HP -UX AAA Ser ver A.06.00
Gettin g Sta r ted Gu id e
HP -UX 11.0, 11i v1
Ma n u fa ctu r in g Pa r t Nu m ber : T1428-90026
E0403
U.S.A.
© Copyright 2003 Hewlett-Packard Company. .
RADIUS Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
RADIUS Topology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Establishing a RADIUS Session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Supported Authentication Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
RADIUS Data Packets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Shared Secret . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Product Structure. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
AAA Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
AAA Server Manager Program . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Accessing the Server Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
AAA Server Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Configuration Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
AATV Plug-Ins . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
The Software Engine: Finite State Machine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
HP-UX AAA Server Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
General Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Authentication Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Authorization Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Accounting Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Admin and Debug Tools/Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
NAS Compatibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
LAN Access Device Compatibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Obtaining the HP-UX AAA Server Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Product Dependencies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Installation and Start-Up Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Installation and Start-Up Procedure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Running Server Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Starting and Stopping the RMI Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Starting and Stopping Server Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Changing Server Manager User Name and Password . . . . . . . . . . . . . . . . . . . . . . . 27
UnInstalling the HP-UX AAA Server Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Installation Defaults . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
iii
Commands, Utilities, & Daemons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Testing the Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Storing User Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Storing User Profiles in the Default Users File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Storing Wireless User Profiles Locally . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Grouping Users by Realm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Adding and Modifying Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Session Logging and Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Viewing User Session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Viewing Server Logfiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Viewing Server Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
4. Glossa r y of Ter m s
iv
Abou t Th is Docu m en t
This document provides an overview of the HP-UX AAA Server product
and explains how to install it. The document also provides basic
configuration steps to beginning tasks.
The document printing date and part number indicate the document’s
current edition. The printing date and part number will change when a
new edition is printed. Minor changes may be made at reprint without
changing the printing date. The document part number will change
when extensive changes are made.
Document updates may be issued between editions to correct errors or
document product changes. To ensure that you receive the updated or
new editions, you should subscribe to the appropriate product support
service. See your HP sales representative for details.
The latest version of this document can be found at
In ten d ed Au d ien ce
This Getting Started Guide is designed for first-time and beginning
users of the HP-UX AAA Server. Its objective is to allow you to quickly
familiarize yourself with the basic functions of the product. Users should
be familiar with the HP-UX operating system before using this guide.
New a n d Ch a n ged Docu m en ta tion in Th is
Ed ition
•
HP-UX AAA Server now uses the HP-UX Tomcat-Based Serverlet
Engine component, as opposed to previously using the entire HP-UX
Download the HP-UX Tomcat-Based Serverlet Engine at
information.
•
New steps for starting the Server Manager GUI. See “Installation
and Start-Up Procedure” for more information.
v
•
“About This Document” content was removed from Chapter 1 in the
previous version of this guide, and now resides in the preface of this
guide.
P u blish in g Histor y
The following table shows the printing history of this document. The first
entry in the table corresponds to this document, while previous releases
are listed in descending order.
Ta ble 1
Gettin g Sta r ted Gu id e P r in tin g Histor y
Docu m en t
Pa r t
Nu m ber
Docu m en t
Relea se Da te
(m on th /yea r )
Su p p or ts
Softw a r e
Ver sion
Su p p or ted OS
T1428-90026
T1428-90002
0403
0602
A.06.00.08 HP-UX 11.00, 11i v1
A.05.01.01 HP-UX 11.00, 11i v1
•
product features and basic information about using the server and
using it in AAA applications.
•
•
Chapter 2, Installation, leads you through server installation,
testing the installation, and starting the Server Manager GUI.
Chapter 3, Basic Configuration Tasks, contains procedures that lead
you through basic configuration and testing tasks.
Typ ogr a p h ica l Con ven tion s
monospace
Identifies files, daemons, or any other item that may
appear on screen
italics
Identifies titles of books, chapters, or sections
Docu m en t Ad visor ies Different types of notes appear in the text to call
your attention to information of special importance. They are enclosed in
ruling lines with a header that indicates the type of note and its urgency.
vi
NOTE
Emphasizes or supplements parts of the text. You can disregard the
information in a note and still complete a task.
IMPORTANT
CAUTION
Notes that provide information that are essential to completing a task.
Describes an action that must be avoided or followed to prevent a loss of
data.
Rela ted Docu m en ts
In addition to this Getting Started Guide, HP released the following
documents to support the HP-UX AAA Server A.06.00:
Ta ble 2
Ad d ition a l Docu m en ts
Docu m en t
Pa r t Nu m ber
Docu m en t Title
HP-UX AAA Server A.06.00 Administration and
Authentication Guide
T1428-90025
T1428-90024
HP-UX AAA Server A.06.00.08 Release Notes
The Administration and Authentication Guide, and the Getting Started
are installed with the product at /opt/aaa/share/doc/. You can also
find these documents in the Server Manager’s Help menu. The most
recently released documentation for the HP-UX AAA Server is always
Solutionspage.
HP En cou r a ges You r Com m en ts
HP encourages your comments concerning this document. We are truly
committed to providing documentation that meets your needs.
vii
Please send comments to: netinfo_feedback@cup.hp.com
Please include document title, manufacturing part number, and any
comment, error found, or suggestion for improvement you have
concerning this document. Also, please include what we did right so we
can incorporate it into other documents.
viii
Introduction to AAA Server
RADIUS Overview
RADIUS Over view
The Remote Authentication Dial In User Service (RADIUS) protocol is
widely used and implemented to manage access to network services. It
defines a standard for information exchange between a Network Access
Server (NAS) and an authentication, authorization, and accounting
(AAA) server for performing authentication, authorization, and
accounting operations. A RADIUS AAA server can manage user profiles
for authentication (verifying user name and password), configuration
information that specifies the type of service to deliver, and policies to
enforce that may restrict user access.
RADIUS Top ology
The RADIUS protocol follows client-server architecture. The client sends
user information to the RADIUS AAA server (in an Access-Request
message) and after receiving a reply from the server acts according to the
returned information. The RADIUS AAA server receives user requests
for access from the client, attempts to authenticate the user, and returns
the configuration information and polices to the client. The RADIUS
AAA server may be configured to authenticate an Access-Request locally
or to act as a proxy client and forward a request to another AAA server.
After forwarding a request, it handles the message exchanges between
the NAS and the remote server. A single server can be configured to
handle some requests locally and to forward proxy requests to remote
servers.
In Figure 1-1 on page 3 an example ISP uses four AAA servers to handle
user requests. Each user organization represents a logical grouping of
users (defined as a realm). Each user organization dials in to one of the
ISP’s servers through an assigned NAS, some of which are shared by the
same groups or realm. To provide appropriate service to a customer, the
server accesses user and policy information from a repository, which may
be integrated with the server, may be an external application, or a
database that interfaces with the server. For the HP-UX AAA RADIUS
and policy server the repository information may be stored in flat text
files or in an external database, such as an Oracle® database or LDAP
directory server.
2
Chapter 1
Introduction to AAA Server
RADIUS Overview
Figu r e 1-1
Gen er ic AAA Netw or k Top ology
A forwarding server sends
proxied Access-Requests
to a remote server
AAA servers and NASs
exchange requests/replies
Users dial-in
to a NAS
A User
Organization
AAA1.ISP.net
NAS1
location: Ann Arbor
B User
Organization
Repository
NAS2
C User
AAA4.ISP.net
Organization
location: Detroit
D User
Organization
Repository
AAA2.ISP.net
location: Flint
NAS3
E User
Organization
Repository
Repository
F User
Organization
AAA3.ISP.net
location: Kalamazoo
NAS4
Chapter 1
3
Introduction to AAA Server
RADIUS Overview
Esta blish in g a RADIUS Session
The handling of a user request is series of message exchanges that
attempts to provide the user with a network service by establishing a
session for the user. This transaction can be described as a series of
actions that exchange data packets containing information related to the
request. Figure 1-2, Client-Server RADIUS Transaction, illustrates the
details of the transaction between a RADIUS AAA server and a client (a
NAS in this example). When the user’s workstation connects to the
client, the client sends an Access-Request RADIUS data packet to the
AAA server.
