... 37

3 Installing and Securing the HP-UX AAA Server ... 38
  Acquiring the HP-UX AAA Server Software ... 38
  Installing and Uninstalling the HP-UX AAA Server ... 38
    To Install the HP-UX AAA Server ... 38
    To Uninstall the HP-UX AAA Server Software ... 39
  HP-UX AAA Server File Locations ... 39
  Securing the HP-UX AAA Server ... 43
    Changing the Default HP-UX AAA Server Settings ... 43
      Changing the Default Tomcat User Name and Password ... 43
      Changing the Default RMI Objects Secret ... 43
      Changing the Default test_user Settings ... 44
Contents 3
      Changing the Default localhost Proxy Settings ... 44
    Environment Specific Security Procedures ... 44
      Using Secure Socket Layer (SSL) for Secured Remote Server Manager Administration ... 44
      Creating a Tomcat Identity Specifically for the HP-UX AAA Server ... 45
      Running the HP-UX AAA Server on Hosts with System Hardening Software ... 46
      Running the HP-UX AAA Server as a Non-Root User ... 46
      Setting Up the HP-UX AAA Server to Start as Non-Root User After Reboot ... 47

4 Enabling the HP-UX AAA Server for GUI-based Administration ... 49
  Accessing the Server Manager ... 49
    Starting and Stopping the RMI Objects ... 49
    Starting and Stopping Tomcat ... 50
  Testing the Installation ... 50
    To Test the Installation ... 50
  Starting HP-UX AAA Servers Using Server Manager ... 51
    AAA Server Start Options ... 52
    Server Manager's Reload Feature ... 53
  Starting HP-UX AAA Servers From the Command Line ... 53
  Configuring the HP-UX AAA Server to Start Automatically Upon System Reboot ... 56
  Stopping or Restarting HP-UX AAA Servers ... 56
    Using Server Manager ... 56
    From the Command Line ... 56
  Adding an HP-UX AAA Server to Your Network ... 56

II Configuring the HP-UX AAA Server Manager Using the Server Manager GUI ... 58

5 The HP-UX AAA Server Manager Interface ... 61
  Commonly Used Icons in the GUI ... 61

6 Managing HP-UX AAA Servers ... 63
  Using the Server Connections Screen ... 63
  Adding a New Server Connection ... 63
  Modifying Connection Attributes ... 64
  Deleting a Server Connection ... 65
  Managing Multiple Servers ... 65
  Loading and Saving Your Configuration ... 66
    Loading and Saving Your Configuration Using RMI Server ... 66
    Enhancing Loading and Saving Performance Using Secure Copy Protocol ... 67
    Setting up Key-Based Authentication ... 68
      Creating a Public-Private key set with ssh-keygen ... 68
      Sharing the Public key with Remote Hosts ... 68
    Verifying Key-Based Authentication ... 69

7 Configuring RADIUS Clients Using the Access Devices Screen ... 70
  Navigating the Access Devices Screen ... 70
  Adding a RADIUS Client ... 70
  Modifying a RADIUS Client's Properties ... 72
  Deleting a RADIUS Client ... 72

8 Configuring Realms ... 73
  Using the Local Realms Screen ... 73
  Adding a Realm ... 73
  Modifying Realms ... 75
  Special Entries ... 76
  Deleting a Realm ... 76
  Configuring Realms for Authentication using an External Server ... 77
    Configuring Realms for Database Access via SQL ... 77
    Configuring Realms for LDAP ... 78
      Modifying a Directory Configuration ... 80
      Deleting a Directory Configuration ... 80
      Tuning the AAA Server to LDAP Server Connection ... 80

9 Configuring Proxies ... 82
  Navigating the Proxy Screen ... 82
  Changing the Default localhost Proxy Settings ... 82
  Creating or Modifying a Proxy ... 83
    Forwarding Authentication and Dynamic Authorization Requests From a Proxy Server ... 85
    Forwarding Authentication Requests to a Remote Server ... 86
  Changing RADIUS Port Numbers ... 86
    Forwarding Requests to Alternate RADIUS Ports ... 86
  Forwarding Accounting Requests ... 86
  Proxying Authentication and Accounting Messages to the Same Server ... 87
  Proxying Accounting Requests to a Central Server ... 87
  Deleting a Proxy ... 88

10 Configuring Users ... 89
  Navigating the Users Screen ... 89
  Changing the Default test_user Settings ... 89
  Adding a User Profile ... 89
    Tabs on the Add Users Screen ... 91
      Specifying Attributes Using the Free Attributes Pane ... 91
  Modifying User Profiles ... 91
  Deleting a User Profile ... 92
    To Delete a User Profile From the Default users File ... 92
    To Delete a User Profile in a Local Realms File ... 93

