ii Legal Notices The information in this document is subject to change without notice. Hewlett-Packard makes no warranty of any kind with regard to this manual, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. Hewlett-Packard shall not be ...
Contents iii About This Document 1. Introduction to AAA Server RADIUS Overview ... 2 RADIUS Topology ... ...
Contents iv Storing User Profiles in the Default Users File ... 32 Grouping Users by Realm ... 33 Adding and Modifying Users ... ...
v About This Document This document provides an overview of the HP-UX AAA Server and explains how to install and start the product. The document also provides steps to basic configuration tasks for beginning users. Refer to the HP-UX AAA Server Administrator’s Guide for complete HP-UX AAA Server docume...
vi Publishing History The following table shows the printing history of this document. The first entry in the table corresponds to this document, while previous releases are listed in descending order. What’s in This Document • Chapter 1, Introduction to AAA Server, contains an overview of product fe...
vii NOTE Emphasizes or supplements parts of the text. You can disregard the information in a note and still complete a task. IMPORTANT Notes that provide information that is essential to completing a task. CAUTION Describes an action that must be avoided or followed to prevent a loss of data. Relate...
Chapter 1 1 1 Introduction to AAA Server This chapter contains an overview of product features and basic information about using the HP-UX AAA Server.
Introduction to AAA Server RADIUS Overview Chapter 1 2 RADIUS Overview The Remote Authentication Dial In User Service (RADIUS) protocol is widely used and implemented to manage access to network services. It defines a standard for information exchange between a Network Access Server (NAS) and an authe...
Introduction to AAA Server RADIUS Overview Chapter 1 3 Figure 1-1 Generic AAA Network Topology Establishing a RADIUS Session The handling of a user request is a series of message exchanges that attempts to provide the user with a network service by establishing a session for the user. This transaction ...
Introduction to AAA Server RADIUS Overview Chapter 1 5 Accounting-Request—triggered by the user, by the client, or an interruption in service—to stop the session. Again, the server will acknowledge the Accounting-Request with an Accounting-Response. Supported Authentication Methods The following list ...
Introduction to AAA Server RADIUS Overview Chapter 1 6 mechanisms. This flexibility also allows EAP to be implemented in a way (LEAP, for example) that is more suitable for wireless and mobile environments than other authentication protocols. EAP allows authentication to take place directly between th...
Introduction to AAA Server RADIUS Overview Chapter 1 7 defined way of extending RADIUS. Conflicts can occur when the RFC is not followed. In those cases, the server can map the attributes to unique internal values for processing. For a full description of RADIUS attribute-value pairs, see the Administ...
Introduction to AAA Server Product Structure Chapter 1 8 Product Structure The HP-UX AAA Server, based on a client/server architecture, consists of the following components which may be installed independently: • HP-UX AAA Server daemon, libraries, and utilities • The AAA Server Manager is the user i...
Introduction to AAA Server Product Structure Chapter 1 10 Accessing the Server Manager The Server Manager provides access to the AAA server management functions and configuration files. From a remote client workstation, administrators can access the AAA Server Manager interface through a Web browser. ...
Introduction to AAA Server Product Structure Chapter 1 11 Some advanced features of the HP-UX AAA Server cannot be configured through the Server Manager interface. For example, if you want to define session management parameters, policies, or vendor-specific attributes, you must manually edit the conf...
Introduction to AAA Server AAA Server Architecture Chapter 1 12 AAA Server Architecture The HP-UX AAA Server Architecture consists of three primary components: • Configuration files. By editing these flat text files, with either the Server Manager user interface or with a text editor, you can provide...
Introduction to AAA Server AAA Server Architecture Chapter 1 13 <realm name>.users The same information as the users file, but this user information is associated with a particular realm. These files are only necessary to perform File type authentication for a defined realm. Realms are recognized...
Introduction to AAA Server AAA Server Architecture Chapter 1 14 You can find out more information about these files by referring to the HP-UX AAA Server Administrator’s Guide. Each configuration file also contains comments with examples. AATV Plug-Ins Define actions to perform functions, such as au...
Introduction to AAA Server HP-UX AAA Server Features Chapter 1 15 HP-UX AAA Server Features General Features • Compliant with RADIUS protocol RFC 2865 and 2866 standards • Supports multiple vendor NASs with a single server (multi-vendor dictionary that includes Nortel®, Cisco®, Lucent®, and others) •...