Figu r e 1-2
Clien t-Ser ver RADIUS Tr a n sa ction
Client
(NAS)
User
AAA Server
User Connects
Access-Request
Access-Reject
Or
User Disconnects
Access-Accept
Accounting-Request (Start)
Accounting-Response
Session Starts
Accounting-Request (Stop)
Accounting-Response
Session Ends
User Disconnected
When the server receives the request, it validates the sending client. If
the client is permitted to send requests to the server, the server will then
take information from the Access-Request and attempt to match the
request to a user profile. The profile will contain a list of requirements
that must be met to successfully authenticate the user. Authentication
usually includes verification of a password, but can also specify other
information, such as the port number of the client or the service type
that has been requested, that must be verified.
4
Chapter 1
Introduction to AAA Server
RADIUS Overview
If all conditions are met, the server will send an Access-Accept packet to
the client; otherwise, the server will send an Access-Reject. An
Access-Accept data packet often includes authorization information that
specifies what services the user can access and other session
information, such as a timeout value that will indicate when the user
should be disconnected from the system.
When the client receives an Access-Accept packet, it will generate an
Accounting-Request to start the session and send the request to the
server. The Accounting-Request data packet describes the type of service
being delivered and the user that will use the service. The server will
respond with an Accounting-Response to acknowledge that the request
was successfully received and recorded. The user’s session will end when
the client generates an Accounting-Request—triggered by the user, by
the client, or an interruption in service—to stop the session. Again, the
server will acknowledge the Accounting-Request with an
Accounting-Response.
Su p p or ted Au th en tica tion Meth od s
The following list describes the authentication methods the HP-UX AAA
Server supports:
•
Pa ssw or d Au th en tica tion P r otocol (PAP) is not a strong
authentication method to establish a connection; passwords are sent
in clear text between the user and client. When used with RADIUS
for authentication, the messages exchanged between the client and
server to establish a PPP connection corresponds to Figure 1-2. This
authentication method is most appropriately used where a plaintext
password must be available to simulate a login at a remote host. In
such use, this method provides a similar level of security to the usual
user login at the remote host.
•
Ch a llen ge-Ha n d sh a k e Au th en tica tion P r otocol (CHAP) is a
stronger authentication protocol to establish a connection. When
used with RADIUS for authentication, the messages exchanged
between the client and server to establish a PPP connection is
similar to Figure 1-2. One difference, however, is that a challenge
occurs between the user and NAS before the NAS sends an
Access-Request. The user must respond by encrypting the challenge
(usually a random number) and returning the result. Authorized
users are equipped with special devices, like smart cards or software,
Chapter 1
5
Introduction to AAA Server
RADIUS Overview
which can calculate the correct response. The NAS will then forward
the challenge and the response in the Access-Request, which the
AAA server will use to authenticate the user.
•
Micr osoft Ch a llen ge-Ha n d sh a k e Au th en tica tion P r otocol
(MS-CHAP) is an implementation of the CHAP protocol that
Microsoft created to authenticate remote Windows workstations. In
most respects, MS-CHAP is identical to CHAP, but there are some
differences. MS-CHAP is based on the encryption and hashing
algorithms used by Windows networks, and the MS-CHAP response
to a challenge is in a format optimized for compatibility with
Windows operating systems.
•
Exten sible Au th en tica tion P r otocol (EAP) Like CHAP, EAP is a
more secure authentication protocol to establish a PPP connection
than PAP and offers more flexibility to handle authentication
requests with different encryption algorithms. It allows
authentication by encapsulating various types of authentication
exchanges, such as MD5. These EAP messages can be encapsulated
in the packets of other protocols, such as RADIUS, for compatibility
with a wide range of authentication mechanisms. This flexibility also
allows EAP to be implemented in a way (LEAP, for example) that is
more suitable for wireless and mobile environments than other
authentication protocols. EAP allows authentication to take place
directly between the user and server without the intervention by the
access device that occurs with CHAP.
NOTE
EAP/TLS and EAP/TTLS functionality is not supported in the
HP-UX AAA Server A.06.00.
RADIUS Da ta Pa ck ets
The Access-Request and other RADIUS data packets contain a header
and a set of attribute-value (A-V) pairs, which are used by the server
during the AAA transaction. The RADIUS RFC 2865 defines how
vendors can extend the protocol. Encapsulation is the RFC defined way
of extending RADIUS. Conflicts can occur when the RFC is not followed.
In those cases, the server can map the attributes to unique internal
values for processing. For a full description of RADIUS attribute-value
pairs, see the Administrator’s Guide.
6
Chapter 1
Introduction to AAA Server
RADIUS Overview
Sh a r ed Secr et
Encrypting the transmission of the User-Password in a request is
accomplished by a shared secret. The shared secret is used to sign
RADIUS data packets to ensure they are coming from a trusted source.
The shared secret is also used to encrypt user passwords with certain
authentication methods such as PAP. The HP-UX AAA Server uses the
clientsconfiguration file to associate a secret to each client (or server)
that is authorized to make use of its services.
Chapter 1
7
Introduction to AAA Server
Product Structure
P r od u ct Str u ctu r e
The HP-UX AAA Server, based on a client/server architecture, consists of
three components which may be installed independently:
•
HP-UX AAA Server daemon, libraries, and utilities
•
The AAA Server Manager is a program that performs administration
and configuration tasks from a client’s browser for one or more AAA
servers.
•
•
AAA Server module for Oracle authentication
Documentation
The exchange of configuration information between a remote AAA server
and the AAA Server Manager program is validated by a shared secret.
This secret is unique to the Server Manager and a remote AAA server. It
should not be the same secret used by a AAA server and the peers that it
communicates with. The exchange of information between a browser and
the client program is not validated or encrypted by default, although you
can configure HTTPS to secure this communication. Refer to the HP-UX
AAA Server Administration and Authentication Guide for more
information about configuring Server Manager to run over HTTPS.
NOTE
To secure the communication between the Server Manager and the
HP-UX AAA Server, install the Server Manager and the HP-UX AAA
Server software inside a secure network.
AAA Ser ver s
AAA server installations include the AAA server, which performs the
authentication, authorization, and accounting functions to process
requests, and RMI objects. The RMI objects establish a connection and
facilitate communication between the AAA server and the HP-UX
Tomcat-based Serverlet Engine.
8
Chapter 1
Introduction to AAA Server
Product Structure
AAA Ser ver Ma n a ger P r ogr a m
The AAA Server Manager utilizes the HP-UX Tomcat-based Serverlet
Engine to provide a configuration interface between a web browser and
one or more AAA servers. Server Manager is used for starting, stopping,
configuring, and modifying the servers. In addition, the program can
retrieve logged server sessions and accounting information for an
administrator.
Accessin g th e Ser ver Ma n a ger
The Server Manager provides access to the AAA server management
functions and configuration files. From a remote client workstation,
administrators can access the AAA Server Manager interface through a
Web browser. An administrator can create a AAA configuration for
authenticating users and implementing authorization policies. In
addition to creating, modifying, and deleting entries in many of the
server’s configuration files, an administrator may start and stop the AAA
server, access the server’s status and system time, retrieve information
from accounting and session logs, and terminate sessions. You can access
the functions that perform these operations by selecting an item from the
Navigation Tree located in the left frame of the HTML page.
NOTE
Some advanced features of the HP-UX AAA Server cannot be configured
through the Server Manager interface. For example, if you want to define
policy or vendor-specific attributes, you must manually edit the
configuration files. Refer to the HP-UX AAA Server Administration and
Authentication Guide for more information.
Chapter 1
9
Introduction to AAA Server
Product Structure
Figu r e 1-3
Th e Ser ver Ma n a ger User In ter fa ce
Br ow ser Requ ir em en ts for Ser ver Ma n a ger
You need one of the following Web browsers to access the Server
Manager:
•
Netscape® Navigator 4.76 (or higher)
•
Microsoft® Internet Explorer 5.0.5 (or higher)
The browser preferences or Internet options should be set to always
compare loaded pages to cached pages. HP recommends these versions
because of known problems in earlier versions.
10
Chapter 1
Introduction to AAA Server
AAA Server Architecture
AAA Ser ver Ar ch itectu r e
The HP-UX AAA Server Architecture consists of three primary
components:
•
Configuration files. By editing these flat text files, with either the
Server Manager user interface or with a text editor, you can provide
the information necessary for the server to perform authentication,
authorization, and accounting requests for your system.