11 Modifying Server Properties ... 94
  Navigating the Server Properties Screen ... 94
  DHCP Relay Properties ... 94
  DNS Updates Properties ... 95
  Message Handling Properties ... 95
  SNMP Properties ... 96
    Enable SNMP Support ... 96
  Tunneling Properties ... 96
    Tunneling Reply Items (Optional) ... 96
  Certificate Properties ... 97
  File Size Properties ... 97
    Maximum Logfile Size ... 97
  Miscellaneous Properties ... 97
    Permit Microsoft Client Authenticate As Computer ... 97
  Local Users File Properties ... 98
  ProLDAP Properties ... 98
  AAA Server As A Client Properties ... 98
  Client Action Properties ... 99

12 Logging and Monitoring ... 100
  Overview ... 100
  Server Log Files ... 100
    Using Server Manager to Retrieve Logfile Information ... 100
      Search Parameters ... 101
      Message Types ... 101
    Using Server Manager to Retrieve Statistics ... 101
  Accounting Log Files ... 102
    Using Server Manager to Retrieve Accounting Logfiles ... 102
    Format of Accounting Records in the Default Merit Style ... 103
      Time-Based Values ... 104
      Client A-V Pairs ... 104
      User Entry A-V Pairs ... 104
      Session Tracking ... 104
    Writing Livingston CDR Accounting Records ... 105
      Livingston CDR Session Record Format ... 105
    Changing the Accounting Log Filename ... 106
    Changing the Accounting Log Rollover Interval ... 106
    Rolling Over the Log File and Accounting Stream and Setting the Log Level ... 106

III Advanced Configuration Information ... 108

13 Securing LAN Access With EAP ... 113
  Overview ... 113
    The Secure LAN Advisor ... 113
  Preparing Your LAN ... 114
  Determining the EAP Authentication Method to Use ... 114
  Securing WLANs with the HP-UX AAA Server ... 116
  Digital Certificate Administration ... 116
    Using the "Self-Signed" Digital Certificates ... 117
    Installing Your Own Digital Certificates and Keys ... 117
      Installing Server Certificates and Keys ... 118
      Installing Client Certificates and Keys ... 118
      Defining Certificate Locations on the HP-UX AAA Server ... 118

14 Managing Sessions ... 120
  Session Logs ... 120
    Displaying Session Attributes ... 120
    Stopping a Session ... 121
  Session Limits ... 121
    Setting Limits on a User-by-User Basis ... 121
      Setting Timeout Values ... 121
      Establishing a Filter ... 121
      Limiting Access Points (NAS-Port, NAS-ID, Calling-Station ID, and others) ... 122
      Denying Access (Called-Station-ID and others) ... 122
      Limiting Simultaneous Sessions ... 122
    Setting Limits for Users on a Global Basis ... 123
      Setting Limits for All User Profiles Grouped by Realms ... 123

15 Assigning IP Addresses ... 124
  Assigning Static IP Addresses ... 124
    To Assign a Static IP (IPv4) Address to a Profile in Flat Files ... 124
    To Assign a Static IPv6 Address to a Profile in Flat Files ... 125
    To Assign Static Traditional IP (IPv4) Addresses to a User Profile in an LDAP LDIF File ... 126
    To Assign Static IPv6 Addresses to a User Profile in an LDAP LDIF File ... 126
  Assigning Dynamic IP Addresses Using DHCP ... 127

16 OATH Standards-Based OTP Authentication ... 128
  OTP and OATH Overview ... 128
  HP-UX AAA Server and OATH Support ... 129
  Supported OTP Functions for RADIUS Standard Password (PAP) and MS-CHAP v2 ... 130
  Components Required to Configure OTP Authentication ... 131
  Configuring OTP Authentication on the HP-UX AAA Server ... 131
    OTP Authentication Configuration Flowchart ... 131
    Basic or Typical Configuration ... 134
    Advanced Configuration ... 135
      Advanced OTP Authentication Configuration Concepts ... 135
        Attributes for Configuring OTP Authentication ... 138
      Advanced Deployment Scenarios ... 143
        Validating OTP Alone ... 143
        Configuring Two-Factor Authentication ... 145
        OTP or Password Validation at External RADIUS Server ... 151
    Predefined Mapping and Conversion Functions ... 156
    Sample Configuration Files ... 157
      The sqlaccess.config Sample File ... 157
      Sample Policy Files ... 159
        The oath-request-ingress.grp Sample File ... 159
        The oath-reply-egress.grp Sample File ... 159
        The oath-proxy-egress.grp Sample File ... 160