Introduction to AAA Server HP-UX AAA Server Features Chapter 1 16 • Supports multiple user definition (realm) files keyed by realm (File type authentication) • Authentication of users defined in an LDAP server (ProLDAP™ type authentication), including support of {clear} indicator for clear text pas...
Introduction to AAA Server HP-UX AAA Server Features Chapter 1 17 • “Self-signed” AAA Server digital certificates created during installation allow for a secured TLS, TTLS, and PEAP environment without having to generate your own certificates • Generates server activity logfiles, compressed daily • Op...
Chapter 2 19 2 Installing and Starting the HP-UX AAA Server This chapter leads you through the steps to install and start the HP-UX AAA Server.
Installing and Starting the HP-UX AAA Server Getting the HP-UX AAA Server Software Chapter 2 20 Getting the HP-UX AAA Server Software You can get the most recent version of the HP-UX AAA Server software at the HP Software Depot: http://software.hp.com.
Installing and Starting the HP-UX AAA Server Installing the HP-UX AAA Server Chapter 2 21 Installing the HP-UX AAA Server IMPORTANT Be sure to review the HP-UX AAA Server Release Notes before installation. The Release Notes list the requirements for each release, including: installation, patch, and br...
Installing and Starting the HP-UX AAA Server Starting the HP-UX AAA Server Chapter 2 22 Starting the HP-UX AAA Server NOTE Refer to the Securing the HP-UX AAA Server section in the HP-UX AAA Server Administrator’s Guide for information on securing your HP-UX AAA Server. Use the following steps to st...
Installing and Starting the HP-UX AAA Server Testing the Installation Chapter 2 23 Testing the Installation To quickly test the server installation, you will use Server Manager to add a loopback connection to an AAA server, start the server, and then check its status for a response. Use the following s...
Installing and Starting the HP-UX AAA Server Testing the Installation Chapter 2 24 Step 10. Verify your HP-UX AAA Server is installed and operating correctly by using the testing user (named test_user) created during installation. After test_user is authenticated and the AAA server sends an Access-Ac...
Installing and Starting the HP-UX AAA Server Installation Defaults Chapter 2 25 Installation Defaults The HP-UX AAA Server can be run as the root user; however, running it as a non-root user is recommended. A user and group, both named aaa, will be created during installation. The HP-UX AAA Server can be run as non-roo...
Installing and Starting the HP-UX AAA Server Installation Defaults Chapter 2 27 /etc/opt/aaa Configuration files: • aaa.config: runtime and tunneling configuration file • authfile: realm to authentication-type mapping file • clients: client to shared secret mapping file • db_srv.opt: configurati...
Installing and Starting the HP-UX AAA Server Installation Defaults Chapter 2 28 The following table lists the files generated during operation and located in /var/opt/aaa/ by default: Table 2-2 Files Generated During Operation Directory File /acct/session.yyyy-mm-dd.log Default session accounting lo...
Installing and Starting the HP-UX AAA Server Uninstalling the HP-UX AAA Server Software Chapter 2 30 Uninstalling the HP-UX AAA Server Software Use the following steps to uninstall the HP-UX AAA Server: Step 1. Select Administration in the Navigation Tree. Verify the AAA server you want to stop is se...
Chapter 3 31 3 Basic Configuration Tasks This chapter explains a few basic configuration tasks. Refer to the HP-UX AAA Server Administrator’s Guide for complete information on configuring the HP-UX AAA Server.
Basic Configuration Tasks Storing User Profiles Chapter 3 32 Storing User Profiles The user information that determines how an access request is authenticated and authorized is configured in a profile as a set of A-V pairs. These user profiles are grouped by realm and may be stored in flat text files ...
Basic Configuration Tasks Storing User Profiles Chapter 3 33 the method you choose is compatible with the client password hashing method. The following table lists the supported client password hashing methods and the storage hash you should use for each method: Step 9. You may enter values in the re...
Basic Configuration Tasks Storing User Profiles Chapter 3 34 Step 3. In the Name field, enter the realm name. Step 4. Select Authentication from the Realm Type drop-down list. Step 5. Select Users File in the User Profile Storage drop-down list. Step 6. Select the Users Profile Grouped by Realm butt...
Basic Configuration Tasks Adding and Modifying Users Chapter 3 36 Adding and Modifying Users User profiles associate information with a user name for authentication and authorization. This information is defined by attribute-value pairs. The server configuration must include profiles for all the users...