•
•
AATV plug-ins perform discrete actions; such as initiating an
authentication request, replying to an authentication request, or
logging an accounting record.
The software engine, which includes the Finite State Machine (FSM)
and some associated routines. At server startup, the finite state
machine reads instructions from a state table—by default the
/etc/opt/aaa/radius.fsmtext file. The state table outlines what
AATV actions to call and what order to call them in.
When the server is initialized, it performs a few distinct operations. It
loads and initializes the AATV plug-ins, so that actions can be executed
when called by the finite state machine. It also reads the configuration
files to initialize the data required for the actions to execute according to
the application’s requirements.
Con figu r a tion Files
The HP-UX AAA Server reads data from the following configuration files installed
at /etc/opt/aaa/by default:
Ta ble 1-1
File
HP -UX AAA Ser ver Con figu r a tion Files
Descr ip tion
clients
Information about all RADIUS clients—name,
address, shared secret, type, etc.—that allows the
server to recognize and communicate with the
clients.
authfile
Authentication type parameters for defined realms.
Chapter 1
11
Introduction to AAA Server
AAA Server Architecture
Ta ble 1-1
File
HP -UX AAA Ser ver Con figu r a tion Files
Descr ip tion
users
realm
Information about user IDs, passwords, and
check/deny/reply items.
The same information as the usersfile, but this
user information is associated with a particular
realm. These files are only necessary to perform
File type authentication for a defined realm.
Realms are recognized by the realm component of
the user’s Network Access Identifier, for example:
user@realm.com.
NOTE: This is a user generated file, it does not ship
with the product.
decision
las.conf
Policy information for user authorization and
session control based on any logical group that can
be defined with A-V pairs.
NOTE: This is a user generated file, it does not ship
with the product.
Defines services for session control based on
realms.
vendors
Optional entries for vendor-specific behavior.
dictionary
Defines all attributes and values that may be used
to build attribute-value (A-V) pairs that will be
recognizable by the server. These A-V pairs contain
information about requests and responses. This file
also contains definitions for all the authentication
types that the server recognizes.
log.config
Specifies the predefined session log formats to use.
aaa.config
Calls engine.config.
iaaaAgent.conf Specifies how often the AAA server’s SNMP
subagent will check to see if a master agent is
active.
12
Chapter 1
Introduction to AAA Server
AAA Server Architecture
Ta ble 1-1
File
HP -UX AAA Ser ver Con figu r a tion Files
Descr ip tion
EAP.authfile
db_srv.opt
Used to configure EAP authentication for user
profiles.
The configuration script for the db_srv
environment variables.
engine.config
Called by aaa.conf, this file stores most of the
AAA server properties.
You can find out more information about these files by referring to the
HP-UX AAA Server Administration and Authentication Guide. Each
configuration file also contains comments with examples.
AATV P lu g-In s
Define actions to perform functions, such as authenticating requests,
authorizing, and logging. Built-in actions support authentication of users
from information in different storage methods.
Th e Softw a r e En gin e: Fin ite Sta te Ma ch in e
In the Finite State Machine, a request will transition through a series of
states, starting with a state that includes possible starting events. The
first action specified to be called in response to an initial authentication
request would return a value, an event that determines the next state to
transition to. Within each state, the next action is triggered by an event
(based on previous state and action and a value, typically ACK or NAK,
returned by the previous action), which in turn directs the flow of the
request to another state, until an End state is reached.
Chapter 1
13
Introduction to AAA Server
HP-UX AAA Server Features
HP -UX AAA Ser ver Fea tu r es
Gen er a l Fea tu r es
•
•
Compliant with RADIUS protocol RFC 2865 and 2866 standards
Supports multiple vendor NASs with a single server (multi-vendor
dictionary that includes Nortel®, Cisco®, Lucent®, and others)
•
•
Configurable dictionary that allows the definition of new vendors and
vendor-specific attributes and values
Dictionary includes attributes from RFCs 2865, 2866, 2867, 2868,
and 2869
•
•
Vendor-specific attribute translation
Configurable attribute-value pruning behavior (based on dictionary
and clients file definitions)
•
•
•
Various configurable (through aaa.config) internal queue and
buffer sizes
Persistent user session table and automatic recovery of session
information after a server reload occurs
Engine support of loadable plug-in modules
Au th en tica tion Fea tu r es
•
Distributed authentication (proxy) by realms (RADIUS type
authentication)
•
Support for PAP authentication protocol by all supported
authentication types
•
•
•
Support for CHAP (clear text password required in the user profile)
Support for MS-CHAP
Support for EAP authentication for wireless LAN access points and
switches (including EAP-MD5 and EAP-LEAP)
•
Authentication of users with profiles defined in a flat text file that
the server loads into memory (clear text or UNIX-style encrypted
passwords)
14
Chapter 1
Introduction to AAA Server
HP-UX AAA Server Features
•
•
Authentication of users defined in a /etc/passwd file
Authentication using multiple sets of user definition and realm
definition files (usersand authfilefiles) keyed by network access
server (NAS)
•
•
Supports multiple user definition (realm) files keyed by realm (File
type authentication)
Authentication of users defined in an LDAP server (ProLDAP™ type
authentication), including support of {clear} indicator for clear text
passwords
•
•
•
Authentication of users defined in an ORACLE database
UNIX bigcrypt() for users defined in a flat file or LDAP directory
Load balancing and failover when authenticating users stored in an
LDAP directory server or Oracle database
Au th or iza tion Fea tu r es
•
•
•
Support of simple authorization policy through check and deny
attribute-value pair items specified in users files
Support for definition of reply item attribute-value pairs in a users
file
Support of simple authorization policy through check and deny
attribute-value pair items specified in realm files (File type
authentication) or an LDAP directory server (ProLDAP type
authentication)
•
•
•
Support for definition of reply item attribute-value pairs through
realm files, an LDAP directory server, or an Oracle database
Support of complex authorization policy construction through
Boolean expressions with attribute-value pair operands
Supports simultaneous session limitation by user and by realm
Accou n tin g Fea tu r es
•
Generates Merit or Livingston reference accounting detail files
(accounting start and stop RADIUS messages from network access
server (NAS)), known as call detail records (CDR)
Chapter 1
15
Introduction to AAA Server
HP-UX AAA Server Features
•
•
Supports distributed accounting (proxy) by realms (RADIUS type
authentication)
Merit format accounting session record reading utility included
(radrecord)
Ad m in a n d Debu g Tools/Fea tu r es
•
Server Manager Graphical User Interface (GUI) for managing
multiple AAA servers
•
•
•
Support for Simple Network Management Protocol (SNMP)
Generates server activity logfiles, compressed daily
Optional debug levels for greater server log output to help debug
problems
•
Packaged with a RADIUS protocol client (radpwtst) for testing and
debugging
•
•
•
Packaged with a utility, (radcheck), to check status of server.
Utility (sesstab) to help review the session table for active sessions
Script (stopsession.sh) to terminate specific users sessions that
appear active to the server but are no longer active
•
Script (las.test.sh)tests simultaneous session control to aid in
performance of session testing of the server
16
Chapter 1
Installation
System Requirements
System Requ ir em en ts
To install and use this software, the following system specifications are
recommended:
•
•
HP-UX 11.0 or 11i version 1UNIX operating systems
Disk space: Operational requirements depend on the amount of
logging information to be maintained online. With a moderate dial-in
load, 1.0 GB should suffice for approximately six months.
•
•
CPU speed: This depends on the frequency of incoming requests. The
transaction load affects what is required.
Browser Compatibility: To access the Server Manager you need one
of the following Web browsers:
• Netscape® Navigator 4.76 (or higher)
• Microsoft® Internet Explorer 5.0.5 (or higher)
The browser preferences or Internet options should be set to always
compare loaded pages to cached pages.
IMPORTANT
HP recommends using the browser versions specified above because
of known defects in earlier versions.
