HP-UX AAA Server A.06.01
Getting Started Guide
HP-UX 11.0, 11i v1, 11i v2
Manufacturing Part Number : T1428-90058
E1004
U.S.A.
© Copyright 2001-2004 Hewlett-Packard Development Company, L.P.
1. Introduction to AAA Server
RADIUS Overview  2
    RADIUS Topology  2
    Establishing a RADIUS Session  3
    Supported Authentication Methods  5
    RADIUS Data Packets  6
    Shared Secret  7
Product Structure  8
    AAA Servers  8
    AAA Server Manager Program  8
    The 802.1x Advisor  9
    Accessing the Server Manager  10
AAA Server Architecture  12
    Configuration Files  12
    AATV Plug-Ins  14
    The Software Engine: Finite State Machine  14
HP-UX AAA Server Features  15
    General Features  15
    Authentication Features  15
    Authorization Features  16
    Accounting Features  16
    Admin and Debug Tools/Features  16
2. Installing and Starting the HP-UX AAA Server
Getting the HP-UX AAA Server Software  20
Installing the HP-UX AAA Server  21
Starting the HP-UX AAA Server  22
    Starting and Stopping the RMI Objects  22
    Starting and Stopping Tomcat  22
Testing the Installation  23
Installation Defaults  25
Commands, Utilities, & Daemons  29
UnInstalling the HP-UX AAA Server Software  30
3. Basic Configuration Tasks
Storing User Profiles  32
    Storing User Profiles in the Default Users File  32
    Grouping Users by Realm  33
Adding and Modifying Users  36
Session Logging and Monitoring  39
    Viewing User Session  39
    Viewing Server Logfiles  40
    Viewing Server Statistics  43
Securing WLANs with the HP-UX AAA Server  44
4. Glossary of Terms
Index  55
About This Document
This document provides an overview of the HP-UX AAA Server and explains how to install
and start the product. The document also provides steps to basic configuration tasks for
beginning users. Refer to the HP-UX AAA Server Administrator’s Guide for complete HP-UX
AAA Server documentation.
The document printing date and part number indicate the document’s current edition. The
printing date and part number will change when a new edition is printed. Minor changes may
be made at reprint without changing the printing date. The document part number will
change when extensive changes are made.
Document updates may be issued between editions to correct errors or document product
changes. To ensure that you receive the updated or new editions, you should subscribe to the
appropriate product support service. See your HP sales representative for details.
Security Solutions page.
Intended Audience
This Getting Started Guide is designed for first-time and beginning users of the HP-UX AAA
Server. The objective of this guide is to allow you to quickly familiarize yourself with the basic
functions of the product. Users should be familiar with the HP-UX operating system before
using this guide.
New and Changed Documentation in This Edition
• Removed the various requirements, including installing and operating requirements, for each specific 6.1.x version of the HP-UX AAA Server. Refer to the HP-UX AAA Server Release Notes for the requirements of each version of the product.
Publishing History
The following table shows the printing history of this document. The first entry in the table
corresponds to this document, while previous releases are listed in descending order.
Table 1  Getting Started Guide Printing History

Document Part Number   Release Date (month/year)   Software Version   Supported OS
T1428-90058            10/04                       A.06.01.x          HP-UX 11i v1, 11i v2
T1428-90049            01/04                       A.06.01.x          HP-UX 11.00, 11i v1, 11i v2
T1428-90043            10/03                       A.06.01.x          HP-UX 11.00, 11i v1
T1428-90026            04/03                       A.06.00.08         HP-UX 11.00, 11i v1
T1428-90002            06/02                       A.05.01.01         HP-UX 11.00, 11i v1
What’s in This Document
• Chapter 1, Introduction to AAA Server, contains an overview of product features and basic information about using the server.
• Chapter 2, Installing and Starting the HP-UX AAA Server, leads you through server installation, testing the installation, and starting the Server Manager GUI.
• Chapter 3, Basic Configuration Tasks, contains procedures that lead you through basic configuration and testing tasks.
Typographical Conventions
monospace    Identifies files, daemons, or any other item that may appear on screen
italics      Identifies titles of books, chapters, or sections

Document Advisories
Different types of notes appear in the text to call your attention to information of special importance. They are enclosed in ruling lines with a header that indicates the type of note and its urgency.

NOTE         Emphasizes or supplements parts of the text. You can disregard the information in a note and still complete a task.
IMPORTANT    Notes that provide information that is essential to completing a task.
CAUTION      Describes an action that must be avoided or followed to prevent a loss of data.
Related Documents
In addition to this Getting Started Guide, HP released the following documents to support the
HP-UX AAA Server A.06.01.x:
• HP-UX AAA Server A.06.01 Administrator's Guide
• HP-UX AAA Server A.06.01.02 Release Notes
• HP-UX AAA Server A.06.01.02.04 Release Notes
• HP-UX AAA Server A.06.01.02.06 Release Notes
• HP-UX AAA Server A.06.01.02.07 Release Notes
• HP-UX AAA Server A.06.01.05 Release Notes
The Administrator's Guide and the Getting Started Guide are installed with the product at /opt/aaa/share/doc/. You can also find these documents in the Server Manager's Help menu. The most recently released documentation for the HP-UX AAA Server is always
HP Encourages Your Comments
HP encourages your comments concerning this document. We are truly committed to
providing documentation that meets your needs.
Please send comments to: [email protected]
Please include document title, manufacturing part number, and any comment, error found, or
suggestion for improvement you have concerning this document. Also, please include what we
did right so we can incorporate it into other documents.
1. Introduction to AAA Server
RADIUS Overview
The Remote Authentication Dial In User Service (RADIUS) protocol is widely used to manage access to network services. It defines a standard for the information exchanged between a Network Access Server (NAS) and an authentication, authorization, and accounting (AAA) server when performing authentication, authorization, and accounting operations. A RADIUS AAA server can manage user profiles for authentication (verifying user name and password), configuration information that specifies the type of service to deliver, and policies that may restrict user access.
RADIUS Topology
The RADIUS protocol follows a client-server architecture. The client sends user information to the RADIUS AAA server in an Access-Request message and, after receiving a reply from the server, acts according to the returned information. The RADIUS AAA server receives user requests for access from the client, attempts to authenticate the user, and returns configuration information and policies to the client. The server may be configured to authenticate an Access-Request locally or to act as a proxy client and forward the request to another AAA server; after forwarding a request, it relays the message exchanges between the NAS and the remote server. A single server can be configured to handle some requests locally and to forward others to remote servers.
In Figure 1-1 an example ISP uses four AAA servers to handle user requests. Each user organization represents a logical grouping of users, defined as a realm. Each user organization dials in to one of the ISP's servers through an assigned NAS, and some NASs are shared by several organizations or realms. To provide appropriate service to a customer, the server reads user and policy information from a repository, which may be integrated with the server, may be an external application, or may be a database that interfaces with the server. For the HP-UX AAA RADIUS and policy server the repository information may be stored in flat text files or in an external database, such as an Oracle® database or an LDAP directory server.
Figure 1-1  Generic AAA Network Topology
(Figure not reproduced. It shows an ISP with four AAA servers, each with its own repository: AAA1.ISP.net in Ann Arbor, AAA4.ISP.net in Detroit, AAA2.ISP.net in Flint, and AAA3.ISP.net in Kalamazoo. User organizations A through F dial in to NAS1 through NAS4; the AAA servers and NASs exchange requests and replies; and a forwarding server sends proxied Access-Requests to a remote server.)
Establishing a RADIUS Session
The handling of a user request is a series of message exchanges that attempts to provide the user with a network service by establishing a session for the user. The transaction can be described as a series of actions that exchange data packets containing information related to the request. Figure 1-2, Client-Server RADIUS Transaction, illustrates the details of the transaction between a RADIUS AAA server and a client (a NAS in this example). When the user's workstation connects to the client, the client sends an Access-Request RADIUS data packet to the AAA server.
Figure 1-2  Client-Server RADIUS Transaction

  User                 Client (NAS)                           AAA Server
   |-- User Connects ----->|                                       |
   |                       |-- Access-Request -------------------->|
   |                       |<-- Access-Reject ---------------------|   (user disconnects)
   |                       |            or                         |
   |                       |<-- Access-Accept ---------------------|
   |                       |-- Accounting-Request (Start) -------->|
   |                       |<-- Accounting-Response ---------------|   session starts
   |      ... session ...  |                                       |
   |                       |-- Accounting-Request (Stop) --------->|
   |                       |<-- Accounting-Response ---------------|   session ends
   |<-- User Disconnected -|                                       |
When the server receives the request, it first validates the sending client: the request must come from a client listed in the clients file, and that entry's shared secret is what is used to protect the exchange. If the client is permitted to send requests to the server, the server takes information from the Access-Request and attempts to match the request to a user profile. The profile contains a list of requirements that must be met to successfully authenticate the user. Authentication usually includes verification of a password, but the profile can also specify other information that must be verified, such as the port number of the client or the service type that has been requested.
If all conditions are met, the server sends an Access-Accept packet to the client; otherwise, the server sends an Access-Reject. An Access-Accept data packet often includes authorization information that specifies what services the user can access and other session information, such as a timeout value indicating when the user should be disconnected from the system.
When the client receives an Access-Accept packet, it generates an Accounting-Request to start the session and sends it to the server. The Accounting-Request data packet describes the type of service being delivered and the user that will use the service. The server responds with an Accounting-Response to acknowledge that the request was successfully received and recorded. The user's session ends when the client generates an Accounting-Request to stop the session, triggered by the user, by the client, or by an interruption in service. Again, the server acknowledges the Accounting-Request with an Accounting-Response.
Supported Authentication Methods
The following list describes the authentication methods the HP-UX AAA Server supports:
Password Authentication Protocol (PAP)
Not a strong authentication method: the password is sent in clear text between the user and the client, and between the client and the server it is hidden only by an MD5 keystream derived from the shared secret (see Shared Secret), so anyone who obtains the secret can recover it. When used with RADIUS for authentication, the messages exchanged between the client and server to establish a PPP connection correspond to Figure 1-2. This authentication method is most appropriately used where a plaintext password must be available to simulate a login at a remote host. In such use, this method
Challenge Handshake Authentication Protocol (CHAP)
A stronger method than PAP for establishing a connection, because the password itself never crosses the link. When used with RADIUS for authentication, the messages exchanged between the client and server to establish a PPP connection are similar to Figure 1-2. One difference is that a challenge occurs between the user and the NAS before the NAS sends an Access-Request. The user's side must respond by hashing the challenge (usually a random value) together with the password and returning the result; authorized users have software, or in some deployments a device such as a smart card, that can calculate the correct response. The NAS then forwards the challenge and the response in the Access-Request (the CHAP-Challenge and CHAP-Password attributes), which the AAA server uses to authenticate the user. Because the server must recompute the same hash, the user's profile must hold the clear-text password (see Authentication Features).
Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)
An implementation of the CHAP protocol that Microsoft created to authenticate remote
Windows workstations. In most respects, MS-CHAP is identical to CHAP, but there are some
differences. MS-CHAP is based on the encryption and hashing algorithms used by Windows
networks, and the MS-CHAP response to a challenge is in a format optimized for
compatibility with Windows operating systems.
Extensible Authentication Protocol (EAP)
EAP is a framework rather than a single method. Like CHAP it avoids sending the password in clear text over a PPP connection, and it offers more flexibility because it encapsulates method-specific exchanges (an MD5 challenge, a TLS handshake, and so on) in a common envelope, so new methods can be added without changing the access device. EAP messages can in turn be encapsulated in the packets of other protocols, such as RADIUS (the EAP-Message attribute), for compatibility with a wide range of authentication mechanisms. This flexibility also allows EAP to be implemented in ways (LEAP, for example) that suit wireless and mobile environments better than other authentication protocols. With EAP the authentication conversation takes place directly between the user's supplicant and the server; the access device only relays it, rather than taking part as it does with CHAP.
The following EAP methods are supported by the HP-UX AAA Server A.06.01:
• Transport Layer Security (TLS): Uses TLS (also known as SSL) to authenticate the client with its digital certificate. Note: some wireless supplicants require specific extensions to support certificates for EAP. TLS features include dynamic key exchange, mutual authentication, digital certificate or token card based authentication, and encrypted tunnelling.
• Tunneled TLS (TTLS): Can carry additional EAP or legacy authentication methods such as PAP, MS-CHAP, and CHAP inside the TLS tunnel, so it integrates with the widest variety of password storage formats and existing password-based authentication systems. Wireless supplicants are available for a large number of clients. TTLS features include dynamic key exchange, mutual authentication, password-based authentication, and encrypted tunnelling.
• Protected EAP (PEAP): Functionally very similar to TTLS, but carries only EAP methods inside the tunnel, not legacy (non-EAP) methods. PEAP features include dynamic key exchange, mutual authentication, and encrypted tunnelling.
• Message Digest 5 (MD5): The password is proven with an MD5 challenge-response. It provides no mutual authentication and derives no keying material, so it is suitable for protecting access to LAN switches where the authentication traffic will not be transmitted over the air, or for wireless authentication inside an EAP tunnel method. The main feature of MD5 is password-based authentication.
• Lightweight EAP (LEAP): For legacy Cisco equipment only; its MS-CHAP based exchange is exposed to offline dictionary attack, so prefer a tunnelled method wherever the equipment allows. LEAP features include dynamic key exchange, mutual authentication, and password-based authentication.
• Generic Token Card (GTC): Carries user-specific token card credentials for authentication. The main feature of GTC is digital certificate or token card based authentication.
• EAP MS-CHAP: Passwords are hashed using a Microsoft algorithm. Can be deployed for protecting access to LAN switches where the authentication traffic will not be transmitted over the air, or for wireless authentication inside an EAP tunnel method. EAP-MSCHAP features include mutual authentication and password-based authentication.
RADIUS Data Packets
The Access-Request and other RADIUS data packets consist of a 20-octet header (code, identifier, length, and authenticator) followed by a set of attribute-value (A-V) pairs, which the server uses during the AAA transaction. RFC 2865 defines how vendors can extend the protocol: vendor-specific data is encapsulated in the Vendor-Specific attribute (type 26), keyed by the vendor's enterprise number, rather than by reusing standard attribute numbers. Conflicts can occur when a vendor does not follow the RFC; in those cases the server can map the attributes to unique internal values for processing. For a full description of RADIUS attribute-value pairs, see the Administrator's Guide.
Shared Secret
Each RADIUS client and server pair shares a secret that never travels on the wire. The server mixes it into the MD5 Response Authenticator of every reply, so a client can check that an Access-Accept or Accounting-Response came from a server holding the secret, and it is the key used to hide the User-Password attribute with authentication methods such as PAP. Anyone who learns a secret can forge replies to, and recover PAP passwords from, every client that uses it, so give each client its own secret. The HP-UX AAA Server uses the clients configuration file to associate a secret with each client (or server) that is authorized to make use of its services.
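The exchange described under Establishing a RADIUS Session, the packet layout described under RADIUS Data Packets, and the two uses of the shared secret described above, as an added Python example that is not part of this guide or of the HP-UX AAA Server code. It assumes nothing about the HP-UX product: codes and attribute numbers are those of RFC 2865 and RFC 1994, the client secret, user name, password, and the Cisco AV-pair are constructed sample values, and the chap_response helper is included only to show why a CHAP user profile must hold the clear-text password.

```python
import hashlib
import hmac
import os
import struct

# Codes and attribute types from RFC 2865 (RADIUS); CHAP response from RFC 1994
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, VENDOR_SPECIFIC = 1, 2, 18, 26

def hide_password(password, secret, request_auth):
    """RFC 2865 5.2 (PAP): pad to 16 octets and XOR each block with MD5(secret + previous
    block), the first block keyed by the Request Authenticator. This is obfuscation keyed
    by the shared secret, not encryption: whoever holds the secret recovers the password."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return bytes(out)

def reveal_password(hidden, secret, request_auth):
    """Server side of hide_password: regenerate the keystream, XOR, drop the padding."""
    out, prev = bytearray(), request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")

def chap_response(chap_id, password, challenge):
    """RFC 1994: MD5(Identifier + password + challenge). The server can only recompute
    this from the clear-text password, which is why a CHAP profile cannot hold a hash."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()

def avp(attr_type, value):
    """Type(1) Length(1) Value; Length counts the two header octets, so Value <= 253."""
    if not 0 < len(value) <= 253:
        raise ValueError("attribute value length out of range")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value

def vsa(vendor_id, vendor_type, value):
    """Vendor-Specific (26): Vendor-Id(4) then Vendor-Type(1) Vendor-Length(1) Value."""
    return avp(VENDOR_SPECIFIC, struct.pack("!IBB", vendor_id, vendor_type, 2 + len(value)) + value)

def build_packet(code, ident, authenticator, attrs):
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

def parse_packet(data):
    """Return (code, ident, authenticator, [(type, value)]); a Vendor-Specific value is
    decoded to (vendor_id, vendor_type, value). Every length is checked before use."""
    if len(data) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if not 20 <= length <= len(data):
        raise ValueError("bad packet length")
    attrs, pos = [], 20
    while pos < length:
        if length - pos < 2 or data[pos + 1] < 2 or pos + data[pos + 1] > length:
            raise ValueError("bad attribute length")
        t, value = data[pos], data[pos + 2:pos + data[pos + 1]]
        if t == VENDOR_SPECIFIC:
            if len(value) < 6 or value[5] != len(value) - 4:
                raise ValueError("bad vendor-specific attribute")
            value = (struct.unpack("!I", value[:4])[0], value[4], value[6:])
        attrs.append((t, value))
        pos += data[pos + 1]
    return code, ident, data[4:20], attrs

def response_authenticator(code, ident, request_auth, attrs, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(head + request_auth + attrs + secret).digest()

def verify_response(reply, request_auth, secret):
    """True only if the reply was produced by a holder of this client's shared secret."""
    code, ident, auth, _ = parse_packet(reply)
    length = struct.unpack("!H", reply[2:4])[0]
    expected = response_authenticator(code, ident, request_auth, reply[20:length], secret)
    return hmac.compare_digest(auth, expected)

def demo(secret=b"per-client-secret", password=b"hunter2"):
    """NAS builds a PAP Access-Request, the server recovers the password and replies,
    the NAS checks the reply. Returns (password seen by server, verified, verified with
    the wrong secret). All names and values are constructed for this example."""
    req_auth = os.urandom(16)  # Request Authenticator: fresh random value per request
    attrs = (avp(USER_NAME, b"alice@example.org")
             + avp(USER_PASSWORD, hide_password(password, secret, req_auth))
             + vsa(9, 1, b"shell:priv-lvl=15"))  # Cisco (vendor 9) AV-pair, constructed
    request = build_packet(ACCESS_REQUEST, 7, req_auth, attrs)
    code, ident, auth, parsed = parse_packet(request)  # server side
    recovered = reveal_password(dict(parsed)[USER_PASSWORD], secret, auth)
    reply_attrs = avp(REPLY_MESSAGE, b"welcome")
    reply_auth = response_authenticator(ACCESS_ACCEPT, ident, auth, reply_attrs, secret)
    reply = build_packet(ACCESS_ACCEPT, ident, reply_auth, reply_attrs)
    return recovered, verify_response(reply, req_auth, secret), verify_response(reply, req_auth, b"wrong")
```

Because the Request Authenticator is random and the password keystream is chained off it, the same password produces a different User-Password octet string in every request, but the secret is still the only thing standing between a captured packet and the password. Note also that the Access-Request itself carries nothing the server can check against the secret; the Message-Authenticator attribute of RFC 2869 closes that gap and is required when EAP is carried over RADIUS.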
Product Structure
The HP-UX AAA Server, based on a client/server architecture, consists of the following components, which may be installed independently:
• HP-UX AAA Server daemon, libraries, and utilities
• The AAA Server Manager, the user interface that performs administration and configuration tasks from a client's browser for one or more AAA servers
• AAA Server module for Oracle authentication
• Documentation
The exchange of configuration information between a remote AAA server and the AAA Server Manager program is validated by a shared secret. This secret is unique to the Server Manager and a remote AAA server; it should not be the same secret used by an AAA server and the peers it communicates with. The exchange of information between a browser and the client program is not validated or encrypted by default, so administrator logins and configuration changes cross the network in the clear until you configure HTTPS to secure this communication. Refer to the HP-UX AAA Server Administrator's Guide for more information about configuring Server Manager to run over HTTPS.
NOTE
To secure the communication between the Server Manager and the HP-UX
AAA Server, install the Server Manager and the HP-UX AAA Server software
inside a secure network.
AAA Servers
AAA server installations include the AAA server, which performs the authentication, authorization, and accounting functions to process requests, and RMI objects. The RMI objects establish a connection and facilitate communication between the AAA server and the HP-UX Tomcat-based Servlet Engine.
AAA Server Manager Program
The AAA Server Manager uses the HP-UX Tomcat-based Servlet Engine to provide a configuration interface between a web browser and one or more AAA servers. Server Manager is used for starting, stopping, configuring, and modifying the servers. In addition, the program can retrieve logged server sessions and accounting information for an administrator.
The 802.1x Advisor
The 802.1x Advisor is an HTML tutorial/help system in the Server Manager GUI that walks
you through the tasks and Server Manager screens for securing WLANs with the HP-UX AAA
Server. The 802.1x Advisor provides information only—it does not edit configuration files.
Follow the 802.1x Advisor and use Server Manager to create and deploy basic AAA
configurations for securing WLANs. Refer to the HP-UX AAA Server Administrator’s Guide
for complete HP-UX AAA Server documentation. The following figure shows the 802.1x
Advisor.
Figure 1-3  The 802.1x Advisor For Securing WLANs
Accessing the Server Manager
The Server Manager provides access to the AAA server management functions and
configuration files. From a remote client workstation, administrators can access the AAA
Server Manager interface through a Web browser. An administrator can create a AAA
configuration for authenticating users and implementing authorization policies. In addition to
creating, modifying, and deleting entries in many of the server’s configuration files, an
administrator may start and stop the AAA server, access the server’s status and system time,
retrieve information from accounting and session logs, and terminate sessions. You can access
the functions that perform these operations by selecting an item from the Navigation Tree
located in the left frame of the HTML page.
Figure 1-4  The Server Manager User Interface
Some advanced features of the HP-UX AAA Server cannot be configured through the Server
Manager interface. For example, if you want to define session management parameters,
policies, or vendor-specific attributes, you must manually edit the configuration files. Refer to
the HP-UX AAA Server Administrator’s Guide for more information.
IMPORTANT Refer to the HP-UX AAA Server Release Notes for the supported browsers for
each version of the product.
NOTE
The browser preferences or Internet options should be set to always compare
loaded pages to cached pages.
AAA Server Architecture
The HP-UX AAA Server architecture consists of three primary components:
• Configuration files. By editing these flat text files, with either the Server Manager user interface or a text editor, you provide the information necessary for the server to perform authentication, authorization, and accounting for configured users.
• AATV plug-ins, which perform discrete actions such as initiating an authentication request, replying to an authentication request, or logging an accounting record.
• The software engine, which includes the Finite State Machine (FSM) and some associated routines. At server startup, the finite state machine reads instructions from a state table, by default the /etc/opt/aaa/radius.fsmtext file. The state table outlines what AATV actions to call and what order to call them in.
When the server is initialized, it performs a few distinct operations. It loads and initializes the AATV plug-ins, so that actions can be executed when called by the finite state machine. It also reads the configuration files to initialize the data required for the actions to execute according to the application's requirements.
Configuration Files
The HP-UX AAA Server reads data from the following configuration files, installed at /etc/opt/aaa/ by default:

Table 1-1  HP-UX AAA Server Configuration Files

clients
    Information about all RADIUS clients (name, address, shared secret, type, and so on) that allows the server to recognize and communicate with the clients.
authfile
    Authentication type parameters for defined realms.
users
    Information about user IDs, passwords, and check/deny/reply items.
<realm name>.users
    The same information as the users file, but associated with a particular realm. These files are only necessary to perform File type authentication for a defined realm. Realms are recognized by the realm component of the user's Network Access Identifier (the part of user@realm after the @).
    NOTE: This is a user generated file; it does not ship with the product.
decision
    Policy information for user authorization and session control based on any logical group that can be defined with A-V pairs.
    NOTE: This is a user generated file; it does not ship with the product.
las.conf
    Defines services for session control based on realms.
vendors
    Optional entries for vendor-specific behavior.
dictionary
    Defines all attributes and values that may be used to build attribute-value (A-V) pairs recognized by the server. These A-V pairs carry information about requests and responses. This file also contains definitions for all the authentication types that the server recognizes.
log.config
    Specifies the predefined session log formats to use.
aaa.config
    Calls engine.config and contains properties for DHCP relay, SNMP, certificate paths, and tunneling.
iaaaAgent.conf
    Specifies how often the AAA server's SNMP subagent checks whether a master agent is active.
EAP.authfile
    Used to configure EAP authentication for user profiles.
db_srv.opt
    The configuration script for the db_srv environment variables.
engine.config
    Called by aaa.config; stores most of the AAA server properties.
You can find out more information about these files by referring to the HP-UX AAA Server
Administrator’s Guide. Each configuration file also contains comments with examples.
AATV Plug-Ins
AATV plug-ins define the actions that perform functions such as authenticating requests, authorizing, and logging. Built-in actions support authentication of users from information held in different storage methods. The AATV plug-in files are in /opt/aaa/aatv/.
The Software Engine: Finite State Machine
In the Finite State Machine, a request transitions through a series of states, starting with a state that includes the possible starting events. The first action called in response to an initial authentication request returns a value, an event that determines the next state to transition to. Within each state, the next action is triggered by an event (determined by the previous state and action and by the value, typically ACK or NAK, returned by the previous action), which in turn directs the flow of the request to another state, until an End state is reached.
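A table-driven state machine of the kind described above, as an added Python illustration written for this guide; it is not the HP-UX AAA Server engine, and the state names, actions, user store, and table layout are invented for the example rather than taken from the radius.fsmtext syntax.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

ACK, NAK = "ACK", "NAK"  # the two events an action normally returns


@dataclass
class Request:
    """One request as it moves through the engine; fields are constructed for the example."""
    user: str
    password: str
    reply: str = ""
    trace: List[str] = field(default_factory=list)


# Constructed stand-in for a users file: user name -> clear-text password.
USERS = {"alice": "hunter2"}


def authenticate(req: Request) -> str:
    """Action: check the profile; ACK on a match, NAK otherwise."""
    req.trace.append("authenticate")
    return ACK if USERS.get(req.user) == req.password else NAK


def send_accept(req: Request) -> str:
    req.trace.append("send_accept")
    req.reply = "Access-Accept"
    return ACK


def send_reject(req: Request) -> str:
    req.trace.append("send_reject")
    req.reply = "Access-Reject"
    return ACK


def log_record(req: Request) -> str:
    req.trace.append("log:%s:%s" % (req.reply, req.user))
    return ACK


Action = Callable[[Request], str]

# State table: (current state, event) -> (action to run, state to enter).
# The value the action returns is the event used for the next lookup.
STATE_TABLE: Dict[Tuple[str, str], Tuple[Action, str]] = {
    ("Start", "ACCESS_REQUEST"): (authenticate, "Authenticating"),
    ("Authenticating", ACK): (send_accept, "Replying"),
    ("Authenticating", NAK): (send_reject, "Replying"),
    ("Replying", ACK): (log_record, "End"),
}


def run(req: Request, event: str = "ACCESS_REQUEST", max_steps: int = 16) -> Request:
    """Drive one request from Start until the End state. A (state, event) pair with no
    row, or a table that never reaches End, is an engine error; it fails closed rather
    than falling through to an accept."""
    state = "Start"
    for _ in range(max_steps):
        if state == "End":
            return req
        if (state, event) not in STATE_TABLE:
            raise RuntimeError("no transition from state %s on event %s" % (state, event))
        action, state = STATE_TABLE[(state, event)]
        event = action(req)
    raise RuntimeError("state table did not reach End within %d steps" % max_steps)
```

The point to take from this is that the engine itself contains no authentication logic: every decision lives in the table, so a mistaken row (an ACK and a NAK both routed to send_accept, say) changes the server's behaviour without any code change, which is why the state table deserves the same review as the users and clients files.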
HP-UX AAA Server Features
General Features
• Compliant with the RADIUS protocol standards RFC 2865 and RFC 2866
• Supports NASs from multiple vendors with a single server (multi-vendor dictionary that includes Nortel®, Cisco®, Lucent®, and others)
• Configurable dictionary that allows the definition of new vendors and vendor-specific attributes and values
• Dictionary includes attributes from RFCs 2865, 2866, 2867, 2868, and 2869
• Vendor-specific attribute translation
• Configurable attribute-value pruning behavior (based on dictionary and clients file definitions)
• Various configurable (through aaa.config) internal queue and buffer sizes
• Persistent user session table and automatic recovery of session information after a server reload
• Engine support of loadable plug-in modules
Authentication Features
• Distributed authentication (proxy) by realms (RADIUS type authentication)
• Support for the PAP authentication protocol by all supported authentication types
• Support for CHAP (a clear text password is required in the user profile)
• Support for MS-CHAP
• Support for EAP authentication for wireless LAN access points and switches (including EAP-MD5, EAP-TLS, EAP-TTLS, EAP-PEAP, EAP-GTC, and EAP-LEAP)
• Authentication of users with profiles defined in a flat text file that the server loads into memory (clear text or UNIX-style encrypted passwords)
• Authentication of users defined in an /etc/passwd file
• Authentication using multiple sets of user definition and realm definition files (users and authfile files) keyed by network access server (NAS)
• Supports multiple user definition (realm) files keyed by realm (File type authentication)
• Authentication of users defined in an LDAP server (ProLDAP™ type authentication), including support of the {clear} indicator for clear text passwords
• Authentication of users defined in an ORACLE database
• UNIX bigcrypt() for users defined in a flat file or LDAP directory
• Load balancing and failover when authenticating users stored in an LDAP directory server or Oracle database
Authorization Features
• Support of simple authorization policy through check and deny attribute-value pair items specified in users files
• Support for definition of reply item attribute-value pairs in a users file
• Support of simple authorization policy through check and deny attribute-value pair items specified in realm files (File type authentication) or an LDAP directory server (ProLDAP type authentication)
• Support for definition of reply item attribute-value pairs through realm files, an LDAP directory server, or an Oracle database
• Support of complex authorization policy construction through Boolean expressions with attribute-value pair operands
• Supports simultaneous session limitation by user and by realm
Accounting Features
• Generates Merit or Livingston reference accounting detail files (accounting start and stop RADIUS messages from the network access server (NAS)), known as call detail records (CDR)
• Supports distributed accounting (proxy) by realms (RADIUS type authentication)
Admin and Debug Tools/Features
• Server Manager Graphical User Interface (GUI) for managing multiple AAA servers
• 802.1x Advisor HTML help system to quickly secure WLANs with the HP-UX AAA Server
• DHCP interface for the AAA Server to assign IP addresses generated by a DHCP server
• Support for Simple Network Management Protocol (SNMP)
• “Self-signed” AAA Server digital certificates created during installation allow for a secured TLS, TTLS, and PEAP environment without having to generate your own certificates
• Generates server activity logfiles, compressed daily
• Optional debug levels for greater server log output to help debug problems
• Packaged with a RADIUS protocol client (radpwtst) for testing and debugging
• Packaged with a utility (radcheck) to check the status of the server
• Script (las.test.sh) tests simultaneous session control to aid in session performance testing of the server
Installing and Starting the HP-UX AAA Server
Installing the HP-UX AAA Server
IMPORTANT Be sure to review the HP-UX AAA Server Release Notes before installation. The Release Notes list the requirements for each release, including installation, patch, and browser requirements. You can access the Release Notes online at:
http://docs.hp.com/hpux/internet/index.html#HP-UX%20AAA%20Server%20%28RADIUS%29
The following components are installed when you install the HP-UX AAA Server:
• AAA Server binaries, libraries, and utilities
• RMI objects that facilitate communication from the AAA server to Server Manager
• AAA server AATV module for authentication
Perform the following steps to install the HP-UX AAA Server:
Step 1. Log in to your system as root.
Step 2. Verify the product requirements are installed.
Step 3. Verify the required patches are installed.
it to /tmp
Step 5. Verify you downloaded the file correctly: # swlist -d -s /tmp/<AAA Server>.depot
Step 6. Stop any active Tomcat processes. Use /opt/hpws/tomcat/bin/shutdown.sh to stop Tomcat.
Step 7. Install the AAA Server: # swinstall -s /tmp/<AAA Server>.depot
NOTE If the installation is not successful, an error message is displayed. The cause of the failure will appear at the end of the /var/adm/sw/swagent.log file.
Starting the HP-UX AAA Server
NOTE Refer to the Securing the HP-UX AAA Server section in the HP-UX AAA Server Administrator’s Guide for information on securing your HP-UX AAA Server.
Use the following steps to start the HP-UX AAA Server and the Server Manager graphic user interface:
Step 1. Enter the following command: # export JAVA_HOME=/opt/java1.4
Step 2. Start the RMI objects to allow the AAA server software to communicate with Server Manager. Use the following command: # /opt/aaa/remotecontrol/rmistart.sh
Step 3. Start the HP-UX Tomcat-based Servlet Engine to allow a web browser to connect to it. Use the following command: # /opt/hpws/tomcat/bin/startup.sh
Step 4. Point your web browser to the following URL to manage the HP-UX AAA Server with the Server Manager interface: http://<IP-Address or FQDN>:8081/aaa
NOTE The default Server Manager username is tomcat. The default Server Manager password is tomcat.
Step 5. Select Administration in the Navigation Tree. Verify the AAA server you want to start is selected in the Server Status Frame. Click the Start button.
Starting and Stopping the RMI Objects
• Start = /opt/aaa/remotecontrol/rmistart.sh
• Stop = /opt/aaa/remotecontrol/rmistop.sh
• Status = # netstat -a |grep 7790
Starting and Stopping Tomcat
• Start = /opt/hpws/tomcat/bin/startup.sh
• Stop = /opt/hpws/tomcat/bin/shutdown.sh
• Status = # netstat -a |grep 8081
Testing the Installation
To quickly test the server installation, you will use Server Manager to add a loopback connection to an AAA server, start the server, and then check its status for a response. Use the following steps to test the server installation:
Step 1. Connect to Server Manager and start the AAA server. See “Starting the HP-UX AAA Server” on page 22.
Step 2. Select the Server Connections link from the Navigation Tree and then select the Connect to Server link.
Step 3. Enter the values for your server in the Add Connection screen that appears and select Create:
Name
    The identifying string of a remote server.
Domain Name or IP Address
    The IP address (in dotted-quad notation) or valid Domain Name System (DNS) host name of the AAA server that the connection maps to.
Step 4. Verify the server is listed and selected in the Server Status frame.
Step 5. Select the Administration link from the Navigation Tree.
Step 6. Select Start.
Step 7. Verify the server started. A green “GO” icon in the Server Status frame indicates the server is running.
Step 8. Verify the server is selected in the Server Status frame and then select the Status option.
Step 9. Check Server Manager’s Message Frame for the status reply. The following reply at the bottom of the Message Frame indicates the server is running correctly:
“<server name> (port#)” is responding
NOTE If you did not receive this message, refer to the Troubleshooting chapter in the HP-UX AAA Server Administrator’s Guide.
Step 10. Verify your HP-UX AAA Server is installed and operating correctly by using the test user (named test_user) created during installation. After test_user is authenticated and the AAA server sends an Access-Accept, the client sends an Accounting-Request to start the session. After the session is terminated, the client sends an Accounting-Request stop message to stop the session logging and the AAA server writes the session information to a file.
a. Enter the following command:
# /opt/aaa/bin/radpwtst -s localhost -i 10.0.0.1 -l 1 test_user
This command simulates an Access-Request from port 1 of a NAS with an IP address of 10.0.0.1. When prompted for a password, enter: password. The command should return the following output:
’test_user’ authentication OK
b. Enter the following command:
# /opt/aaa/bin/radpwtst -c 4 -s localhost -i 10.0.0.1 -l 1 -u ppp -:Acct-Status-Type=Start test_user
This command simulates an Accounting-Request start message, activating the user’s PPP session. The command should return the following output:
Accounting Response received
c. Enter the following command:
# /opt/aaa/bin/radpwtst -c 4 -s localhost -i 10.0.0.1 -l 1 -u ppp -:Acct-Status-Type=Stop test_user
This command simulates an Accounting-Request stop message, terminating the user’s session. The command should return the following output:
Accounting Response received
d. View the session logs for test_user’s start and stop accounting messages by selecting Accounting in Server Manager’s Navigation Tree and clicking Display.
IMPORTANT HP recommends removing test_user or changing its default password before deploying your HP-UX AAA Server in a production environment. See the Securing the HP-UX AAA Server section in the HP-UX AAA Server Administrator’s Guide.
Installation Defaults
The HP-UX AAA Server can be run as the root user; however, running it as a non-root user is recommended. A user and group, both named aaa, will be created during installation. The HP-UX AAA Server can be run as a non-root user, using the default aaa user created during installation, or any other user who is part of the aaa group.
IMPORTANT Do not remove the default login aaa and group aaa created during installation, even if you prefer not to use them.
Table 2-1 File Locations Upon Installation
/opt/aaa/aatv
    Server modules and plug-ins
/opt/aaa/bin
    Server daemons and utilities:
    • db_srv: Oracle client daemon for authentication
    • las.test.sh: script to create simulated sessions for testing
    • radcheck: AAA Server test utility (like the ping command)
    • raddbginc: controls server debug output
    • radiusd: AAA Server executable
    • radpwtst: AAA test client utility
    • start_db_srv: script to start the Oracle client daemon
    • stop_db_srv: script to stop the Oracle client daemon
/opt/aaa/examples/config
    Finite state machine, group policy example files:
    • *.fsm: sample finite state machine (FSM) tables
    • *.grp: sample decision files
/opt/aaa/examples/oracle
    • create.sql: SQL script to create Oracle users table
    • delete.sql: Sample SQL script to delete Oracle user records
    • insert.sql: Sample SQL script to add Oracle user records
/opt/aaa/examples/proldap
    ProLDAP schema and sample LDIF files
/opt/aaa/lib (note that shared library files have .so file extensions on HP-UX 11i v2.0 (B.11.23))
    Shared libraries:
    • libradlib.sl: contains functions that interface with the main server
    • librpilib.sl: contains functions for programs and utilities
    • libjniAgents.sl: contains functions for Server Manager
/opt/aaa/newconfig
    Default configuration files. Files residing here are copied to the /etc/opt/aaa directory during installation.
/etc/opt/aaa/security/
    Directory containing a unique set of “self-signed” digital certificates created during installation.
/opt/aaa/share/man/man5 and ~/man1m
    Directories where man pages are installed
/opt/aaa/share/doc/
    Directory containing the Administrator’s and Getting Started guides.
/etc/opt/aaa
    Configuration files:
    • aaa.config: runtime and tunneling configuration file
    • authfile: realm to authentication-type mapping file
    • clients: client to shared secret mapping file
    • db_srv.opt: configuration script for db_srv environment variables
    • dictionary: definition file required by radiusd
    • las.conf: authorization and accounting configuration file
    • log.config: session logging configuration file
    • radius.fsm: external FSM table for the server
    • users: holds user security profiles and reply items
    • vendors: holds IANA numbers and other vendor specific details
    • engine.config: called by aaa.conf, this file stores most of the AAA server properties
    • EAP.authfile: used to configure EAP authentication for user profiles
    • iaaaAgent.conf: specifies how often the AAA server’s SNMP subagent will check to see if a master agent is active
    • aaa.config.license: do not alter this file
    • RADIUS-ACC-SERVER-MIB.txt: text file describing RADIUS Accounting MIB definitions
    • RADIUS-AUTH-SERVER-MIB.txt: text file describing RADIUS Authentication MIB definitions
The following table lists the files generated during operation and located in /var/opt/aaa/ by default:
Table 2-2 Files Generated During Operation
/acct/session.yyyy-mm-dd.log
    Default session accounting logs, Merit style
/data/session.las
    Session log file of the currently active sessions
/ipc/*.sm
    Shared memory files related to the interface used for some authentication types.
    IMPORTANT: You must not alter or delete the shared memory (*.sm) files. The server will not operate correctly if the files are changed or removed from the ipc directory.
/logs/logfile
    The server log file
/logs/logfile.yyyymmdd
    Compressed daily or weekly log files
/radacct/*
    For session accounting logs in Livingston call detail records directory style format (not generated by the default configuration)
/run/radius.pid
    Contains the process id (pid) for the server.
Commands, Utilities, & Daemons
Table 2-3 Commands, Utilities, & Daemons
db_srv
    The db_srv daemon performs Oracle database access operations for authentication on behalf of one or more remote HP-UX AAA Servers.
radcheck
    Sends RADIUS status and protocol requests to an AAA server and displays the replies. Receiving the reply confirms that the HP-UX AAA Server is operational. radcheck can be invoked on any host by any user; however, the HP-UX AAA server will return more information to registered clients.
raddbginc
    Sets the debug logging level for the currently running HP-UX AAA Server. Turn debugging on and off or set the level of output while the AAA Server is running.
radiusd
    A daemon process that services user authentication and accounting requests from RADIUS clients. Authentication and accounting requests come to radiusd in the form of UDP packets conforming to the RADIUS protocol. It runs as a daemon that can be started from the Server Manager GUI, the command line, or through an inetd service. radiusd determines the action to take when receiving RADIUS requests based upon a finite state machine (FSM) loaded into memory when radiusd is started. The FSM is configurable, but static after startup.
radpwtst
    A utility used to simulate a RADIUS client when troubleshooting or validating configuration for the HP-UX AAA Server. It will prompt for the user password (when not supplied by the -w option). If the request to the AAA server succeeds, radpwtst displays authentication OK on standard output. Otherwise, radpwtst displays <userid> authentication failed.
start_db_srv.sh
    Script to start the Oracle authentication client daemon db_srv.
stop_db_srv.sh
    Script to stop the db_srv daemon and its child process(es).
las.test.sh
    Script to create simulated sessions for testing.
Uninstalling the HP-UX AAA Server Software
Use the following steps to uninstall the HP-UX AAA Server:
Step 1. Select Administration in the Navigation Tree. Verify the AAA server you want to stop is selected in the Server Status Frame. Click the Stop button to stop the server.
Step 2. From the command line, stop the RMI objects and Tomcat. Refer to “Starting and Stopping the RMI Objects” and “Starting and Stopping Tomcat” on page 22 for more information.
NOTE You may have to enter the following command if you have not already: # export JAVA_HOME=/opt/java1.4
Step 3. Stop the db_srv server if it is running. Use the following command to determine if db_srv is running: $ ps -ef |grep db_srv
You can stop db_srv servers with the /opt/aaa/bin/stop_db_srv.sh script.
Step 4. Remove all files residing in the /var/opt/aaa/ and /opt/hpws/tomcat/webapps/aaa/aaalog/ subdirectories. Log out anyone using the HP-UX AAA Server administrator login “aaa”.
Step 5. As the root user, enter “swremove T1428AA” or “swremove” at the command prompt to invoke the standard HP-UX GUI and select the T1428AA bundle for removal. See the swremove man page for more information on this command.
Basic Configuration Tasks
Storing User Profiles
The user information that determines how an access request is authenticated and authorized is configured in a profile as a set of A-V pairs. These user profiles are grouped by realm and may be stored in flat text files or an external source such as an Oracle database or an LDAP server. Realms are recognized by the realm component of a user’s Network Access Identifier. If you have a small AAA deployment without several realm-specific configurations, you can define a default realm and store it in the users file.
Storing User Profiles in the Default Users File
When the AAA server receives a request, before it checks for profiles grouped by realms, it first checks the default users file for a matching profile. Use the following steps to store user profiles in the default users file:
Step 1. Access the Server Manager.
Step 2. Load the configuration from the appropriate AAA server by selecting the Load Configuration link from the Navigation Tree.
Step 3. Select the Users link from the Navigation Tree.
Step 4. Select the New User link.
Step 5. The User Attributes screen will appear. In the User Name text box, enter the name of the user profile.
IMPORTANT You must enter the user’s fully-qualified name when adding to the default users file. For example, enter [email protected] instead of only entering user1.
Step 6. Select Local from the Authentication Type list to authenticate the user with the authentication method configured for their realm. Selecting options other than Local will supersede the authentication method configured for the user’s realm and define a specific authentication method for that individual user.
Step 7. Enter a password for the user and confirm it by entering it again.
Step 8. Choose how you want to store the user’s password by selecting a hashing method in the Password Hashing Mechanism field. Select Plain Text to be compatible with most client password hashing methods. If you prefer not to use Plain Text, be sure
the method you choose is compatible with the client password hashing method. The following table lists the supported client password hashing methods and the storage hash you should use for each method:
Table 3-1 Password Hashing Compatibility
Client Password Hash    Storage Hash
PAP                     Any
MSCHAP                  NT Hash or Plain Text
MD5                     MD5 or Plain Text
GTC Static              Any
Step 9. You may enter values in the remaining fields to control the user’s session. These fields are optional and correspond to RADIUS A-V pairs that are explained in more detail in the HP-UX AAA Server Administrator’s Guide.
Step 10. Select the Create button.
Step 11. Select Save Configuration from the Navigation Frame. If you have multiple remote servers, you will be prompted to select and confirm which servers you wish to add the access device entry to.
CAUTION Save Configuration will save the entire server configuration (access devices, proxies, local realms, users, and server properties) to the servers you specify.
Grouping Users by Realm
While the HP-UX AAA Server can authenticate an individual user, you may want to authenticate and provision a group of users according to a common criterion, like an authentication type. One method of grouping users is according to the realm to which they belong, where sample.com is the realm. Use the following steps to store user profiles in a flat text file grouped by realm:
Step 1. Access Server Manager.
Step 2. Select the Local Realms link from the Navigation Tree and then select the New local realm link.
Step 3. In the Name field, enter the realm name.
Step 4. Select Authentication from the Realm Type drop-down list.
Step 5. Select Users File in the User Profile Storage drop-down list.
Step 6. Select the Users Profile Grouped by Realm button in the User Storage Parameters field. Identify a file to store the user information for the realm by entering a name in the File Name box. The AAA server adds a .users extension to the value you enter in the File Name box. Do not enter a path or use the / character.
Step 7. In the Security Methods field, choose the authentication methods to authenticate the users from the realm.
Step 8. Select the Create button.
Step 9. Return to the Local Realms screen to add user profiles to the realm.
Step 10. From the Local Realms screen, select the following icon for the realm that you wish to add user profiles for:
Step 11. From the Users screen, select the New User link.
Step 12. In the User Name text box, enter the name of the user profile.
Step 13. In the Password text box, enter the value to compare to the Password attribute value in the request. Confirm the password by entering it again.
Step 14. You may enter values in the remaining fields to control the user’s session. These fields are optional and correspond to RADIUS A-V pairs that are explained in more detail in the “A-V Pairs” chapter of the HP-UX AAA Server Administration and Authentication Guide.
Step 15. Select the Create button in the User Attributes screen.
Step 16. Repeat steps 9 to 13 for each user profile you wish to add to the realm.
Step 17. Repeat these steps to add additional realms and groups of users.
Step 18. Select Save Configuration from the Navigation Frame. If you have multiple remote servers, you will be prompted to select and confirm which servers you wish to add the access device entry to.
CAUTION Save Configuration will save the entire server configuration (access devices, proxies, local realms, users, and server properties) to the servers you specify.
Adding and Modifying Users
User profiles associate information with a user name for authentication and authorization. This information is defined by attribute-value pairs. The server configuration must include profiles for all the users that can access services through the AAA server. If a user profile is not included in the configuration, the server will reject the user’s access request.
Profiles may be stored in flat text files or an external source. The Users screen allows you to add a new user, modify an existing user, or delete an existing user from a text file. This screen is accessed by selecting the Users link from the graphic interface’s Navigation Tree.
When adding a new user profile to the server configuration or modifying an existing entry, you supply values for the user profile attributes through a form’s fields. This form is tabbed according to groups of attribute-value pairs. Initially, the General tab is active.
Figure 3-1 Server Manager’s General User Attributes
User Name:
    Value to compare to the User-Name attribute value in the request. It must be less than 64 characters. The &, “, ~, \, /, %, $, ‘, and space characters may not be used.
    IMPORTANT You must enter the user’s fully-qualified name when adding to the default users file (using the Users link in the Navigation Tree): for example, enter
Authentication Type:
    Use this field to supersede the Authentication type specified in the user’s realm. Selecting Local will use the authentication method specified by the user’s realm.
Password and Confirm Password:
    Enter the user’s password and confirm it by entering it again.
Password Hashing Mechanism:
    Choose how you want to store user passwords by selecting a hashing method. Select Plain Text to be compatible with most client password hashing methods. If you prefer not to use Plain Text, be sure the password storage hashing method you choose is compatible with the client password hashing method as described in Table 3-1 on page 33.
The remaining fields and tabs in the Define Users screen allow you to specify two types of user profile attributes: check items and reply items.
Check Items:
An optional list of zero or more attribute-value pairs, delimited by white
space. These items indicate various attribute values that the server will
compare to the corresponding attribute values in the Access-Request.
Reply Items:
Reply items generally get returned to configure the client for the user’s
session. They include information like PPP configuration values, the name
of the host that the user wishes to connect to, or an optional packet filter
name.
Each of the fields on the first four tabs (General, NAS/Login, Framed, and Others)
corresponds to an attribute that can be used in a user profile as a check or reply item. When
specifying attribute values through these tabs, all A-V pairs that may ordinarily be used as
either a check or a reply item in a server configuration are automatically added as a reply
item, unless the Free tab is used.
There are many more attributes, including vendor-specific attributes, that can be added to a
user profile. The Free tab allows you to enter any of these attributes in the Check and Reply
list boxes.
Figure 3-2 Server Manager’s Free User Attributes Screen
To add attributes to the list boxes, follow the Attribute = Value syntax. A-V pairs may be listed one per line. When adding a new user profile, you select the Create button to submit it to the AAA Server Manager. When modifying an existing profile, you select the Modify button to submit changes to the user profile. In either case, if each field contains a valid value, the profile will be created or modified; otherwise, an error message is displayed. You can always select the Cancel button and return to the Users screen without making any changes to your server configuration.
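The check-item and reply-item model described above, as an added Python example that is not code from the HP-UX AAA Server: it parses the Attribute = Value lines of a profile, rejects a request whose profile is missing or whose check items do not match, and returns the reply items on an Access-Accept. The profile values, the request layout, and the exact-match comparison rule are constructed assumptions for this illustration, not the product's own users-file grammar.

```python
"""Added example (not HP-UX AAA Server code): simplified check-item gating of an
Access-Request and return of reply items on Access-Accept.

Assumptions (hypothetical): 'Attribute = Value' lines use exact string matching,
the request is a flat attribute->value dict, and the password is compared as
plain text. The real server's users-file syntax and matching rules are richer.
"""
from dataclasses import dataclass, field
from typing import Dict, Tuple, Union


@dataclass
class UserProfile:
    user_name: str
    password: str
    check_items: Dict[str, str] = field(default_factory=dict)
    reply_items: Dict[str, str] = field(default_factory=dict)


def parse_av_pairs(text: str) -> Dict[str, str]:
    """Parse the 'Attribute = Value' syntax, one pair per line.

    Blank lines are skipped. A line without '=' or with an empty side is an
    error, mirroring the "valid value" check the Server Manager form applies.
    The value may itself contain '=': only the first '=' separates the pair.
    """
    pairs: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected 'Attribute = Value', got {line!r}")
        attr, value = (part.strip() for part in line.split("=", 1))
        if not attr or not value:
            raise ValueError(f"line {lineno}: empty attribute or value")
        pairs[attr] = value
    return pairs


def evaluate_request(profiles: Dict[str, UserProfile],
                     request: Dict[str, str]) -> Tuple[str, Union[Dict[str, str], str]]:
    """Return ("Access-Accept", reply_items) or ("Access-Reject", reason).

    Every check item in the profile must equal the corresponding attribute in
    the Access-Request; a missing profile is rejected outright.
    """
    profile = profiles.get(request.get("User-Name", ""))
    if profile is None:
        return "Access-Reject", "no user profile in configuration"
    if request.get("User-Password") != profile.password:
        return "Access-Reject", "password mismatch"
    for attr, wanted in profile.check_items.items():
        if request.get(attr) != wanted:
            return "Access-Reject", f"check item {attr} = {wanted} not satisfied"
    return "Access-Accept", dict(profile.reply_items)


# Constructed sample profile; the names and values are made up for this example.
SAMPLE_PROFILE = UserProfile(
    user_name="[email protected]",
    password="password",
    check_items=parse_av_pairs("NAS-IP-Address = 10.0.0.1\nService-Type = Framed-User\n"),
    reply_items=parse_av_pairs("Framed-Protocol = PPP\nSession-Timeout = 3600\n"),
)
PROFILES = {SAMPLE_PROFILE.user_name: SAMPLE_PROFILE}


def demo_accept():
    """Request from the NAS named in the check items: accepted, reply items returned."""
    request = {"User-Name": "[email protected]", "User-Password": "password",
               "NAS-IP-Address": "10.0.0.1", "Service-Type": "Framed-User"}
    return evaluate_request(PROFILES, request)


def demo_reject_wrong_nas():
    """Same user and password, but from a NAS the check item does not allow: rejected."""
    request = {"User-Name": "[email protected]", "User-Password": "password",
               "NAS-IP-Address": "192.0.2.9", "Service-Type": "Framed-User"}
    return evaluate_request(PROFILES, request)


if __name__ == "__main__":
    print(demo_accept())
    print(demo_reject_wrong_nas())
```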
Session Logging and Monitoring
You can view the log files that record the details of each AAA transaction or the session logs
that record information about each user's session. You can also access information for active
sessions and manually terminate a session if necessary.
These functions can be accessed by selecting the Maintenance menu items from the Server Manager Navigation Tree. When you use any of these functions, you will retrieve information from all servers selected in the Server Manager’s Server Status section.
Viewing User Session
After a user is successfully authenticated and the AAA server sends an Access-Accept, the access device will send an Accounting-Request message to start the session. The AAA server stores information about the session in an active session record. When the user’s session is terminated, the client sends an Accounting-Request message to stop the session. When an AAA server receives the stop message, it clears its active record for the session and writes the session information to a file. Use the following steps to display session information for a particular user:
Step 1. Through the Server Manager interface, select the Sessions link from the Navigation Tree located in the left frame of the browser.
Step 2. Enter search parameters in the Session Filter screen that appears. Retrieved sessions will be restricted to the specified search parameters.
Figure 3-3 Sessions Search Filter Screen
Step 3. Select the Display button. The AAA server manager will display a list of active sessions.
Step 4. Select a session. The AAA server manager will display the attributes for the
selected session.
Step 5. Select the OK button when you are done reading the session.
Stopping a Session
This procedure is intended for sessions that were terminated on the access device but are
maintained as active by the AAA server.
Step 1. Follow the “Viewing User Session” on page 39 procedure.
Step 2. Select the Stop button from the Session Attributes screen. The AAA server will
clear its record of the active session, but no action is taken by the access device.
Viewing Server Logfiles
The log file of the AAA server contains all the information concerning the functioning of the server, such as: start/stop of the server, all of the RADIUS requests, and some internal events. Selecting the Server Logfile link in Server Manager’s Navigation Tree allows you to retrieve information from log files. The data is automatically stored each day in a different file. They are available as long as the corresponding files are still on the disk.
• /var/opt/aaa/logs/logfile: the server log file
• /var/opt/aaa/logs/logfile_part<01-09>.yyyymmdd: compressed daily log file
NOTE If the logfile exceeds its size limit (as configured in the File Size Property in the Server Properties link), a new logfile for that day will be created and identified by the part<01-09> portion of the logfile file name.
Figure 3-4 Server Manager’s Logfile Screen
Search Parameters
You can filter what dates and times to retrieve from the logfile.
Table 3-2 Filter Parameters for Searching Logfiles
Begin (server time)
    The date and time of the session to begin retrieving data from.
End (server time)
    The date and time of the last session to retrieve data from.
User
    Limits the result of the search command to messages related to a specific user. For example, you may wish to find why a user is not able to authenticate.
Number of Messages
    Limits the result of the search command to the specified number of messages.
NOTE
You can filter what data to retrieve according to the type of messages. For each
message type, you indicate whether the message type should or should not be
retrieved by selecting the Yes or No radio buttons. Refer to the HP-UX AAA
Server Administration and Authentication Guide for more information.
Viewing Server Statistics
Selecting the Statistics link from Server Manager’s Navigation Tree allows you to retrieve a count of events that occurred on the AAA server within a time range. The statistics are displayed using a bar graph.
Figure 3-5 Server Manager’s Statistics Screen
Table 3-3 Statistic Search Parameters
Begin (server time)
    The date and time of the session to begin retrieving data from.
End (server time)
    The date and time of the last session to retrieve data from.
Securing WLANs with the HP-UX AAA Server
The HP-UX AAA Server provides a security framework to support EAP authentication mechanisms for WLAN users. The HP-UX AAA Server allows authentication of wireless users with password or non-password based mechanisms and supports dynamic key generation for data encryption between the access point and wireless stations.
IMPORTANT To configure the HP-UX AAA Server to secure WLANs, refer to the 802.1x Advisor and the HP-UX AAA Server Administrator’s Guide. The 802.1x Advisor is available from the Server Manager interface and walks you through the steps and screens for securing WLANs with the HP-UX AAA Server.
4 Glossary of Terms
802.1x Advisor
The 802.1x Advisor is an HTML tutorial/help system in the Server Manager
GUI that walks you through the tasks and Server Manager screens for
securing WLANs with the HP-UX AAA Server.
AAA
Abbreviation for Authentication, Authorization, and Accounting.
AAA Server
A software application that performs authentication, authorization, and
accounting functions.
Accounting
Logging session and usage information for session control and billing purposes.
Access-Accept
The AAA server returns an Access-Accept to the client when an
Access-Request is valid. The Access-Accept will contain A-V pairs that
specify what services the authenticated user is authorized to use.
Access-Challenge
The AAA server returns an Access-Challenge to the client when it is
necessary to issue a challenge that the user must respond to. The client will
resubmit the request with the user-supplied information to the AAA server.
Access-Reject
The AAA server returns an Access-Reject to the client when an
Access-Request is invalid.
Access-Request
Created by the client, the Access-Request contains A-V Pairs, such as the
user’s name, password, and ID of the client. The client submits the
Access-Request to an AAA server. If the server can validate the client, the
server will attempt to match a user entry in its database with information
in the Access-Request to authenticate the user.
Administrator
Special user, known by the system on which the AAA server is running and
is able to configure and to manage the AAA server.
Application Service Provider
Third-party entities that manage and distribute software-based services
and solutions to customers across a wide area network from a central data
center, abbreviated as ASP.
ASP
Application Service Provider.
Attribute-Value Pair
The RADIUS protocol defines things in terms of attributes. Each attribute
may take on one of a set of values. When a RADIUS packet is exchanged
between clients and servers, one or more attributes and their values are
sent pairwise from the client to the server. For the AAA Server software,
all valid attributes and values are listed in the dictionary file.
Abbreviated as A-V pair.
Authentication
The process of identifying and proving the identity of an entity, for example,
a user, a network client, or a network server.
Authorization
The process of determining what types of activities are permitted. Usually,
authorization is in the context of authentication; once users are
authenticated, they may be authorized for different types of access or activity.
A-V Pair
Attribute-value pair.
Challenge Handshake Authentication Protocol
Log-in security procedure for dial-in access. Rather than send an
unencrypted password, a random number is sent to the client as a challenge.
The challenge is one-way hashed with the password, and the result is sent
back to the server. The server does the same with its copy of the password
and verifies that it gets the same result to authenticate the user,
abbreviated as CHAP.
CHAP
See Challenge Handshake Authentication Protocol.
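The challenge/response exchange described under Challenge Handshake Authentication Protocol, as an added Python illustration that is not code from the HP-UX AAA Server product: the one-way hash is MD5 over the CHAP Identifier, the password, and the challenge as defined in RFC 1994, and the helper names and sample password are constructed for the example.

```python
import hashlib
import secrets

# Constructed example of CHAP (RFC 1994) as relayed by a RADIUS client to the
# AAA server. Function names are hypothetical, not a product API.

def chap_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """Client side: MD5(Identifier || password || Challenge).

    The password itself never goes on the wire, only this 16-byte digest.
    """
    return hashlib.md5(bytes([identifier & 0xFF]) + password + challenge).digest()

def new_challenge(length: int = 16) -> bytes:
    """Server side: a fresh, unpredictable challenge for every attempt, so a
    captured response is useless against any later challenge."""
    return secrets.token_bytes(length)

def verify_chap(identifier: int, stored_password: bytes, challenge: bytes,
                response: bytes) -> bool:
    """Server side: recompute the digest with its own copy of the password and
    compare in constant time; True maps to Access-Accept, False to Access-Reject."""
    if len(response) != 16:
        return False
    expected = chap_response(identifier, stored_password, challenge)
    return secrets.compare_digest(expected, response)

def demo() -> dict:
    """Walk through a correct login, a wrong password, and a replayed response."""
    stored = b"correct horse"            # constructed sample password on the server
    ident = 1
    chal1 = new_challenge()
    good_resp = chap_response(ident, stored, chal1)
    bad_resp = chap_response(ident, b"wrong guess", chal1)
    chal2 = new_challenge()              # next attempt gets a new challenge
    return {
        "good": verify_chap(ident, stored, chal1, good_resp),
        "bad_password": verify_chap(ident, stored, chal1, bad_resp),
        "replayed": verify_chap(ident, stored, chal2, good_resp),
    }

if __name__ == "__main__":
    print(demo())
```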
Client
NAS, proxy server, or other networking device that uses the AAA server
services to authenticate and authorize users.
Common Open Policy Service
A query and response protocol that can be used to exchange policy
information between a policy server (Policy Decision Point or PDP) and its
clients (Policy Enforcement Points or PEPs, such as a router), abbreviated
as COPS.
COPS
See Common Open Policy Service.
Dialed Number Identification Service
Each request is authenticated locally or forwarded to a remote server
according to the number called to access a network service.
DNIS
See Dialed Number Identification Service.
EAP
Extensible Authentication Protocol. Described in RFC 2284.
Finite State Machine
The Finite State Machine is the component of the AAA Server software that
controls the flow of access request authentication and accounting request
handling, abbreviated as FSM.
Forwarding Server
The AAA server that receives an Access-Request from a client and forwards
that request to another AAA server for authentication.
FSM
See Finite State Machine.
GTC (Generic Token Card)
Carries user-specific token cards for authentication. The main feature of
GTC is Digital Certificate/Token Card-based Authentication.
Hint
When a user requests access to a service of a specific configuration, a client
may provide this information in an Access-Request as a hint to the AAA
server. The server may reject the request based on the hints or supply the
service as specified by the hints, by the server’s configuration, or by a
combination of the hints and the server’s configuration.
IETF
See Internet Engineering Task Force.
Integrated Services Digital Network
A digital internet access line using copper phone lines.
Interlink
Used to connect multiple AAA servers in a fabric with SLAs and to establish
policies among them.
Internet Engineering Task Force
Internet standards setting organization.
Internet Protocol
A Layer 3 (network layer) protocol that contains addressing information and
some control information that allows packets to be routed, abbreviated as
IP.
Internet Research Task Force
A group associated with IETF focusing on research rather than standards.
Internet Service Provider
Communications service company that provides Internet access and
services to its customers. ISPs range in size from small independents
serving a local calling area to large, established telecommunications
companies, abbreviated as ISP.
IP
See Internet Protocol.
IRTF
See Internet Research Task Force.
ISP
Internet service provider.
ISDN
See Integrated Services Digital Network.
LAS
See Local Authorization Server.
LDAP
See Lightweight Directory Access Protocol.
Lightweight Directory Access Protocol
Used for directories providing naming, location, management, security, and
other services for Internet networking, abbreviated as LDAP.
Lightweight Extensible Authentication Protocol
Supports and manages the dynamic Wired Equivalent Privacy (WEP) key
exchange between Cisco Aironet 802.11x wireless LAN clients and access
points, abbreviated as LEAP.
LEAP
See Lightweight Extensible Authentication Protocol.
Local Authorization Server
A local authorization server is the HP-UX SERVER code that authorizes,
accounts for, and bills users based on realms, abbreviated as LAS.
Microsoft Challenge-Handshake Authentication Protocol (MS-CHAP)
An implementation of the CHAP protocol that Microsoft created to
authenticate remote Windows workstations. In most respects, MS-CHAP is
identical to CHAP, but there are a few differences. MS-CHAP is based on the
encryption and hashing algorithms used by Windows networks, and the
MS-CHAP response to a challenge is in a format optimized for compatibility
with Windows operating systems.
NAS
See Network Access Server.
Navigation Tree
Refers to the navigation links on the left side of the Server Manager GUI.
Network Access Server
A device that interfaces telephony circuits to the network, abbreviated as
NAS.
PAP
See Password Authentication Protocol.
Password Authentication Protocol
A simple password protocol that transmits a user name and password
across the network, unencrypted, abbreviated as PAP.
PEAP (Protected EAP)
Functionally very similar to TTLS, but does not encapsulate legacy
authentication methods. PEAP features include: Dynamic Key Exchange;
Mutual Authentication; and, Encrypted Tunnelling.
Point-to-Point Protocol
The standard protocol for dial-up networking. The family of standards
covers many aspects including authentication, encryption, compression,
addressing, multi-protocols, etc., abbreviated as PPP.
Policy
A very broadly used term. To the AAA server, it means the conditionally
applicable set of attribute-value pairs that an AAA protocol, such as
RADIUS, may support. HP-UX SERVER policies are simple or complex
decisions that control the authentication, authorization, and accounting
process for a user's access request.
PPP
See Point-to-Point Protocol.
Protocol
A set of rules established between two devices to allow communications to
occur.
Proxy
The mechanism that allows one system to mediate between two other
systems in response to protocol requests. A RADIUS server can act as a
proxy client and forward an Access-Request to another AAA server for
authentication. As a proxy client, the server mediates the requests and
replies between the client from which the Access-Request originated and
the server to which the request was forwarded.
RADIUS
See Remote Access Dial In User Service.
RADIUS Client
A NAS or other device that sends requests to an AAA server.
RAS
See Remote Access Server.
Realm
A realm is a logical group of users, who usually can be authenticated using
one particular method. Grouping users into realms simplifies the
management of those users in a distributed environment. For example, an
ISP’s users may be from different organizations located in different cities.
Each organization already has one way or another to authenticate its users
and each corresponds to a realm. Each realm would be responsible for
managing its users, providing authentication and authorization for their
access requests.
A realm has a name that looks very much like a domain name, but they bear
different meanings. Realms are only used by the AAA Server to determine
where an authentication request should be sent and what kind of
authentication to request, etc. Naming a realm with its domain name
simplifies things for the users, since their access ids will then look the same
as their e-mail addresses. A realm may also have multiple aliases, providing
a way to shorten long realm names.
Remote Access Dial In User Service
An authentication and accounting protocol defined by the IETF in a series of
RFCs, abbreviated as RADIUS.
Remote Access Server
A service that allows remote clients running Microsoft Windows or Windows
NT to dial in to a network, abbreviated as RAS.
Remote Server
In the context of a proxy Access-Request, the remote server is the AAA
server that receives the request from the forwarding server. The remote
server authenticates the request and sends a reply to the forwarding server.
Request For Comment
The basis for an IETF standard, abbreviated as RFC.
RFC
See Request For Comment.
SAT
See Simultaneous Access Token.
Server Manager
A Web-based graphical user interface which provides an interface between
an administrator and the AAA servers. In addition to creating, modifying,
and deleting entries in many of the server’s configuration files, an
administrator may start and stop the AAA server, access the server’s status
and system time, retrieve information from accounting and session logs, and
terminate sessions.
Service
The RADIUS client provides a service to the dial-in user, such as PPP or
Telnet.
Session
Each service provided by the client to a dial-in user constitutes a session,
with the beginning of the session defined as the point where service is first
provided and the end of the session defined as the point where service is
ended. A user may have multiple sessions in parallel or series if the
RADIUS client supports that feature.
Simple Network Management Protocol (SNMP)
Provides a mechanism for a centrally located management workstation to
monitor the activity of remote computers and network services.
Simultaneous Access Token
The concept of a token helps define and enforce policies in regard to modem
pool sharing among various participating institutions. A simultaneous
access token is required when a user accesses a non-priority modem. Tokens
are allocated to realms and are grouped into pools. The total number of
tokens a realm has is defined by the HP-UX Server so that the LAS may
control simultaneous use, abbreviated as SAT.
SLA
Service Level Agreement.
SLS
Service Level Specification.
Token
See Simultaneous Access Token.
Token Pool
A token pool contains a number of tokens belonging to some organization
and having a given name. These tokens may be shared among one or more
realms.
Tunneling
A secure connection between a client workstation and an intranet or other
network, that provides a VPN to a user. This connection may be a voluntary
tunnel initiated by the client or a compulsory tunnel initiated during
authentication by a server or other dedicated network equipment.
TLS (Transport Layer Security)
Uses TLS (also known as SSL) to authenticate the client using its digital
certificate. Note: some wireless supplicants require specific extensions to
support certificates for EAP. TLS features include: Dynamic Key Exchange;
Mutual Authentication; Digital Certificate/Token Card-based
Authentication; and, Encrypted Tunnelling.
TTLS (Tunnelled-Transport Layer Security)
Can carry additional EAP or legacy authentication methods like PAP and
CHAP. Integrates with the widest variety of password storage formats and
existing password-based authentication systems. Wireless supplicants are
available for a large number of clients. TTLS features include: Dynamic Key
Exchange; Mutual Authentication; Password-based Authentication; and,
Encrypted Tunnelling.
Users
Individuals whom the AAA server must authenticate and authorize before
they can access an organization’s service, such as Internet access through
an ISP.
VPN
See Virtual Private Network.
Virtual Private Network
A network service offered by public carriers in which the user is provided a
network that in many ways appears as if it is a private network
(user-unique addressing, network management capabilities, dynamic
reconfiguration, etc.) but which, in fact, is provided over the carrier's public
network facilities, abbreviated as VPN.
Index
Numerics
802.1x Advisor, 9
A
definition, 5
C
Challenge Handshake Authentication Protocol, 5
CHAP (Challenge Handshake Authentication Protocol), 5
check items, 37
configuration files, 12
D
db_srv (Oracle daemon), 29
E
EAP (Extensible Authentication Protocol), 5
EAP-GTC (Generic Token Card), 6
EAP-LEAP (Lightweight EAP), 6
EAP-MSCHAP (Microsoft Challenge Authentication Protocol), 6
EAP-PEAP (Protected EAP), 6
EAP-TTLS (Tunnelled TLS), 6
Extensible Authentication Protocol
definition, 5
F
G
GTC, 6
I
installing, 21
installing, procedure for, 21
installing, testing, 23
L
LEAP, 6
logfiles, 40
M
MD5, 6
MSCHAP, 6
P
PAP (Password Authentication Protocol), 5
PEAP, 6
plug-ins, 14
R
RADIUS sessions, 3
radpwtst, 29
realms, 33
RMI Objects, 22
S
Server Manager, 8
T
TLS, 6
TTLS, 6
U
user information, 32
user information, profiles, 32
user profiles, default users, 32
user profiles, modifying, 36
user profiles, name syntax, 37
user profiles, storing, 32
user sessions, 39
W
Wireless LAN, 9, 44
Wireless LAN, Authentication, 9
Wireless LAN, securing, 9, 44