17 Configuring EAP-SIM and EAP-AKA Authentication Methods ... 161
  EAP-SIM ... 161
    Overview ... 161
    EAP-SIM Authentication Using HP-UX AAA Server ... 161
    Features ... 163
    Benefits ... 164
    Configuring EAP SIM ... 164
      EAP-SIM Client Configuration ... 164
      EAP-SIM User Credential Lookup Configuration ... 164
      EAP-SIM Realm-Based Configurations ... 165
        Realm-Based EAP-SIM Configuration Information in authfile ... 165
        Realm-Based EAP-SIM Configuration Information in EAP.authfile ... 167
      Global EAP-SIM Configuration in aaa.config ... 169
  EAP-AKA ... 170
    Overview ... 170
    EAP-AKA Authentication Using HP-UX AAA Server ... 170
    Features ... 171
    Benefits ... 172
    Configuring EAP-AKA ... 172
      EAP-AKA Client Configuration ... 172
      EAP-AKA User Credential Lookup Configuration ... 172
      EAP-AKA Realm-Based Configurations ... 173
        Realm-Based EAP-AKA Configuration Information in authfile ... 173
        Realm-Based EAP-AKA Configuration Information in EAP.authfile ... 174
      Global EAP-AKA Configuration in aaa.config ... 178
  Fast Re-Authentication ... 179
    Configuring for Fast Re-Authentication ... 179
      Configuring for Fast Re-Authentication in EAP.authfile ... 180
        Sample EAP.authfile Configuration for Fast Re-authentication ... 181
      Configuring for Fast Re-Authentication in aaa.config File ... 181
        Sample aaa.config Configuration for Fast Re-authentication ... 182
    Guidelines to Write EAP-SIM and EAP-AKA Fast Re-Authentication Database AATVs ... 182
      Fast Re-Authentication Database Update AATV ... 183
        Update AATV Inputs ... 183
        Update AATV Outputs ... 183
        AATV Functionality and Return Events ... 183
      Fast Re-Authentication Database Lookup AATV ... 184
        Lookup AATV Inputs ... 184
        Lookup AATV Outputs ... 184
        Lookup AATV Functionality and Return Events ... 185
  Pseudonym Identities ... 185
Random Pseudonyms...................................................................................................185
Algorithm-Based Pseudonyms........................................................................................185
Configuring for Pseudonym Identity Support....................................................................187
Sample EAP.authfile Configuration for Random Pseudonym Identity Support...................188
Sample EAP.authfile Configuration for Algorithm-based Pseudonym Identity Support........189
Sample aaa.config Configuration for Algorithm-based Pseudonym Identity Support.........190
Guidelines to Write EAP-SIM and EAP-AKA Pseudonym Database AATVs...........................190
Pseudonym Database Update AATV..........................................................................191
Update AATV Inputs...........................................................................................191
Update AATV Outputs........................................................................................191
AATV Functionality and Return Events...................................................................191
Pseudonym Database Lookup AATV..........................................................................192
Lookup AATV Inputs...........................................................................................192
Lookup AATV Outputs........................................................................................192
Lookup AATV Functionality and Return Events........................................................194
Generating Authentication Vectors Using A3, A8, and AKA Algorithms..................................194
3GPP Milenage A3, A8, and AKA Algorithm.................................................................195
18 Configuring HP-UX AAA Server for Scalability and High-Availability .......198
Overview........................................................................................................198
Scalability and High-Availability Concepts..........................................................198
Grouping HP-UX AAA Servers.......................................................................................198
HP-UX AAA Server Attributes........................................................................................199
HP-UX AAA Server Deployment for Scalability and High-Availability.......................................199
Managing Multiple HP-UX AAA Servers For Scalability and High-Availability..........................200
Administering HP-UX AAA Servers Using HP-UX AAA Server Manager...............................200
Logging In.............................................................................................201
Adding a Group....................................................................................201
Modifying a Group................................................................................202
Deleting a Group...................................................................................202
Adding a Server.....................................................................................202
Modifying a Server.................................................................................205
Deleting a Server...................................................................................206
Cloning a Server....................................................................................206
Administering HP-UX AAA Servers Using HP-UX AAA Server Admin Tool (Command Line)....208
rad_admin Syntax..................................................................................208
Examples of Administering Multiple HP-UX AAA Servers..............................................208
Administering HP-UX AAA Servers Using Interactive User Interface................................209
Disaster Recovery of the HP-UX AAA Server Manager...........................................................209
19 Configuring the HP-UX AAA Server for Client Functionality .....................211
Overview........................................................................................................211
CLIENT AATV..................................................................................................211
Configuring CLIENT AATV............................................................................................211
Working of the CLIENT AATV.......................................................................................212
Supported APIs................................................................................................213
Internal Attributes and Mapping Functions...........................................................213
20 Configuring the HP-UX AAA Server for Dynamic Authorization................215
Dynamic Authorization Overview.......................................................................215
HP-UX AAA Server and Dynamic Authorization....................................................................215
Processing of Dynamic Authorization Requests.....................................................................216
Configuring for Dynamic Authorization...............................................................................217
Basic Configuration.....................................................................................................218
Advanced Configuration..............................................................................................218
Migrating Existing SQL Access Deployments for Dynamic Authorization.........................219
Configuring Multiple HP-UX AAA Servers as a Group..................................................220
Configuring for Disconnect and CoA Request Processing.........................................222
Dedicated HP-UX AAA Servers for Dynamic Authorization.......................................225
Dynamic Authorization in Authorize Only Mode.........................................................230
Configuring for Dynamic Authorization in Authorize Only Mode..............................230
Configuring for Proxy Functionality............................................................................232
Configuring for Dynamic Authorization Proxy Functionality......................................233
Configuring for Failover...........................................................................................233
Security Consideration in Dynamic Authorization........................................................234
Replay Protection...............................................................................................234
Message-Authenticator.......................................................................................235
Reverse Path Forwarding Check for Proxies............................................................236
Sample Configuration Files................................................................................................237
The client-request-init.grp.dynauth Sample File.................................................................237
The client-reply-ingress.grp.dynauth Sample File...............................................................238
The sqlaccess.config.dynauth Sample File.......................................................................238
The sqlaccess.config.dynauth_server_group Sample File...................................................239
The dbsetup.sql.dynauth_server_group Sample File..........................................................240
IV Integrating the HP-UX AAA Server With External Services...........................242
21 LDAP Authentication..........................................................................245
LDAP Server Compatibility ...............................................................................................245
Related LDAP Documentation ............................................................................................245
Authentication with LDAP .................................................................................................245
Configuring the LDAP Server ........................................................................................245
The HP-UX AAA Server LDAP Schema.......................................................................245