NAS Com p a tibility
The HP-UX AAA Server should operate with any NAS that adheres to
the RADIUS standard. The HP-UX AAA Server has been used
successfully in configurations with NASs from the following vendors:
•
•
•
•
•
•
Avail
Ascend/Lucent
Bay Networks
Cisco
Cisco Aironet (software version 11.10 or higher)
Computone
18
Chapter 2
Installation
System Requirements
•
•
•
•
•
•
Compaq/DEC
Livingston/Lucent
Shiva/Intel
Telebit
Unisphere
US Robotics/3COM
LAN Access Device Com p a tibility
The HP-UX AAA Server supports LAN switches and wireless LAN
Access points that follow the IETF standard for EAP with MD5, as well
as devices supporting the Cisco proprietary LEAP protocol.
Chapter 2
19
Installation
Obtaining the HP-UX AAA Server Software
Obta in in g th e HP -UX AAA Ser ver Softw a r e
You can download the HP-UX AAA Server software at
http://software.hp.com on the Internet and Security Solutions page.
P r od u ct Dep en d en cies
The following figure shows the components you must install to use the
HP-UX AAA Server:
Figu r e 2-1
HP -UX AAA Ser ver Dep en d en cies
Java2 RTE 1.4.0.x
Tomcat Serverlet
AAA Software
v 1.0.00.01
HTTP or
HTTPS
Browser
HP-UX 11.00 or 11i v1 Server
20
Chapter 2
Installation
Product Dependencies
You must have the following two software dependencies installed on your
system to use the HP-UX AAA Server:
•
•
HP-UX SDK (product #T1456AA) containing Java2 RTE 1.4.0.x
HP-UX Tomcat-based Serverlet Engine v 1.0.00.01 (product #
HPUXWST100001) or higher
You can get HP-UX SDK with Java2 RTE 1.4.0.x at:
You can get the HP-UX Tomcat-based Serverlet Engine v 1.0.00.01 at:
IMPORTANT
HP-UX AAA Server A.06.00 does not support any other version of Java
or Tomcat. You must use the versions specified above.
Chapter 2
21
Installation
Installation and Start-Up Overview
In sta lla tion a n d Sta r t-Up Over view
The information in this section is to help you understand the sequence of
the installation and start-up steps, and the relationship between the
product dependencies and the HP-UX AAA Server software.
The following steps are an overview of the installation and start-up
procedure:
Step 1. Download and install the HP-UX AAA Server software from the Internet
and Security Solutions page at http://software.hp.com
Step 2. Start the RMI objects to allow the AAA server software to communicate
with Server Manager
Step 3. Configure and start the HP-UX Tomcat-based Serverlet Engine to allow
a web browser to connect to it
Step 4. Point your web browser to the AAA server to administer it using Server
Manager
22
Chapter 2
Installation
Installation and Start-Up Procedure
In sta lla tion a n d Sta r t-Up P r oced u r e
The following components are installed when you install the HP-UX
AAA Server:
•
•
AAA Server binaries, libraries, and utilities
RMI objects that facilitate communication from the AAA server to
Server Manager
•
AAA server AATV module for authentication
Perform the following steps to install and start the HP-UX AAA server:
Step 1. Log in to your HP-UX 11.0 or 11i v1 system as root.
Step 2. Verify the product dependencies are installed:
# swlist |egrep “hpuxwsTomcat|T1456AA”
hpuxwsTomcat
T1456AA
A.1.0.00.01
1.4.0.01.00
HP-UX Tomcat-based Servlet Engine
Java2 1.4 SDK for HP-UX
IMPORTANT
Be sure you have the correct versions of the product dependencies
installed.
Step 3. If needed, install HP-UX SDK (product #T1456AA) containing Java2
RTE 1.4.0.x
Step 4. If needed, install the HP-UX Tomcat-based Serverlet Engine v 1.0.00.01
(product # HPUXWST100001) or higher
move it to /tmp
Step 6. Verify you downloaded the file correctly: # swlist -d -s /tmp/<AAA
Server>.depot
Step 7. Stop any active Tomcat processes. Use
/opt/hpws/tomcat/bin/shutdown.shto stop Tomcat.
Step 8. Install the AAA Server: # swinistall -s /tmp/<AAA Server>.depot
Chapter 2
23
Installation
Installation and Start-Up Procedure
NOTE
If the installation is not successful, an error message is displayed. The
cause of the failure will appear at the end of /var/adm/sw/swagent.log
file.
Step 9. After installing the product, you will need to add the following RADIUS
authentication and accounting entries to the /etc/servicesfile of your
server hardware:
# RADIUS protocol
radius
radacct
1812/udp
1813/udp
NOTE
These RADIUS values are the server’s defaults and are specified in the
RADIUS RFC 2865.
Step 10. Edit the rmi.config.secretitem in
/opt/hpws/tomcat/webapps/aaa/WEB-INF/gui.propertiesand
/opt/aaa/remotecontrol/rmiserver.propertiesso the two values
are the same. This matching secret value is for secure exchange of
information between Server Manager and the RMI objects.
IMPORTANT
The rmi.config.secretyou configure in
/opt/hpws/tomcat/webapps/aaa/WEB-INF/gui.properties
Step 11. Start the RMI Objects by going to the /opt/aaa/remotecontrol
directory and running the rmistart.shscript. See “Starting and
Stopping the RMI Objects” for more information.
24
Chapter 2
Installation
Installation and Start-Up Procedure
Step 12. Uncomment the following lines in /opt/hpws/tomcat/conf/web.xml:
Com m en ted
<!-- The mapping for the invoker servlet -->
<!--
<servlet-mapping>
<servlet-name>invoker</servlet-name>
<url-pattern>/servlet/*</url-pattern>
</servlet-mapping>
-->
Un com m en ted
<!-- The mapping for the invoker servlet -->
<servlet-mapping>
<servlet-name>invoker</servlet-name>
<url-pattern>/servlet/*</url-pattern>
</servlet-mapping>
/opt/hpws/tomcat/conf/tomcat-users.xml. Add your user name and
password in the following syntax:
<user username="specify" password="specify" roles="tomcat"/>
Enter your values where "specify"is in the previous example. See
“Changing Server Manager User Name and Password” for more
information.
Step 14. Start Server Manager. See “Starting and Stopping Server Manager” for
more information.
IMPORTANT
Always restart Server Manager after making changes to any of the
HP-UX Tomcat-based Serverlet Engine configuration files.
Server Manager using the user name and password you specified in the
previous steps.
Chapter 2
25
Installation
Running Server Manager
Ru n n in g Ser ver Ma n a ger
The RMI objects must be started from the command line before HP-UX
AAA Servers can be started, stopped, and configured through the Server
Manager interface. Start the RMI objects to allow AAA Servers to
communicate with the Server Manager. Start the Server Manager to
allow the browser to connect to it.
Sta r tin g a n d Stop p in g th e RMI Objects
Step 1. Login and cdto the remote control directory
(/opt/aaa/remotecontrol/).
Step 2. Enter /opt/aaa/remotecontrol/rmistart.shto start the RMI objects
or /opt/aaa/remotecontrol/rmistop.shto stop the RMI objects.
Step 3. Verify the RMI objects are running by checking port 7790 with:
$ netstat -a |grep 7790
Sta r tin g a n d Stop p in g Ser ver Ma n a ger
Step 1. cd to /opt/hpws/tomcat/
Step 2. Execute $ export JAVA_HOME=/opt/java1.4
Step 3. Enter ./bin/startup.shto start the Server Manager or
./bin/shutdown.sh to stop it.
Step 4. Verify Tomcat is running by checking port 8081 (Tomcat’s default port #):
$ netstat -a |grep 8081
When Tomcat is running, an administrator can access the graphic
interface through an Internet browser by entering
configured https. See the HP-UX AAA Server Administration and
Authentication Guide, section “Securing Server Manager
Communication with HTTPS” for more information about https).
When prompted by your web browser, enter the user name and password
you configured in /opt/hpws/tomcat/conf/tomcat-users.xml.
26
Chapter 2
Installation
Running Server Manager
Ch a n gin g Ser ver Ma n a ger User Na m e a n d Pa ssw or d
You can change the user name or password used to access the Server
Manager graphic interface.
