HP-UX Mobile IPv4 A.03.01 Administrator's Guide

2TQFWEV1XGTXKGY
###5WRRQTV
Chapter 1
8
AAA Support
HP-UX Mobile IPv4 supports the use of AAA (Authentication, Authorization, and
Accounting) servers using the Diameter protocol to authenticate Mobile Nodes and
authorize access. In a Mobile IPv4 environment, remote nodes and users may visit other
networks and domains. Administrators in the networks being visited may want to use
AAA to restrict or grant access to local resources.
HP-UX Mobile IPv4 supports the following additional features when used with AAA
Diameter servers:
Dynamic Key Generation
Dynamic Home Address Allocation (optional)
Dynamic Home Agent Allocation (optional)
AAA Mobile Node Authentication
Mobile IPv4 AAA authentication is based on user authentication. A Mobile Node is
identified and configured on AAA servers as a user. A Mobile Node user is identified by a
Network Access Identifier (NAI), in the format user@realm. A realm is a logical group
of users, similar to a domain. There are different types of AAA user authentication.
Many of them are based on a shared secret: a security key or password that is specified
on both the AAA server and the Mobile Node.
The AAA server on which a Mobile Node is configured is known as its AAA Home
Agent server (AAAH). The Home Agent for the Mobile Nodes and the AAAH exchange
AAA messages.
When a AAA Mobile Node uses a Foreign Agent Care-of Address, the Foreign Agent
must also have a relationship configured with an AAA server. This AAA server is known
as the AAA Foreign Agent server (AAAF). One of the main functions of the AAAF is
to receive AAA requests from Foreign Agents and forward them to the appropriate
AAAH according to the Mobile Node user NAI.
In some topologies, a single AAA server may have relationships configured with multiple
Home or Foreign Agents and act as both an AAAH and an AAAF. However, in many
cases the AAAH and AAAF servers are different AAA servers because of administrative
boundaries or geographic requirements.
AAA Mobile Node Authentication with Foreign Agent Care-of Addresses
When a AAA Mobile Node uses Foreign Agent Care-of Addresses, HP-UX Mobile IPv4
uses the procedure listed below for the initial registration. This procedure is also shown
in Figure 1-6.
1. The Foreign Agent includes a challenge value in its Agent Advertisements.
2. The challenge value signals the Mobile Node that the Foreign Agent is requesting
some form of authentication. The Mobile Node calculates an authentication value
based on data in the Registration Request and the Mobile Node user’s AAA key or
password. The Mobile Node sends a Registration Request to the Foreign Agent with
extensions that carry the authentication value and the challenge value.
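Steps 1 and 2 modelled end to end, as an added example that is not part of this guide or of HP-UX Mobile IPv4: the Foreign Agent issues a random challenge and rejects any Registration Request that echoes an unknown or already used one, while the AAAH looks up the user's shared key by NAI and checks the authentication value. The class and function names, the use of HMAC-SHA256 as the authentication function, and the NAI, key and request bytes are assumptions of this model, not the wire format used by the product.

```python
import hashlib
import hmac
import secrets

class ForeignAgent:
    """Advertises fresh challenges and refuses to accept a challenge twice."""
    def __init__(self):
        self.outstanding = set()

    def advertise(self):
        # Step 1: a random challenge value is carried in the Agent Advertisement.
        challenge = secrets.token_bytes(16)
        self.outstanding.add(challenge)
        return challenge

    def accept(self, challenge):
        # A Registration Request must echo a challenge this FA issued and has not
        # yet consumed; an unknown or replayed challenge is rejected here.
        if challenge not in self.outstanding:
            return False
        self.outstanding.discard(challenge)
        return True

def mn_authenticator(key, nai, reg_request, challenge):
    # Step 2: the Mobile Node binds the request data and the challenge to its
    # AAA key. HMAC-SHA256 is an assumption of this model, not the wire format.
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for part in (nai.encode(), reg_request, challenge):
        mac.update(part)
    return mac.digest()

class AAAHome:
    """AAAH: maps each user's NAI to its shared key and checks the authenticator."""
    def __init__(self, users):
        self.users = users

    def authenticate(self, nai, reg_request, challenge, authenticator):
        key = self.users.get(nai)
        if key is None:
            return False
        expected = mn_authenticator(key, nai, reg_request, challenge)
        return hmac.compare_digest(expected, authenticator)

def register(fa, aaah, nai, key, reg_request, challenge):
    # One Registration Request: returns (challenge_fresh, user_authenticated).
    auth = mn_authenticator(key, nai, reg_request, challenge)
    if not fa.accept(challenge):
        return (False, False)
    return (True, aaah.authenticate(nai, reg_request, challenge, auth))
```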