To Configure Netscape Directory Server v6................................................................246
To Configure iPlanet Directory Server v5....................................................................246
To Configure OpenLDAP 2.0.x.................................................................................246
22 SQL Access......................................................................................248
SQL Access Overview......................................................................................................248
SQL Access Concepts..................................................................................................249
RADIUS Attribute to SQL Statement Mapping.............................................................249
Mapping Functions.................................................................................................250
Conversion Functions..............................................................................................250
SQL Action Processing and Result Handling...............................................................251
Implementing SQL Access.................................................................................................251
Sample Implementation Files.........................................................................................251
sqlaccess.config Sample File....................................................................................251
dbsetup.sql Sample File...........................................................................................253
Finite State Machine Sample....................................................................................254
Pre-requisites for SQL Access........................................................................................254
Database Server and Schema..................................................................................254
Database Security..............................................................................................254
High Availability................................................................................................255
Database Client.....................................................................................................255
Shared Library Path Configuration........................................................................255
Database Client Connector Libraries.........................................................................255
SQL Access Implementation Details................................................................................255
sqlaccess.config File Configuration................................................................................256
Database Connection Definition...............................................................................257
SQL Actions...........................................................................................................258
Mapping Syntax.....................................................................................................259
RAD Mapping...................................................................................................260
DBC Mapping...................................................................................................261
DBP Mapping...................................................................................................262
RET Mapping....................................................................................................263
Mapping Functions............................................................................................263
Conversion Functions..........................................................................................264
SQL Statement.......................................................................................................265
SQL Result Mapping...............................................................................................267
Result Handling for Retrieval Requests...................................................................268
Global Definitions..................................................................................................270
Advanced SQL Mapping Configuration..........................................................................270
Developing Custom Functions...................................................................................270
Null SQL Statements...............................................................................................271
Null Source and Target Mapping.............................................................................271
Time Synchronization..............................................................................................271
Finite State Table Configuration in the FSM................................................................272
Stored Procedures...................................................................................................272
Administering Users and Tokens Stored in an SQL Database..................................................274
Managing Users.........................................................................................................274
Adding Users to an SQL Database...........................................................................275
Modifying User Credentials.....................................................................................276
Managing Users Using OTP to Authenticate....................................................................277
Importing Tokens into the Database..........................................................................277
Assigning Tokens to Users........................................................................................277
Assigning a Specific Token to a User....................................................................277
Allocating Any Available Tokens to a User............................................................278
Enrolling Tokens (Procedure for Users).......................................................................278
Synchronizing Tokens (Procedure for Users)................................................................279
Terminating Tokens.................................................................................................280
Viewing User and Token Statistics..................................................................................280
Valid Token Status Values.............................................................................................281
Invoking the User Database Administration Manager Interface from Server Manager...........281
Multi-Row Support For SQL Access.....................................................................................282
23 Simple Network Management Protocol (SNMP) Support........................283
Setting Up SNMP to Monitor the HP-UX AAA Server.............................................................283
24 VPN Tunneling.................................................................................285
Establishing a Tunnel for a User.........................................................................................285
25 Using DHCP.....................................................................................286
Required DHCP Server Features.........................................................................................286
Recommended DHCP Server Features............................................................................286
Defining DHCP Address Pools for Specific Users...................................................................286
To Associate an Address Pool with a User Profile in AAA Server Flat Files...........................286
To Associate an Address Pool with a User Profile in an LDAP LDIF File................................286
Associating Address Pools with Realms and Other Conditions................................................287
V Customizing the HP-UX AAA Server..........................................................288
26 Customizing the HP-UX AAA Server Using the Finite State Machine.........291
States ............................................................................................................................291
Using Xstring to Call Policy ...........................................................................................293
Using Xstring to Call an Alternate authfile ......................................................................293
Event Names ..................................................................................................................293
Predefined Event Names .............................................................................................293
Creating New Names ................................................................................................295
Actions ..........................................................................................................................296
FSM Tables................................................................................................................297
Custom State Tables ........................................................................................................298
Tracking Versions .......................................................................................................298
Examples ..................................................................................................................298
Preprocessing Module ............................................................................................298
Interim Logging ..........................................................................................................299
Custom Logging Format ..............................................................................................299
Proxy Accounting Messages.........................................................................................299
27 Customizing the HP-UX AAA Server Using Policies.................................301
Policy Overview...............................................................................................................301