Step 1. Go to /opt/hpws/tomcat/conf/tomcat-users.xml
passwords:
<user name=“New-UserName” password=“New-Password” roles=“tomcat” />
Step 3. Save tomcat-users.xml
Step 4. Restart the Tomcat. Refer to “Starting and Stopping Server Manager” for
more information.
NOTE
You will be disconnected from the Server Manager interface if you
restart the Tomcat while logged-on to Server Manager. You will need to
log on to Server Manager again after restarting the Tomcat component.
Chapter 2
27
Installation
UnInstalling the HP-UX AAA Server Software
Un In sta llin g th e HP -UX AAA Ser ver Softw a r e
Use the following steps to uninstall the HP-UX AAA Server:
Step 1. If the radiusdand db_srvservers are running, stop the servers. Use the
following commands to determine if radiusdor db_srv processes are
active:
$ ps -ef |grep radiusd
$ ps -ef |grep db_srv
You can stop radiusdby killing the radiusd process ID
You can stop db_srvservers with the /opt/aaa/bin/stop_db_srv.sh
script.
Step 2. Remove all files residing in /var/opt/aaasubdirectories.
Logout anyone using HP-UX AAA Server administrator login “aaa”.
Step 3. As root user, enter “swremove T1428AA” or “swremove” at the command
prompt to invoke the standard HP-UX GUI to select T1428AA bundle for
removal. See the swremoveman page for more information on this
command.
28
Chapter 2
Installation
Installation Defaults
In sta lla tion Defa u lts
The HP-UX AAA Server can be run as root user, however non-root user is
recommended.
A user and group, both named aaa, will be created during installation.
The HP-UX AAA Server can be run as non-root user, using the default
aaa user created during installation, or any other user who is part of the
aaagroup.
IMPORTANT
Do not remove the default login aaa and group aaa created during
installation, even if you prefer not to use them.
Ta ble 2-1
File Loca tion s Up on In sta lla tion
File
Dir ector y
/opt/aaa/aatv
/opt/aaa/bin
Server modules and plug-ins. The directory where the Actions are
placed.
Server daemons and utilities:
• db_srv: Oracle client daemon for authentication
• las.test.sh: script to create simulated sessions for testing
• radcheck: AAA Server test utility (like the ping command)
• raddbginc: controls server debug output
• radiusd: AAA Server executable
• radpwtst: AAA test client utility
• radrecord: reads and displays AAA Server session log files
• sesstab: print contents of the AAA Server session table file
• start_db_srv: script to start the Oracle client daemon
• stop_db_srv: script to stop the Oracle client daemon
• stopsession.sh: a script to manually stop an accounting
session
Chapter 2
29
Installation
Installation Defaults
Ta ble 2-1
Dir ector y
File Loca tion s Up on In sta lla tion (Con tin u ed )
File
/opt/aaa/examples/ Finite state machine, group policy example files:
config
• *.fsm: sample finite state machine (FSM) tables
• *.grp: sample decision files
/opt/aaa/examples/ • create.sql: SQL script to create Oracle users table
oracle
• delete.sql: Sample SQL script to delete Oracle user records
• insert.sql: Sample SQL script to add Oracle user records
/opt/aaa/examples/ ProLDAP setup example files
proldap
/opt/aaa/lib
Shared libraries:
• libradlib.sl: contains functions that interface with the
main server
• librpilib.sl: contains functions for programs and utilities,
such as radrecord
• libjniAgents.sl: contains functions for Server Manager.
/opt/aaa/newconfig Default configuration files. Files residing here are copied to
/etc/opt/aaadirectory during installation.
/opt/aaa/share/man Directories where man pages are installed
/man5and ~/man1m
30
Chapter 2
Installation
Installation Defaults
Ta ble 2-1
Dir ector y
File Loca tion s Up on In sta lla tion (Con tin u ed )
File
/etc/opt/aaa
Configuration files:
• aaa.config: runtime and tunneling configuration file
• authfile: realm to authentication-type mapping file
• clients: client to shared secret mapping file
• db_srv.opt: configuration script for db_srv environment
variables
• dictionary: definition file required by radiusd
• las.conf: authorization and accounting configuration file
• log.config: session logging configuration file
• radius.fsm: external FSM table for the server
• users: holds user security profiles and reply items
• vendors: holds IANA numbers and other vendor specific
details
• engine.config: Called by aaa.conf, this file stores most of
the AAA server properties
• EAP.authfile: Used to configure EAP authentication for user
profiles
• iaaaAgent.conf: Specifies how often the AAA server’s SNMP
subagent will check to see if a master agent is active
• aaa.config.license: Do not alter this file
• RADIUS-ACC-SERVER-MIB.txt: Text file describing RADIUS
Accounting MIB definitions.
• RADIUS-AUTH-SERVER-MIB.txt: Text file describing RADIUS
Authentication MIB definitions.
Chapter 2
31
Installation
Installation Defaults
The following table lists the files generated during operation and located
in /var/opt/aaa/by default:
Ta ble 2-2
Files Gen er a ted Du r in g Op er a tion
Dir ector y
File
/acct/session.yyyy-mm-dd.log Default session accounting logs, Merit style
/data/session.las
/ipc/*.sm
Currently active sessions Session log file
Shared memory files related to the interface used for
some authentication types.
IMPORTANT: You must not alter or delete the shared
memory (*.sm) files. The server will not operate
correctly if the files are changed or removed from the
ipcdirectory.
/logs/logfile
The server log file
/logs/logfile.yyyymmdd
/radacct/*
Compressed daily or weekly log files
For session accounting logs in Livingston call detail
records directory style format (not generated by
default configuration)
/run/radius.pid
Contains the process id (pid) for the server, etc.
32
Chapter 2
Installation
Commands, Utilities, & Daemons
Com m a n d s, Utilities, & Da em on s
Ta ble 2-3
Com m a n d
Com m a n d s, Utilities, & Da em on s
Descr ip tion
db_srv
The db_srvdaemon performs Oracle database access operations for
authentication on behalf of one or more remote HP-UX AAA Servers.
radcheck
Sends a RADIUS status and protocol requests to a AAA server and
display the replies. Receiving the reply confirms that the HP-UX
AAA Server is operational. radcheckcan be invoked on any host by
any user, however the HP-UX AAA server will return more
information to registered clients.
raddbginc
radiusd
Sets debug logging level for currently running HP-UX AAA Server.
Turn debugging on and off or set the level of output while the AAA
Server is running.
A daemon process that services user authentication and accounting
requests from RADIUS clients. Authentication and accounting
requests come to radiusd in the form of UDP packets conforming to
the RADIUS protocol. It runs as a daemon that can be started from
the command line or through an inetd service. radiusddetermines
the action to take when receiving RADIUS requests based upon a
finite state machine (FSM) loaded into memory when radiusd is
started. The FSM is configurable, but static after startup.
radpwtst
A utility used to simulate a RADIUS client when troubleshooting or
validating configuration for the HP-UX AAA Server. It will prompt
for the user password (when not supplied by the -w option.) If the
request to the AAA server succeeds, radpwtstdisplays
authentication OK on standard output. Otherwise, radpwtst
displays userid authentication failed.
radrecord
A utility to read and print HP-UX AAA server Merit format session
logs. The accounting information that is displayed includes the user
name, the total session time, the number of sessions, and the average
time per session.
sesstab
Displays the currently active sessions for the HP-UX AAA Server.
start_db_srv.sh
Script to start Oracle authentication client daemon db_srv.
Chapter 2
33
Installation
Commands, Utilities, & Daemons
Ta ble 2-3
Com m a n d
Com m a n d s, Utilities, & Da em on s (Con tin u ed )
Descr ip tion
stop_db_srv.sh
stopsession.sh
las.test.sh
Script to stop db_srvdaemon and its child process(es).
Script to manually stop an accounting session.
Script to create simulated sessions for testing.
34
Chapter 2
Installation
Testing the Installation
Testin g th e In sta lla tion
To quickly test the server installation, you will use Server Manager to
add a loopback connection to a AAA server, start the server, and then
check its status for a response. Use the following steps to test the server
installation:
Step 1. Follow the directions for “Running Server Manager” to start Server
Manager after installing the HP-UX AAA Server software.
Step 2. Select the Server Connections link from the Navigation Tree and then
select the Connect to Server link.