Basic Configuration Tasks Adding and Modifying Users Chapter 3 37 User Name: Value to compare to the User-Name attribute value in the request. It must be less than 64 characters. &, “, ~, \, /, %, $, ‘, and space characters may not be used. IMPORTANT You must enter the user’s fully-qualified name w...
Basic Configuration Tasks Session Logging and Monitoring Chapter 3 39 Session Logging and Monitoring You can view the log files that record the details of each AAA transaction or the session logs that record information about each user's session. You can also access information for active sessions and...
Basic Configuration Tasks Session Logging and Monitoring Chapter 3 40 Step 4. Select a session. The AAA server manager will display the attributes for the selected session. Step 5. Select the OK button when you are done reading the session. Stopping a Session This procedure is intended for sessions t...
Basic Configuration Tasks Session Logging and Monitoring Chapter 3 42 Search Parameters You can filter what dates and times to retrieve from the logfile. NOTE You can filter what data to retrieve according to the type of messages. For each message type, you indicate whether the message type should or...
Basic Configuration Tasks Session Logging and Monitoring Chapter 3 43 Viewing Server Statistics Selecting the Statistics link from Server Manager’s Navigation Tree allows you to retrieve a count of events that occurred on the AAA server within a time range. The statistics are displayed using a bar gr...
Basic Configuration Tasks Securing WLANs with the HP-UX AAA Server Chapter 3 44 Securing WLANs with the HP-UX AAA Server The HP-UX AAA Server provides a security framework to support EAP authentication mechanisms for WLAN users. The HP-UX AAA Server allows authentication of wireless users with password ...
Glossary of Terms Chapter 4 45 4 Glossary of Terms 802.1x Advisor The 802.1x Advisor is an HTML tutorial/help system in the Server Manager GUI that walks you through the tasks and Server Manager screens for securing WLANs with the HP-UX AAA Server. AAA Abbreviation for Authentication, Authorization, a...
Glossary of Terms Chapter 4 46 Administrator Special user, known by the system on which the AAA server is running and is able to configure and to manage the AAA server. Application Service Provider Third-party entities that manage and distribute software-based services and solutions to customers acros...
Glossary of Terms Chapter 4 47 Client NAS, proxy server, or other networking device that uses the AAA server services to authenticate and authorize users. Common Open Policy Service A query and response protocol that can be used to exchange policy information between a policy server (Policy Decision P...
Glossary of Terms Chapter 4 48 When a user requests access to a service of a specific configuration, a client may provide this information in an Access-Request as a hint to the AAA server. The server may reject the request based on the hints or supply the service as specified by the hints, by the serve...
Glossary of Terms Chapter 4 49 See Integrated Services Digital Network. LAS See Local Authorization Server. LDAP See Lightweight Directory Access Protocol. Lightweight Directory Access Protocol Used for directories providing naming, location, management, security, and other services for Internet n...
Glossary of Terms Chapter 4 50 See Password Authentication Protocol. Password Authentication Protocol A simple password protocol that transmits a user name and password across the network, unencrypted, abbreviated as PAP. PEAP (Protected EAP) Functionally very similar to TTLS, but does not encapsula...
Glossary of Terms Chapter 4 51 A NAS or other device that sends requests to an AAA server. RAS See Remote Access Server. Realm A realm is a logical group of users, who usually can be authenticated using one particular method. Grouping users into realms simplifies the management of those users in a di...
Glossary of Terms Chapter 4 52 See Simultaneous Access Token. Server Manager A Web-based graphical user interface which provides an interface between an administrator and the AAA servers. In addition to creating, modifying, and deleting entries in many of the server’s configuration files, an administr...
Glossary of Terms Chapter 4 53 A token pool contains a number of tokens belonging to some organization and having a given name. These tokens may be shared among one or more realms. Tunneling A secure connection between a client workstation and an intranet or other network, that provides a VPN to a user...
55 Index Numerics 802.1x Advisor, 9 A acquiring HP-UX AAA Server software, 20 C Challenge Handshake Authentication Protocol, 5 CHAP (Challenge Handshake Authentication Protocol), 5 check items, 37 configuration files, 12 D db_srv (Oracle daemon), 29 E EAP (Extensible Authentication Protocol) ...
Index 56 user sessions, 39 W Wireless LAN, 9, 44 Wireless LAN, Authentication, 9 Wireless LAN, securing, 9, 44