Defining a Policy in a Decision File.....................................................................................302
Action Commands.......................................................................................................303
The delete Command..............................................................................................303
The insert Command...............................................................................................304
The modify Command.............................................................................................305
The exit Command.................................................................................................306
The log Command..................................................................................................307
The if Command....................................................................................................307
Attribute Specifications.................................................................................................309
Attribute Names.....................................................................................................310
Vendor Names.......................................................................................................310
Attribute Instance Specifications................................................................................310
No Instance Specification...................................................................................310
Numeric Instance Specification............................................................................310
Keyword Instance Specification............................................................................310
Attribute Functions..................................................................................................311
The count Attribute Function................................................................................311
The length Attribute Function...............................................................................312
The strcat Attribute Function.................................................................................312
The substr Attribute Function................................................................................313
The tolower Attribute Function..............................................................................316
The toupper Attribute Function.............................................................................316
Value Types................................................................................................................316
Arithmetic Expressions.................................................................................................317
Arithmetic Operator Precedence and Association........................................................317
Supported Boolean Operators......................................................................................318
Boolean Operator Precedence and Association..........................................................319
Type Compatibility......................................................................................................320
Invoking a Policy..............................................................................................................321
Invoking Policies Through Predefined Policy Hooks...........................................................321
Request Ingress Policy..............................................................................................321
User Policy............................................................................................................322
Invoking Policy from User Profiles.........................................................................322
Reply Egress Policy.................................................................................................323
Proxy Egress Policy.................................................................................................323
Proxy Ingress Policy.................................................................................................324
Useful Attributes for Policy Conditions.............................................................................324
Modifying the FSM for Specific Customizations ..............................................................325
Sample Policy Implementations..........................................................................................326
Dynamic Access Control...............................................................................................326
Step 1 – Modifying the Default FSM for DAC.............................................................326
Step 2 – Defining the DAC Policies............................................................................327
DNIS Routing.............................................................................................................327
Step 1 – Modifying the Default FSM for DNIS Routing.................................................327
Step 2 – Defining the DNIS Routing Policies...............................................................328
28 Customizing the HP-UX AAA Server Using the SDK...............................329
SDK Overview.................................................................................................................329
Migrating Plug-ins Created Using Previous Versions of the SDK..............................................330
Prerequisites for Using the SDK..........................................................................................330
SDK Directory Structure.....................................................................................................331
SDK Concepts.................................................................................................................331
Overview of AATVs.....................................................................................................331
AATV Components......................................................................................................331
The init Function.....................................................................................................331
The action Function.................................................................................................331
The timer or callback Function..................................................................................332
The cleanup Function..............................................................................................332
Creating Plug-ins..............................................................................................................332
Using AATVs to Create a Plug-in...................................................................................333
Compiling and Loading a Plug-in..................................................................................334
Testing and Debugging a Plug-in...................................................................................334
Using the GNU Project Debugger.............................................................................334
Using gdb to Debug Your Software Module..........................................................334
Creating Plug-ins for AATVs...............................................................................................335
A3 and A8 Algorithm Plug-in for EAP-SIM.......................................................................335
Creating A3, A8 Plug-ins.........................................................................................336
AKA Algorithm Plug-in for EAP-AKA...............................................................................337
Creating AKA Plug-ins.............................................................................................337
VI Troubleshooting.....................................................................................340
29 Troubleshooting Overview..................................................................343
AAA Environment Components..........................................................................................343
HP-UX AAA Server Operation............................................................................................344
Probable Causes for Failure...............................................................................................345
Configuration Problems................................................................................................345
External Service Problems.............................................................................................345
Protocol Limitations......................................................................................................345
RADIUS Client and Supplicant Considerations................................................................346
30 Troubleshooting Procedures................................................................347
Troubleshooting Flowchart.................................................................................................347
Troubleshooting Flowchart Process.................................................................................348
Troubleshooting the Server Manager Administration Utility....................................................350
Common Problems With the Server Manager.................................................................350
Troubleshooting Server Manager Launch Problems......................................................352
Troubleshooting Remote Management Problems..........................................................353
Troubleshooting the HP-UX AAA Server...............................................................................354
Troubleshooting HP-UX AAA Server Startup Problems.......................................................354
Common Problems with HP-UX AAA Server Startup.....................................................354
Troubleshooting Bind Errors at HP-UX AAA Server Startup.......................................356
Troubleshooting an Unresponsive HP-UX AAA Server.......................................................357