Step 3. Enter the values for your server in the Add Connectionscreen that
appears and select Create:
Name
The identifying string of a remote server.
Domain Name or IP Address
The IP address (in dotted-quad notation) or valid
Domain Name System (DNS) host name of the AAA
server that the connection maps to.
Step 4. Verify the server is listed and selected in the Server Status frame.
Step 5. Select the Administration link from the Navigation Tree.
Step 6. Select the Start option.
Step 7. Verify the server started. A green “GO” icon in the Server Status frame
indicates the server is running.
Step 8. Verify the server is selected in the Server Status frame and then select
the Status option.
Step 9. Check Server Manager’s Message Frame for the status reply. The
following reply at the bottom of the Message Frame indicates the server
is running correctly:
“<server name> (port#)” is responding
If you did not receive this message, refer to the Troubleshooting chapter
in HP-UX AAA Server Administration and Authentication Guide. You
can also use this guide to learn different methods for testing your HP-UX
AAA Servers.
Chapter 2
35
Installation
Testing the Installation
36
Chapter 2
Basic Configuration Tasks
Storing User Profiles
Stor in g User P r ofiles
The user information that determines how an access request is
authenticated and authorized is configured in a profile as a set of A-V
pairs. These user profiles are grouped by realm and may be stored in flat
text files or an external source such as an Oracle database or and LDAP
server. Realms are recognized by the realm component of a user’s
Network Access Identifier. If you have a small AAA deployment without
several realm-specific configurations, you can define a default realm and
store it in the usersfile.
Stor in g User P r ofiles in th e Defa u lt User s File
When the AAA server receives a request, before it checks for profiles
grouped by realms, it first checks the default users file for a matching
profile. Use the following steps to store user profiles in the default users
file:
Step 1. Access the Server Manager.
Step 2. Load the configuration from the appropriate AAA server by selecting the
Load Configurationlink from the Navigation Tree.
Step 3. Select the Users link from the Navigation Tree.
Step 4. Select the New User link.
Step 5. The User Attributes screen will appear. In the User Name text box, enter
the name of the user profile.
Step 6. In the Password text box, enter the value to match to the value to
compare to the Password attribute value in the request.
Step 7. You may enter values in the remaining fields to control the users session.
These fields are optional and correspond to RADIUS A-V pairs that are
explained in more detail in the HP-UX AAA Server Administration and
Authentication Guide.
Step 8. Select the Create button.
Step 9. Select Save Configurationfrom the Navigation Frame. If you have
multiple remote servers, you will prompted to select and confirm which
servers you wish to add the access device entry to.
38
Chapter 3
Basic Configuration Tasks
Storing User Profiles
CAUTION
Save Configuration will save the entire server configuration (access
devices, proxies, local realms, users, and server properties) to the servers
you specify.
Stor in g Wir eless User P r ofiles Loca lly
If you want to authenticate users with EAP, you will need to identify the
wireless access point (WAP), the users' realms, and the user profiles. For
more information about EAP, refer to the HP-UX AAA Server
Administration and Authentication Guide. Use the following steps to
store wireless user profiles locally:
Step 1. Select the Access Deviceslink
Step 2. Select the New access device link from the Access Device screen. The
Access Device Attributes screen appears.
Step 3. In the Name field identify the IP address or DNS name of the WAP.
Step 4. In the Shared secret field identify the encryption key, or shared secret,
between the WAP and the AAA server.
Step 5. From the Vendor drop-down list, select Generic or the WAP vendor if the
vendor appears in the vendors file.
Step 6. Select any of the Options check boxes to define additional instructions to
handle the Access-Request.
Step 7. Select the Create button.
Step 8. For each individual user that will be authenticated through EAP, you
will need to add a user profile to the RADIUS server. Select the Users
link.
Step 9. Select the New User link from the Users screen. The Users Attributes
screen appears.
Step 10. In the User Name field identify the user profile by user name and the
users realm (user@realm).
Step 11. From the Authentication Type drop-down list, select Realm.
Chapter 3
39
Basic Configuration Tasks
Storing User Profiles
Step 12. Complete any of the remaining optional fields as necessary for your
configuration.
Step 13. Select the Create button.
Step 14. Repeat steps 8 to 13 for each user profile that you need to configure.
Step 15. For each realm using EAP, you must associate the realm name with the
type of EAP to perform. Select the Local Realmslink.
Step 16. Select the New local realm link from the Local Realms screen. The Local
Realm Attributes screen appears.
Step 17. In the Name field identify the name of the realm that will use EAP.
Step 18. From the Authentication Type drop-down list, select EAP as the
authentication type. The extended parameters for EAP will appear
Step 19. From Extended Parameters select the EAP type(s) to use.
Step 20. Complete any of the remaining optional fields as necessary for your
configuration.
Step 21. Select the Create button.
Step 22. Repeat steps 15 to 21 as necessary for your configuration.
Step 23. Select the Save Configurationlink from the Navigation Frame. If you
have multiple remote servers, you will prompted to select and confirm
which servers you wish to add the access device entry to.
CAUTION
Save Configurationwill save the entire server configuration (access
devices, proxies, local realms, users, and server properties) to the servers
you specify.
40
Chapter 3
Basic Configuration Tasks
Storing User Profiles
Gr ou p in g User s by Rea lm
While the HP-UX AAA Server can authenticate an individual user, you
may want to authenticate and provision a group of users according to a
common criteria, like an authentication type. One method of grouping
users is according to the realm that they belong to. A realm is derived
where sample.comis the realm. Use the following steps to store user
profiles in a flat text file grouped by realm:
Step 1. Access Server Manager.
Step 2. Select the Local Realms link from the Navigation Tree and then select
the New local realm link
Step 3. In the Name field, enter the users realm.
Step 4. From the Authentication Type drop-down list, select File.
Step 5. In the DNS or filename text box, enter a name for the file that will store
the profiles. If the file does not already exist, it will automatically be
created when you save the realm definition.
NOTE
You can configure different realms to save users profiles in the same file.
Step 6. Select the Create button.
Step 7. Return to the Local Realms screen to add user profiles to the realm.
Step 8. From the Local Realms screen, select the following icon for the realm
that you wish to add user profiles for:
Step 9. From the Users screen select the New User link.
Step 10. In the User Name text box, enter the name of the users profile.
Step 11. In the Password text box, enter the value to match to the value to
compare to the Password attribute value in the request.
Chapter 3
41
Basic Configuration Tasks
Storing User Profiles
Step 12. You may enter values in the remaining fields to control the users session.
These fields are optional and correspond to RADIUS A-V pairs that are
explained in more detail in the “A-V Pairs” chapter of HP-UX AAA Server
Administration and Authentication Guide.
Step 13. Select the Create button in the User Attributes screen.
Step 14. Repeat steps 9 to 13 for each user profile you wish to add to the realm.
Step 15. Repeat these steps to add additional realms and groups of users.
Step 16. Select Save Configurationfrom the Navigation Frame. If you have
multiple remote servers, you will prompted to select and confirm which
servers you wish to add the access device entry to.
CAUTION
Save Configuration will save the entire server configuration (access
devices, proxies, local realms, users, and server properties) to the servers
you specify.
42
Chapter 3
Basic Configuration Tasks
Adding and Modifying Users
Ad d in g a n d Mod ifyin g User s
User profiles associate information with a user name for authentication
and authorization. This information is defined by attribute-value pairs.
The server configuration must include profiles for all the users that can
access services through the AAA server. If a user profile is not included
in the configuration, the server will reject the users access request.
Profiles may be stored in flat text files or an external source. The Users
screen allows you to add a new user, modify an existing user, or delete an
existing user from a text file. This screen is accessed by selecting the
Users link from the graphic interfaces Navigation Tree.
When adding a new user profile to the server configuration or modifying
an existing entry, you supply values for the user profile attributes
through a form’s fields. This form is tabbed according to groups of
attribute-value pairs. Initially, the General tab is active.
Figu r e 3-1
Ser ver Ma n a ger ’s Gen er a l User Attr ibu tes
Chapter 3
43
Basic Configuration Tasks
Adding and Modifying Users
User Name:
Value to compare to the User-Name attribute value in
the request. It must be less than 64 characters. &, “, ~,
\ , /,%, $, ‘, and space characters may not be used.
