HP-UX AAA Server A.06.01
Getting Started Guide
HP-UX 11.0, 11i v1, 11i v2
Manufacturing Part Number : T1428-90058
E1004
U.S.A.
© Copyright 2001-2004 Hewlett-Packard Development Company, L.P.
Legal Notices
The information in this document is subject to change without notice. Hewlett-Packard makes no warranty of any kind with regard to this manual, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. Hewlett-Packard shall not be held liable for errors contained herein or direct, indirect, special, incidental or consequential damages in connection with the furnishing, performance, or use of this material. Warranty. A copy of the s
Contents
About This Document
1. Introduction to AAA Server
   RADIUS Overview ........ 2
   RADIUS Topology ........ 2
   Establishing a RADIUS Session ........ 3
   Supported Authentication Methods ........
   Storing User Profiles in the Default Users File ........ 32
   Grouping Users by Realm ........ 33
   Adding and Modifying Users ........ 36
   Session Logging and Monitoring ........ 39
   Viewing User Session ........
About This Document
This document provides an overview of the HP-UX AAA Server and explains how to install and start the product. The document also provides steps for basic configuration tasks for beginning users. Refer to the HP-UX AAA Server Administrator’s Guide for complete HP-UX AAA Server documentation. The document printing date and part number indicate the document’s current edition. The printing date and part number will change when a new edition is printed. Minor changes may be made at r
Publishing History
The following table shows the printing history of this document. The first entry in the table corresponds to this document, while previous releases are listed in descending order.

Table 1 Getting Started Guide Printing History

  Document Part Number   Document Release Date (month/year)   Supports Software Version   Supported OS
  T1428-90058            10/04                                A.06.01.x                   HP-UX 11i v1, 11i v2
  T1428-90049            01/04                                A.06.01.x                   HP-UX 11.00, 11i v1, 11i v2
  T1428-90043            10/03                                A.06.01.x                   HP-UX 11.00, 11i v1
  T1428-9
NOTE Emphasizes or supplements parts of the text. You can disregard the information in a note and still complete a task.
IMPORTANT Notes that provide information that is essential to completing a task.
CAUTION Describes an action that must be avoided or followed to prevent a loss of data.
Related Documents
In addition to this Getting Started Guide, HP released the following documents to support the HP-UX AAA Server A.06.01.x:
• HP-UX AAA Server A.06.01 Administrator’s Guide
• HP-UX AAA Server A
1 Introduction to AAA Server
This chapter contains an overview of product features and basic information about using the HP-UX AAA Server.
RADIUS Overview
The Remote Authentication Dial In User Service (RADIUS) protocol is widely used and implemented to manage access to network services. It defines a standard for information exchange between a Network Access Server (NAS) and an authentication, authorization, and accounting (AAA) server for performing authentication, authorization, and accounting operations. A RADIUS AAA server can manage user profiles for authentication (verifying user name
Figure 1-1 Generic AAA Network Topology
[Figure: users A through F at organization locations dial in to NAS1 through NAS4; AAA servers (AAA1.ISP.net through AAA4.ISP.net, at Ann Arbor, Detroit, and Flint) exchange requests/replies with the NASs and consult user repositories; a forwarding server sends proxied Access-Requests to a remote server.]
transaction between a RADIUS AAA server and a client (a NAS in this example). When the user’s workstation connects to the client, the client sends an Access-Request RADIUS data packet to the AAA server.
Figure 1-2 Client-Server RADIUS Transaction
[Figure: message sequence between the User, the Client (NAS), and the AAA Server: User Connects; Access-Request; Access-Reject (User Disconnects) or Access-Accept; Accounting-Request (Start), Session Starts; Accounting-Response; Accounting-Request (Stop); Accounting-Respo]
Accounting-Request—triggered by the user, by the client, or by an interruption in service—to stop the session. Again, the server will acknowledge the Accounting-Request with an Accounting-Response.
Supported Authentication Methods
The following list describes the authentication methods the HP-UX AAA Server supports:
Password Authentication Protocol (PAP)
Not a strong authentication method to establish a connection; passwords are sent in clear text between
mechanisms. This flexibility also allows EAP to be implemented in a way (LEAP, for example) that is more suitable for wireless and mobile environments than other authentication protocols. EAP allows authentication to take place directly between the user and the server, without the intervention of the access device that occurs with CHAP. The following is a list of the EAP authentication methods you can use with the HP-UX AAA Server A.06.01:
• Transpo
defined way of extending RADIUS. Conflicts can occur when the RFC is not followed. In those cases, the server can map the attributes to unique internal values for processing. For a full description of RADIUS attribute-value pairs, see the Administrator’s Guide.
Shared Secret
Encrypting the transmission of the User-Password in a request is accomplished by a shared secret. The shared secret is used to sign RADIUS data packets to ensure they are coming from
Product Structure
The HP-UX AAA Server, based on a client/server architecture, consists of the following components, which may be installed independently:
• HP-UX AAA Server daemon, libraries, and utilities
• The AAA Server Manager, the user interface that performs administration and configuration tasks from a client’s browser for one or more AAA servers
• AAA Server module for Oracle authentication
• Documentation
The exchange of configuration inform
The 802.1x Advisor
The 802.1x Advisor is an HTML tutorial/help system in the Server Manager GUI that walks you through the tasks and Server Manager screens for securing WLANs with the HP-UX AAA Server. The 802.1x Advisor provides information only—it does not edit configuration files. Follow the 802.1x Advisor and use Server Manager to create and deploy basic AAA configurations for securing WLANs. Refer to the HP-UX AAA Server Administrator’s Guide for co
Accessing the Server Manager
The Server Manager provides access to the AAA server management functions and configuration files. From a remote client workstation, administrators can access the AAA Server Manager interface through a Web browser. An administrator can create an AAA configuration for authenticating users and implementing authorization policies. In addition to creating, modifying, and deleting entries in many of the server’s configuration files,
Some advanced features of the HP-UX AAA Server cannot be configured through the Server Manager interface. For example, if you want to define session management parameters, policies, or vendor-specific attributes, you must manually edit the configuration files. Refer to the HP-UX AAA Server Administrator’s Guide for more information.
IMPORTANT Refer to the HP-UX AAA Server Release Notes for the supported browsers for each version of the product.
NOTE The br
AAA Server Architecture
The HP-UX AAA Server architecture consists of three primary components:
• Configuration files. By editing these flat text files, with either the Server Manager user interface or a text editor, you provide the information the server needs to perform authentication, authorization, and accounting for configured users.
• AATV plug-ins perform discrete actions, such as initiating an authentication request,