Troubleshooting Common Configuration Problems.......................................................357
Troubleshooting External Services.............................................................................360
Identifying External Service Failures using Logfile Error Messages.............................360
Identifying Unrecorded External Datastore Failures.................................................363
Identifying Proxy Server Failures..........................................................................363
Identifying Unrecorded DHCP Failures..................................................................364
Troubleshooting Access-Rejects from the HP-UX AAA Server..............................................364
Common Authentication Failure Problems..................................................................364
EAP Problems.............................................................................................................369
Troubleshooting Provisioning Errors................................................................................371
Troubleshooting the HP-UX AAA Server Admin Utility.......................................................372
31 Troubleshooting Resources..................................................................374
HP-UX AAA Server Troubleshooting Utilities.........................................................................374
The radcheck Utility: For Checking the Server Status........................................................374
The radpwtst Utility: For Testing Authentication................................................................374
The raddbginc Utility: For Setting Debug Output Levels.....................................................375
The radsignal Utility: For Rolling Over the Debug Output to New Files................................375
The HP-UX AAA Server Logfile and Debug File.....................................................................375
The HP-UX AAA Server Logfile......................................................................................376
The HP-UX AAA Server Debug File................................................................................376
32 Reporting Problems...........................................................................377
Server Set Up Information.................................................................................................377
Server Manager Related Information..................................................................................377
External Components........................................................................................................378
External Databases......................................................................................................378
SNMP Servers............................................................................................................378
DHCP Servers.............................................................................................................378
OpenSSL....................................................................................................................378
EAP Related Information....................................................................................................378
Clients.......................................................................................................................378
Access Points..............................................................................................................378
VII Reference.............................................................................................379
33 Configuration Files ...........................................................................382
HUP Processing...............................................................................................................382
The aaa.config File..........................................................................................................383
Variables in the aaa.config File.....................................................................................383
The vsa_integer_sign Variable..................................................................................383
The strict_duplicate_check Variable...........................................................................383
The aatv.ProLDAP Property.......................................................................................383
The iaaa.SNMP Property.........................................................................................384
The log_threshold_limit and suppression_interval Variables..........................................384
The list_copy_limit Variable......................................................................................385
The localUsersFile.FilterType Property.........................................................................385
The default_users_file_cis_search Property..................................................................385
The log_forwarding Variable....................................................................................385
The log_generated_request Variable.........................................................................385
The ourhostname Variable.......................................................................................385
The packet_log Variable..........................................................................................386
The radius_log_fmt Variable.....................................................................................386
The reply_check Variable.........................................................................................386
OTP Authentication-Related Configuration Items...............................................................387
Dynamic Authorization-Related Configuration Items..........................................................387
The clients File.................................................................................................................387
Prefixed Users and authfile...........................................................................................388
Wildcard Support for IPv4 and IPv6..............................................................................388
The users File ..................................................................................................................389Syntax of a User Entry ................................................................................................389Syntax of IPv6 Attributes...............................................................................................389
NAS-IPv6-Address..................................................................................................389Framed-Interface-Id.................................................................................................389Framed-IPv6-Prefix..................................................................................................390
      Login-IPv6-Host 390
      Framed-IPv6-Route 390
      Framed-IPv6-Pool 390
    With Tunneling 391
  The dictionary File 391
    Attribute Entries 392
      Pruning Expressions 392
    Value Entries 393
  The las.conf File 394
    LAS Session Timing Parameters 394
    Token Pool Configuration 395
    Realm Configuration 395
  The vendors File 396
    Syntax of a vendors File 396
  The log.config File 397
    Syntax of a Stream Entry 397
    Default Entry 398
    End Entry 398
    Logging Multiple Streams 398
    Values Logged by Default 399
    Examples 399
      Livingston Call Detail Record (CDR) Format 399
      Multiple Logging Streams 400
      Logging Based on Attributes 400
      Accounting Log Based on Attribute Value 401
      Changing the Accounting Log Rollover Interval 402
34 Attribute-Value Pairs 403
  Specifying Attribute-Value Pairs 403
    Attribute-Value Formats 403
    Examples 403
    Tagged Attributes 404
  Attributes in User Profiles 404
    Configuration Attributes 404
      Local Authorization Service (LAS) Configuration 406
        Simultaneous-Use Attribute 406
        Attributes Concerning OTP Authentication 406
  Check (and Deny) Items 406
    Attributes Concerning the NAS 406
    Policy Attributes 407
    Other Attributes 407
  Reply Items 408
    General Attributes 409
    Attributes Concerning Login Users 410
    Attributes for Framed Users 410
    Tunneling Attributes 411
    Other Attributes 413
  Attributes in Accounting Records 414
    Additional Session Information 414
35 MIB Objects 418
  MIB Objects 418
A Supported IETF RFCs 424
B Supported Authentication Methods 426
C RADIUS Data Packets 428
  Data Packet Format 428
  Attribute-Value Pair Format 428
D Header Files, Data Structures, and APIs in the HP-UX AAA Server SDK 430
  Header Files and Data Structures in the SDK 430
  APIs in the HP-UX AAA Server SDK 430
    A-V Pair APIs 430
      sdk_avp_t *sdk_avp_allocate() 430
      void sdk_avp_free() 431
      int sdk_get_avp_info() 431
      int sdk_set_avp() 431
      int sdk_set_vend_avp() 432
    Authreq APIs 432
      sdk_avp_t *sdk_find_avp() 432
      sdk_avp_t *sdk_find_vend_avp() 433
      int sdk_del_avp() 434
      int sdk_insert_avp() 434
      int sdk_get_authreq_info() 435
    Logging APIs 436
      int sdk_logit() 436
      int sdk_log_debug() 437
    Asynchronous Event and I/O APIs 438
      int sdk_pollfd_register() 438
      int sdk_pollfd_unregister() 438
      int sdk_schedule_event() 438
    Secondary APIs 439
      sdk_authreq_t *sdk_get_authreq_by_id() 439
      char *sdk_get_config_dir() 439
      int sdk_set_authreq_info 439
      int sdk_get_client_info() 440
      int sdk_decrypt_passwd() 441
      int sdk_encrypt_passwd() 441
      sdk_authreq_t *sdk_authreq_allocate 441
      void sdk_authreq_free 442
      int sdk_enqueue_authreq 442
E Syntax of the Decision Files in Earlier Versions of the HP-UX AAA Server 443
  Expressions 443
  Specifying Attributes in Group Entries 444
    Dynamic Access Control 444
    Internal Values 444
  Using Indirection 444
  Example Group Entries 445
    DNIS.grp for DNIS Routing 445
    DAC.grp for Dynamic Access Control 446
Glossary of Terms 448
Index 453
About This Document