The remaining fields and tabs in Define Users screen allow you to specify
three types of user profile attributes: configuration items, check items,
and reply items.
Configuration Items:
These items indicate various AAA server-specific
attributes that the server can use to perform
authentication or authorization functions. A user
profile must include either the Password attribute or
the Authentication-Type and Server-Name attributes
(Server-Name is only required for some authentication
types and should be listed as a check item under the
Free tab.) Additional items are optional.
Check Items:
Reply Items:
An optional list of zero or more attribute-value pairs,
delimited by white space. These items indicate various
attribute values that the server will compare to the
corresponding attribute values in the Access-Request.
Reply items generally get returned to configure the
client for the user’s session. They include information
like PPP configuration values, the name of the host
that the user wishes to connect to, or an optional
packet filter name.
Each of the fields on the first four tabs (General, NAS/Login, Framed,
and Others) corresponds to an attribute that can be used in a user profile
as a check or reply item. When specifying attribute values through these
tabs, all A-V pairs that may ordinarily be used as either a check or a
reply item in a server configuration are automatically added as a reply
item, unless the Free tab is used.
There are many more attributes, including vendor-specific attributes,
that can be added to a user profile. The Free tab allows you to enter any
of these attributes in the Check and Reply list boxes.
44
Chapter 3
Basic Configuration Tasks
Adding and Modifying Users
Figu r e 3-2
Ser ver Ma n a ger ’s Fr ee User Attr ibu tes Scr een
To add attributes to the list boxes, follow the Attribute = Value syntax.
A-V pairs may be listed one per line. When adding a new user profile, you
select the Create button to submit it to the AAA Server Manager. When
modifying an existing profile, you select the Modify button to submit
changes to the user profile. In either case if each field contains a valid
value, the profile will be created or modified; otherwise, an error message
is displayed. You can always select the Cancel button and return to the
Users screen without making any changes to your server configuration.
Chapter 3
45
Basic Configuration Tasks
Session Logging and Monitoring
Session Loggin g a n d Mon itor in g
You can view the log files that record the details of each AAA transaction
or the session logs that record information about each user's session. You
can also access information for active sessions and manually terminate a
session if necessary.
These functions can be accessed by selecting the Maintenancemenu
items from the Server Manager Navigation Tree. When you use any of
these functions, you will retrieve information from all servers selected in
the Server Manager’s Server Status section.
View in g User Session
After a user is successfully authenticated and the AAA server sends an
Access-Accept, the access device will send an Accounting-Request
message to start the session. The AAA server stores information about
the session in an active session record. When the users session is
terminated, the client sends an Accounting-Request message to stop the
session. When a AAA server receives the stop message, it clears its active
record for the session and writes the session information to a file.Use the
following steps to display session information for a particular user:
Step 1. Through the Server Manager interface, select the Sessions link from the
Navigation Tree located in the left frame of the browser
Step 2. Enter search parameters in the Session Filter screen that appears.
Retrieved session will be restricted to the specified search parameters.
Figu r e 3-3
Session s Sea r ch Filter Scr een
46
Chapter 3
Basic Configuration Tasks
Session Logging and Monitoring
Step 3. Select the Display button. The AAA server manager will display a list of
active sessions.
Step 4. Select a session. The AAA server manager will display the attributes for
the selected session.
Step 5. Select the OK button when you are done reading the session.
Stop p in g a Session
This procedure is intended for sessions that were terminated on the
access device but are maintained as active by the AAA server.
Step 1. Follow the “Display a Session” procedure.
Step 2. Select the Stop button from the Session Attributes screen. The AAA
server will clear its record of the active session, but no action is taken by
the access device.
Chapter 3
47
Basic Configuration Tasks
Session Logging and Monitoring
View in g Ser ver Logfiles
The log file of the AAA server contains all the information concerning the
functioning of the server such as: start/stop of the server, all of the
RADIUS requests, and some internal events. The data is automatically
stored each day in a different file. They are available as long as the
corresponding files are still on the disk.
• /var/opt/aaa/logs/logfile: the server log file
• /var/opt/aaa/logs/logfile.yyyymmdd: compressed daily log file
Selecting the Server Logfilelink in Server Manager’s Navigation Tree
allows you to retrieve information from log files.
Figu r e 3-4
Ser ver Ma n a ger ’s Logfile Scr een
48
Chapter 3
Basic Configuration Tasks
Session Logging and Monitoring
Sea r ch Pa r a m eter s
You can filter what dates and times to retrieve from the logfile.
Ta ble 3-1
Op tion
Filter Pa r a m eter s for Sea r ch in g Logfiles
Descr ip tion
Begin (server time)
End (server time)
User
The date and time of the session to begin retrieving data from.
The date and time of the last session to retrieve data from.
Limits the result of the search command to messages related to a
specific user. For example, you may wish to find why a user is not
able to authenticate.
Number of Messages Limits the result of the search command to the specified number of
messages.
NOTE
You can filter what data to retrieve according to the type of messages. For
each message type, you indicate whether the message type should or
should not be retrieved by selecting the Yes or No radio buttons. Refer to
the HP-UX AAA Server Administration and Authentication Guide for
more information.
Chapter 3
49
Basic Configuration Tasks
Session Logging and Monitoring
View in g Ser ver Sta tistics
Selecting the Statisticslink from Server Manager’s Navigation Tree
allows you to retrieve a count of events that occurred on the AAA server
within a time range. The statistics are displayed using a bar graph.
Figu r e 3-5
Ser ver Ma n a ger ’s Sta tistics Scr een
Ta ble 3-2
Op tion
Sta tistic Sea r ch Pa r a m eter s
Descr ip tion
Begin (server time)
End (server time)
The date and time of the session to begin retrieving data from.
The date and time of the last session to retrieve data from.
50
Chapter 3
Glossary of Terms
4
Glossa r y of Ter m s
AAA
Abbreviation for Authentication, Authorization, and
Accounting.
AAA Server
Accounting
Access-Accept
A software application that performs authentication,
authorization, and accounting functions.
Logging session and usage information for session
control and billing purposes
The AAA server returns an Access-Accept to the client
when an Access-Request is valid. The Access-Accept
will contain A-V pairs that specify what services the
authenticated user is authorized to use.
Access-Challenge
The AAA server returns an Access-Challenge to the
client when it is necessary to issue a challenge that the
user must respond to. The client will resubmit the
request with the user-supplied information to the AAA
server.
Access-Reject
The AAA server returns an Access-Reject to the client
when an Access-Request is invalid.
Access-Request
Created by the client, the Access-Request contains A-V
Pairs, such as the user’s name, password, and ID of the
client. The client submits the Access-Request to an
AAA server. If the server can validate the client, the
server will attempt to match a user entry in its
database with information in the Access-Request to
authenticate the user.
Chapter 4
51
Glossary of Terms
Administrator
Special user, known by the system on which the AAA
server is running and is able to configure and to
manage the AAA server.
Application Service Provider
Third-party entities that manage and distribute
software-based services and solutions to customers
across a wide area network from a central data center,
abbreviated as ASP.
ASP
Application Service Provider.
Attribute-Value Pair
The RADIUS protocol defines things in terms of
attributes. Each attribute may take on one of a set of
values. When a RADIUS packet is exchanged among
clients and servers, one or more attributes and values
are sent pair wise from the client to the server. For the
AAA Server software, all valid attributes and values
are listed in the dictionary file, abbreviated as A-V pair.
Authentication
Authorization
The process of identifying and proving the identity of
an entity, for example, a user, a network client, or a
network server.
The process of determining what types of activities is
permitted. Usually, authorization is in the context of
authentication; once users are authenticated, they may
be authorized different types of access or activity.
A-V Pair
Attribute-value pair.
Challenge Handshake Authentication Protocol
Log-in security procedure for dial-in access. Rather
than send an unencrypted password, a random number
is sent to the client as a challenge. The challenge is
one-way hashed with the password, and the result is
52
Chapter 4
Glossary of Terms
sent back to the server. The server does the same with
its copy of the password and verifies that it gets the
same result to authenticate the user, abbreviated as
CHAP.
CHAP
Client
See Challenge Handshake Authentication Protocol.