This document provides an overview of the HP-UX AAA Server and describes how to configure, administer, and troubleshoot the product. This document does not cover installing the product.

The document printing date and part number on the cover indicate the document’s current edition. The printing date and part number change when a new edition is printed. Minor changes can be made at reprint without changing the printing date. The document part number will change when extensive changes are made.

Document updates may be issued between editions to correct errors or document product changes. To ensure that you receive the updated or new editions, subscribe to the appropriate product support service. Contact your HP sales representative for details.

The latest version of this document is available at: http://www.hp.com/go/hpux-security-docs. (Select HP-UX AAA Server (RADIUS) Software.)
Intended Audience

This document is intended for HP-UX AAA Server administrators who understand the HP-UX operating system.
New and Changed Information in This Edition

The following additions and changes are made for edition 11:
• Includes support for EAP-MS-CHAPv2 for OTP authentication. For more information, see “OATH Standards-Based OTP Authentication” (page 128).
• Includes support for a common logfile for multiple instances of the HP-UX AAA server. For more information, see “Administering HP-UX AAA Servers Using HP-UX AAA Server Manager” (page 200).
Other minor changes have been made throughout the document, as required.
Document Organization

The HP-UX AAA Server A.08.02.10 Administrator's Guide is organized as follows:
• Part I — Introduction provides general information about the HP-UX AAA Server product and the RADIUS protocol. It also describes how to secure your HP-UX AAA Server installation.
• Part II — Configuring the HP-UX AAA Server Manager Using the Server Manager GUI describes how to use the Server Manager to administer your AAA environment.
• Part III — Advanced Configuration Information provides information on advanced topics, such as securing LAN access using EAP, session management, assigning IP addresses, configuring OTP and two-factor authentication, configuring for EAP-SIM and EAP-AKA authentication methods, configuring for scalability and high availability, configuring for the client functionality, and configuring for the dynamic authorization capability of the HP-UX AAA Server.
• Part IV — Integrating the HP-UX AAA Server With External Services describes how to integrate the HP-UX AAA Server with external services such as Lightweight Directory Access Protocol (LDAP), SQL Access, Dynamic Host Configuration Protocol (DHCP), Simple Network Management Protocol (SNMP), and Virtual Private Network (VPN).
• Part V — Customizing the HP-UX AAA Server describes how to customize the HP-UX AAA Server to meet various deployment scenarios.
• Part VI — Troubleshooting provides guidelines and error messages to help troubleshoot issues with the HP-UX AAA Server.
• Part VII — Reference provides information to supplement the task-based information in the previous parts of the document. Use the information in this section to learn more about non-task-based topics such as configuration files and attribute-value pairs.
• Appendix A (page 424) lists all the RFCs that are supported by the HP-UX AAA Server.
• Appendix B (page 426) lists and describes all the authentication methods that are supported by the HP-UX AAA Server.
• Appendix C (page 428) provides information about the RADIUS data packet format.
• Appendix D (page 430) lists and describes all the header files, data structures, and APIs included in the HP-UX AAA Server SDK.
• Appendix E (page 443) discusses the syntax of decision files that are supported by previous versions of the HP-UX AAA Server.
HP Secure Development Lifecycle

Starting with the HP-UX 11i v3 March 2013 update release, HP Secure Development Lifecycle provides the ability to authenticate HP-UX software. Software delivered through this web release has been digitally signed using HP's private key. You can now verify the authenticity of the software before installing the products delivered through Web Release.

To verify software signatures in a signed depot, version B.11.31.1303 or later of Software Distributor (SD) and version A.01.01.07 or later of HP-UX Whitelisting (WhiteListInf) must be installed on your system.

To verify the signatures, run: swsign -v -s 

For more information, see the Software Distributor documentation at http://www.hp.com/go/sd-docs and the Ignite-UX documentation at http://www.hp.com/go/ignite-ux-docs.
Publishing History

The following table shows the printing history of this document. The first entry in the table corresponds to the current edition, and previous editions are listed in reverse chronological order.

Table 1 HP-UX AAA Server Administrator’s Guide Printing History

Supported OS                        Supports Software Version   Document Release Date (month/year)   Document Part Number
HP-UX 11i v3                        A.08.02.10                  11/13                                T1428-90093
HP-UX 11i v3                        A.08.02                     08/12                                T1428-90091
HP-UX 11i v2 and HP-UX 11i v3       A.08.01                     05/10                                T1428-90072
HP-UX 11i v2 and HP-UX 11i v3       A.08.00                     02/09                                T1428-90071
HP-UX 11i v1, 11i v2, 11i v3        A.07.01                     03/08                                T1428-90066
HP-UX 11i v1, 11i v2, 11i v3        A.07.00                     09/07                                T1428-90064
HP-UX 11i v1, 11i v2                A.07.00                     09/06                                5991-6434
HP-UX 11i v1, 11i v2                A.06.02                     11/05                                T1428-90061
HP-UX 11.00, 11i v1, 11i v2         A.06.01.x                   01/04                                T1428-90050
HP-UX 11.00, 11i v1                 A.06.01.x                   10/03                                T1428-90042
HP-UX 11.00, 11i v1                 A.06.00.08                  04/03                                T1428-90025
HP-UX 11.00, 11i v1                 A.06.00.07                  02/03                                T1428-90014
HP-UX 11.00, 11i v1                 A.05.01.01                  06/02                                T1428-90001
Typographic Conventions

This document uses the following typographical conventions:

audit(5)      An HP-UX manpage. In this example, audit is the name and 5 is the section in the HP-UX Reference. On the web and on the Instant Information CD, it may be a link to the manpage itself. From the HP-UX command line, you can enter “man audit” or “man 5 audit” to view the manpage. See man(1).
Book Title    The title of a book. On the web and on the Instant Information CD, it may be a link to the book itself.
KeyCap        The name of a keyboard key. Note that Return and Enter both refer to the same key.
Emphasis      Text that is emphasized.
Emphasis      Text that is strongly emphasized.
Term          The defined use of an important word or phrase.
ComputerOut   Text displayed by the computer.
UserInput     Commands and other text that you type.
Command       A command name or qualified command phrase.
Variable      The name of a variable that you may replace in a command or function or information in a display that represents several possible values.
[ ]           The contents are optional in formats and command descriptions. If the contents are a list separated by |, you can choose one of the items.
{ }           The contents are required in formats and command descriptions. If the contents are a list separated by |, you can choose one of the items.
...           The preceding element can be repeated an arbitrary number of times.
|             Separates items in a list of choices.
HP-UX Release Name and Release Identifier

Each HP-UX 11i release has an associated release name and release identifier. The uname(1) command with the -r option returns the release identifier. The following table lists the releases available for HP-UX 11i.

Table 2 HP-UX 11i Releases

Release Name    Release Identifier
HP-UX 11i v1    B.11.11
HP-UX 11i v2    B.11.23
HP-UX 11i v3    B.11.31
Related Information

In addition to this document, additional information about the HP-UX AAA server can be found in the Internet and Security Solutions collection under AAA Server (RADIUS) at: http://www.hp.com/go/hpux-security-docs. (Select HP-UX AAA Server (RADIUS) Software.)

HP Encourages Your Comments

HP encourages your comments concerning this document. We are committed to providing documentation that meets your needs.

Send your comments to: [email protected]
Include the document title, manufacturing part number, and any comment, error found, or suggestion for improvement you have concerning this document.
Part I Introduction

This part of the HP-UX AAA Server Administrator’s Guide contains the following chapters:

• Chapter 1: “Overview: The HP-UX AAA Server” (page 23)
• Chapter 2: “Upgrading to Version A.08.02.10” (page 34)
• Chapter 3: “Installing and Securin