NAS, proxy server, or other networking device that
uses the AAA server services to authenticate and
authorize users.
Common Open Policy Service
A query and response protocol that can be used to
exchange policy information between a policy server
(Policy Decision Point or PDP) and its clients (Policy
Enforcement Points or PEPs, such as a router),
abbreviated as COPS.
COPS
See Common Open Policy Service.
Dialed Number Identification Service
Each request is authenticated locally or forwarded to a
remote server according to the number called to access
a network service.
DNIS
EAP
See Dialed Number Identification Service.
Extensible Authentication Protocol. Described in RFC
2284.
Finite State Machine
The Finite State Machine is the component of the AAA
Server software that controls the flow of access request
authentication and accounting request handling,
abbreviated as FSM.
Forwarding Server
Chapter 4
53
Glossary of Terms
The AAA server that receives an Access-Request from a
client and forwards that request to another AAA server
for authentication.
FSM
Hint
See Finite State Machine.
When a user requests access to a service of a specific
configuration, a client may provide this information in
an Access-Request as a hint to the AAA server. The
server may reject the request based on the hints or
supply the service as specified by the hints, by the
server’s configuration, or by a combination of the hints
and the server’s configuration.
IETF
See Internet Engineering Task Force.
Integrated Services Digital Network
A digital internet access line using copper phone lines.
Interlink
Used to connect multiple AAA servers in a fabric with
SLAs and to establish policies among them.
Internet Engineering Task Force
Internet standards setting organization.
Internet Protocol
A Layer 3 (network layer) protocol that contains
addressing information and some control information
that allows packets to be routed, abbreviated as IP.
Internet Research Task Force
A group associated with IETF focusing on research
rather than standards.
Internet Service Provider
54
Chapter 4
Glossary of Terms
Communications service company that provides
Internet access and services to its customers. ISPs
range in size from small independents serving a local
calling area to large, established telecommunications
companies, abbreviated as ISP.
IP
See Internet Protocol.
IRTF
ISP
See Internet Research Task Force.
Internet service provider.
ISDN
LAS
LDAP
See Integrated Services Digital Network.
See Local Authorization Server.
See Lightweight Directory Access Protocol.
Lightweight Directory Access Protocol
Used for directories providing naming, location,
management, security, and other services for Internet
networking, abbreviated as LDAP.
Lightweight Extensible Authentication Protocol
Supports and manages the dynamic Wired Equivalent
Privacy (WEP) key exchange between Cisco Aironet
802.11x wireless LAN clients and access points,
abbreviated as LEAP.
LEAP
See Lightweight Extensible Authentication Protocol.
Local Authorization Server
A local authorization server is the HP-UX SERVER
code that authorizes, accounts, and bill users based on
realms, abbreviated as LAS.
Chapter 4
55
Glossary of Terms
Microsoft Challenge-Handshake Authentication Protocol (MS-CHAP)
An implementation of the CHAP protocol that
Microsoft created to authenticate remote Windows
workstations. In most respects, MS-CHAP is identical
to CHAP, but there are a few differences. MS-CHAP is
based on the encryption and hashing algorithms used
by Windows networks, and the MS-CHAP response to a
challenge is in a format optimized for compatibility
with Windows operating systems.
NAS
See Network Access Server.
Navigation Tree
Refers to the navigation links on the left side of the
Server Manager GUI.
Network Access Server
A device that interfaces telephony circuits to the
network, abbreviated as NAS.
PAP
See Password Authentication Protocol.
Password Authentication Protocol
A simple password protocol that transmits a user name
and password across the network, unencrypted,
abbreviated as PAP.
Point-to-Point Protocol
The standard protocol for dial-up networking. The
family of standards covers many aspects including
authentication, encryption, compression, addressing,
multi-protocols, etc., abbreviated as PPP.
Policy
A very broadly used term. To the AAA server, it means
the conditionally applicable set of attribute-value pairs
that an AAA protocol, such as RADIUS, may support.
HP-UX SERVER policies are simple or complex
56
Chapter 4
Glossary of Terms
decisions that control the authentication,
authorization, and accounting process for a user's
access request.
PPP
See Point-to-Point Protocol.
Protocol
A set of rules established between two devices to allow
communications to occur.
Proxy
The mechanism that allows one system to mediate
between two other systems in response to protocol
requests. A RADIUS server can act as a proxy client
and forward an Access-Request to another AAA server
for authentication. As a proxy client, the server would
mediate the requests and replies between the client
where the Access-Request originated from and the
server that the request was forwarded to.
RADIUS
See Remote Access Dial In User Service.
RADIUS Client
A NAS or other device that sends requests to an AAA
server.
RAS
See Remote Access Server.
Realm
A realm is a logical group of users, who usually can be
authenticated using one particular method. Grouping
users into realms simplifies the management of those
users in a distributed environment. For example, an
ISP’s users may be from different organizations located
in different cities. Each organization already has one
way or another to authenticate its users and each
corresponds to a realm. Each realm would be
responsible for managing its users, providing
authentication and authorization for their access
Chapter 4
57
Glossary of Terms
requests.
A realm has a name that looks very much like a
domain name, but they bear different meanings.
Realms are only used by the AAA Server to determine
where an authentication request should be sent and
what kind of authentication to request, etc. Naming a
realm with its domain name simplifies things for the
users, since their access ids will then look the same as
their e-mail addresses. A realm may also have multiple
aliases, providing a way to shorten long realm names.
Remote Access Dial In User Service
An authentication and accounting protocol defined by
the IETF in a series of RFCs, abbreviated as RADIUS.
Remote Access Server
A service that allows remote clients running Microsoft
Windows or Windows NT to dial in to a network,
abbreviated as RAS.
Remote Server
In the context of a proxy Access-Request, the remote
server is the AAA server that receives the request from
the forwarding server. The remote server authenticates
the request and sends a reply to the forwarding server.
Request For Comment
The basis for an IETF standard, abbreviated as RFC.
RFC
See Request For Comment.
SAT
See Simultaneous Access Token.
Server Manager
A Web-based graphical user interface which provides
an interface between an administrator and the AAA
servers. In addition to creating, modifying, and deleting
entries in many of the server’s configuration files, an
administrator may start and stop the AAA server,
58
Chapter 4
Glossary of Terms
access the server’s status and system time, retrieve
information from accounting and session logs, and
terminate sessions.
Service
The RADIUS client provides a service to the dial-in
user, such as PPP or Telnet.
Chapter 4
59
Glossary of Terms
Session
Each service provided by the client to a dial-in user
constitutes a session, with the beginning of the session
defined as the point where service is first provided and
the end of the session defined as the point where
service is ended. A user may have multiple sessions in
parallel or series if the RADIUS client supports that
feature.
Simple Network Management Protocol (SNMP)
Provides a mechanism for a centrally located
management workstation to monitor the activity of
remote computers and network services.
Simultaneous Access Token
The concept of token helps define and enforce policies
in regard to modem pool sharing among various
participating institutions. A simultaneous access token
is required when a user accesses a non-priority modem.
Tokens are allocated to realms and are grouped into
pools. The total number of tokens a realm has is
defined by the HP-UX Server so that the LAS may
control simultaneous use, abbreviated as SAT.
SLA
Service Level Agreement.
SLS
Service Level Specification.
See Simultaneous Access Token.
Token
Token Pool
A token pool contains a number of tokens belonging to
some organization and having a given name. These
tokens may be shared among one or more realms.
Tunneling
A secure connection between a client workstation and
an intranet or other network, that provides a VPN to a
user. This connection may be a voluntary tunnel
60
Chapter 4
Glossary of Terms
initiated by the client or a compulsory tunnel initiated
during authentication by a server or other dedicated
network equipment.
Users
VPN
Individuals whom the AAA server must authenticate
and authorize before by they can access an
organization’s service, such as Internet access through
an ISP.
See Virtual Private Network.
Virtual Private Network
A network service offered by public carriers in which
the user is provided a network that in many ways
appears as if it is a private network (user-unique
addressing, network management capabilities,
dynamic reconfiguration, etc.) but which, in fact, is
provided over the carrier's public network facilities,
abbreviated as VPN.
Chapter 4
61
Glossary of Terms
62
Chapter 4
|