HP-UX AAA Server A.06.01 Getting Started Guide
HP-UX 11.0, 11i v1, 11i v2
Manufacturing Part Number: T1428-90058
E1004
U.S.A.
© Copyright 2001-2004 Hewlett-Packard Development Company, L.P.
Legal Notices
The information in this document is subject to change without notice. Hewlett-Packard makes no warranty of any kind with regard to this manual, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. Hewlett-Packard shall not be held liable for errors contained herein or direct, indirect, special, incidental or consequential damages in connection with the furnishing, performance, or use of this material.
Warranty.
Contents
About This Document
1. Introduction to AAA Server
   RADIUS Overview . . . 2
   RADIUS Topology . . . 2
   Establishing a RADIUS Session . . . 3
   Supported Authentication Methods . . .
   Storing User Profiles in the Default Users File . . .
   Grouping Users by Realm . . .
   Adding and Modifying Users . . .
   Session Logging and Monitoring . . .
   Viewing User Session . . .
About This Document
This document provides an overview of the HP-UX AAA Server and explains how to install and start the product. The document also provides steps for basic configuration tasks for beginning users. Refer to the HP-UX AAA Server Administrator’s Guide for complete HP-UX AAA Server documentation. The document printing date and part number indicate the document’s current edition. The printing date and part number will change when a new edition is printed.
Publishing History
The following table shows the printing history of this document. The first entry in the table corresponds to this document, while previous releases are listed in descending order.
Table 1 Getting Started Guide Printing History
Document Part Number | Document Release Date (month/year) | Product Version | HP-UX Release
T1428-90058 | 10/04 | A.06.01.x | HP-UX 11i v1, 11i v2
T1428-90049 | 01/04 | A.06.01.x | HP-UX 11.00, 11i v1, 11i v2
T1428-90043 | 10/03 | A.06.01.x | HP-UX 11.00, 11i v1
T1428-90026 | 04/03 | A.06.00.08 | HP-UX 11.
NOTE: Emphasizes or supplements parts of the text. You can disregard the information in a note and still complete a task.
IMPORTANT: Notes that provide information that is essential to completing a task.
CAUTION: Describes an action that must be avoided or followed to prevent a loss of data.
Related Documents
In addition to this Getting Started Guide, HP released the following documents to support the HP-UX AAA Server A.06.01.x:
• HP-UX AAA Server A.06.01 Administrator’s Guide
• HP-UX AAA Server A.06.
1 Introduction to AAA Server This chapter contains an overview of product features and basic information about using the HP-UX AAA Server.
RADIUS Overview
The Remote Authentication Dial In User Service (RADIUS) protocol is widely used and implemented to manage access to network services. It defines a standard for information exchange between a Network Access Server (NAS) and an authentication, authorization, and accounting (AAA) server for performing authentication, authorization, and accounting operations.
Figure 1-1 Generic AAA Network Topology
[Figure: users dial in to a NAS (NAS1, NAS2, NAS3) belonging to user organizations A, B, and C; AAA servers, each with a repository (AAA1.ISP.net in Ann Arbor, AAA2.ISP.net in Flint, AAA4.ISP.net in Detroit, AAA3.ISP.), exchange requests and replies with the NASs; a forwarding server sends proxied Access-Requests to a remote server.]
transaction between a RADIUS AAA server and a client (a NAS in this example). When the user’s workstation connects to the client, the client sends an Access-Request RADIUS data packet to the AAA server.
Accounting-Request—triggered by the user, by the client, or an interruption in service—to stop the session. Again, the server will acknowledge the Accounting-Request with an Accounting-Response.
mechanisms. This flexibility also allows EAP to be implemented in a way (LEAP, for example) that is more suitable for wireless and mobile environments than other authentication protocols. EAP allows authentication to take place directly between the user and server without the intervention by the access device that occurs with CHAP. The following is a list of the EAP supported authentication methods you can use with the HP-UX AAA Server A.06.
defined way of extending RADIUS. Conflicts can occur when the RFC is not followed. In those cases, the server can map the attributes to unique internal values for processing. For a full description of RADIUS attribute-value pairs, see the Administrator’s Guide.
Shared Secret
Encrypting the transmission of the User-Password in a request is accomplished by a shared secret.
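The Access-Request/Access-Accept and Accounting-Request/Accounting-Response exchange described in this overview, together with the shared-secret hiding of User-Password, as an added Python example. This is not code from this guide or from the HP-UX AAA Server; it implements the RFC 2865 and RFC 2866 wire format directly, with the NAS and the AAA server as in-process functions rather than UDP endpoints. The shared secret, the user list and the test_user password are constructed values.

```python
import hashlib
import hmac
import os
import struct

# Packet codes and attribute types from RFC 2865 and RFC 2866.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE = 1, 2, 3, 4, 5
USER_NAME, USER_PASSWORD, ACCT_STATUS_TYPE = 1, 2, 40
ACCT_START, ACCT_STOP = 1, 2


def password_xor(data, secret, request_auth, hiding):
    """RFC 2865 5.2 User-Password hiding and its inverse. Each 16-byte block is XORed with
    MD5(secret + previous *ciphertext* block); the first block uses MD5(secret + Request
    Authenticator). When hiding, the password is first NUL-padded to a 16-byte multiple."""
    if hiding:
        data = data + b"\x00" * (-len(data) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], key))
        prev = block if hiding else data[i:i + 16]  # chain on the ciphertext in both directions
        out += block
    return out if hiding else out.rstrip(b"\x00")


def encode_attrs(attrs):
    # Each attribute is Type(1) Length(1) Value; Length counts its two header bytes.
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = {}, 0
    while i < len(data):
        attrs[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return attrs


def header(code, ident, body):
    # Code(1) Identifier(1) Length(2); Length covers the 20-byte header plus attributes.
    return struct.pack("!BBH", code, ident, 20 + len(body))


def authenticator(code, ident, body, auth_in, secret):
    """MD5(Code + ID + Length + auth_in + Attributes + Secret). auth_in is the Request
    Authenticator for replies and 16 zero bytes for an Accounting-Request (RFC 2866)."""
    return hashlib.md5(header(code, ident, body) + auth_in + body + secret).digest()


def make_access_request(ident, username, password, secret):
    request_auth = os.urandom(16)  # must be unpredictable: it seeds the password hiding
    body = encode_attrs([(USER_NAME, username.encode()),
                         (USER_PASSWORD, password_xor(password.encode(), secret, request_auth, True))])
    return header(ACCESS_REQUEST, ident, body) + request_auth + body


def make_accounting_request(ident, username, status, secret):
    body = encode_attrs([(USER_NAME, username.encode()), (ACCT_STATUS_TYPE, struct.pack("!I", status))])
    auth = authenticator(ACCOUNTING_REQUEST, ident, body, b"\x00" * 16, secret)
    return header(ACCOUNTING_REQUEST, ident, body) + auth + body


def reply_is_authentic(reply, request, secret):
    """Client-side check that the reply was computed with the shared secret for this request."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    expected = authenticator(code, ident, reply[20:length], request[4:20], secret)
    return hmac.compare_digest(reply[4:20], expected)


def serve(packet, secret, users):
    """AAA server side: validate the request and return the reply packet (None = discard)."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    request_auth, body = packet[4:20], packet[20:length]
    attrs = decode_attrs(body)
    if code == ACCESS_REQUEST:
        username = attrs[USER_NAME].decode()
        password = password_xor(attrs[USER_PASSWORD], secret, request_auth, False)
        stored = users.get(username, "").encode()
        ok = username in users and hmac.compare_digest(password, stored)
        reply = ACCESS_ACCEPT if ok else ACCESS_REJECT
    elif code == ACCOUNTING_REQUEST:
        expected = authenticator(code, ident, body, b"\x00" * 16, secret)
        if not hmac.compare_digest(request_auth, expected):
            return None  # wrong secret or tampered packet: RFC 2866 says silently discard
        reply = ACCOUNTING_RESPONSE
    else:
        return None
    return header(reply, ident, b"") + authenticator(reply, ident, b"", request_auth, secret)


def run_session(username, password, secret, users):
    """Client view of one session: Access-Request, then Start and Stop accounting on Accept."""
    req = make_access_request(1, username, password, secret)
    reply = serve(req, secret, users)
    if not reply_is_authentic(reply, req, secret):
        raise ValueError("Access reply failed the Response Authenticator check")
    codes = [reply[0]]
    if reply[0] == ACCESS_ACCEPT:
        for ident, status in ((2, ACCT_START), (3, ACCT_STOP)):
            acct = make_accounting_request(ident, username, status, secret)
            resp = serve(acct, secret, users)
            if resp is None or not reply_is_authentic(resp, acct, secret):
                raise ValueError("Accounting reply missing or failed the authenticator check")
            codes.append(resp[0])
    return codes


# Constructed sample data: a shared secret as held in the clients file, and two user profiles.
SECRET = b"s3cret-shared-with-nas"
USERS = {"test_user": "pa55word", "user1@organization.com": "longer-than-sixteen-bytes!"}
```

run_session("test_user", "pa55word", SECRET, USERS) returns the reply codes [2, 5, 5] (Accept, then two Accounting-Responses); a wrong password returns [3]. Two points worth noting from the code: the password hiding is an MD5-keyed XOR, so its strength rests entirely on the secret and on the Request Authenticator being unpredictable, and the server never compares passwords or authenticators with ==, since a timing difference would leak information about the secret.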
Product Structure
The HP-UX AAA Server, based on a client/server architecture, consists of the following components, which may be installed independently:
• HP-UX AAA Server daemon, libraries, and utilities
• The AAA Server Manager, the user interface that performs administration and configuration tasks from a client’s browser for one or more AAA servers.
The 802.1x Advisor
The 802.1x Advisor is an HTML tutorial/help system in the Server Manager GUI that walks you through the tasks and Server Manager screens for securing WLANs with the HP-UX AAA Server. The 802.1x Advisor provides information only—it does not edit configuration files. Follow the 802.1x Advisor and use Server Manager to create and deploy basic AAA configurations for securing WLANs.
Accessing the Server Manager
The Server Manager provides access to the AAA server management functions and configuration files. From a remote client workstation, administrators can access the AAA Server Manager interface through a Web browser. An administrator can create an AAA configuration for authenticating users and implementing authorization policies.
Some advanced features of the HP-UX AAA Server cannot be configured through the Server Manager interface. For example, if you want to define session management parameters, policies, or vendor-specific attributes, you must manually edit the configuration files. Refer to the HP-UX AAA Server Administrator’s Guide for more information.
IMPORTANT: Refer to the HP-UX AAA Server Release Notes for the supported browsers for each version of the product.
AAA Server Architecture
The HP-UX AAA Server Architecture consists of three primary components:
• Configuration files. By editing these flat text files, with either the Server Manager user interface or with a text editor, you can provide the information necessary for the server to perform authentication, authorization, and accounting requests for configured users.
Table 1-1 HP-UX AAA Server Configuration Files (Continued)
File | Description
.users | The same information as the users file, but this user information is associated with a particular realm. These files are only necessary to perform File type authentication for a defined realm. Realms are recognized by the realm component of the user’s Network Access Identifier, for example: user@realm.com.
Table 1-1 HP-UX AAA Server Configuration Files (Continued)
File | Description
iaaaAgent.conf | Specifies how often the AAA server’s SNMP subagent will check to see if a master agent is active.
EAP.authfile | Used to configure EAP authentication for user profiles.
db_srv.opt | The configuration script for the db_srv environment variables.
engine.config | Called by aaa.config, this file stores most of the AAA server properties.
HP-UX AAA Server Features
General Features
• Compliant with RADIUS protocol RFC 2865 and 2866 standards
• Supports multiple vendor NASs with a single server (multi-vendor dictionary that includes Nortel®, Cisco®, Lucent®, and others)
• Configurable dictionary that allows the definition of new vendors and vendor-specific attributes and values
• Dictionary includes attributes from RFCs 2865, 2866, 2867, 2868, and 2869
• Vendor-specific attribute t
• Supports multiple user definition (realm) files keyed by realm (File type authentication)
• Authentication of users defined in an LDAP server (ProLDAP™ type authentication), including support of the {clear} indicator for clear text passwords
• Authentication of users defined in an ORACLE database
• UNIX bigcrypt() for users defined in a flat file or LDAP directory
• Load balancing and failover when authenticating users stored in an LDAP directory s
• “Self-signed” AAA Server digital certificates created during installation allow for a secured TLS, TTLS, and PEAP environment without having to generate your own certificates
• Generates server activity logfiles, compressed daily
• Optional debug levels for greater server log output to help debug problems
• Packaged with a RADIUS protocol client (radpwtst) for testing and debugging
• Packaged with a utility (radcheck) to check the status of serve
2 Installing and Starting the HP-UX AAA Server This chapter leads you through the steps to install and start the HP-UX AAA Server.
Getting the HP-UX AAA Server Software
You can get the most recent version of the HP-UX AAA Server software at the HP Software Depot: http://software.hp.com.
Installing the HP-UX AAA Server
IMPORTANT: Be sure to review the HP-UX AAA Server Release Notes before installation. The Release Notes list the requirements for each release, including installation, patch, and browser requirements. You can access the Release Notes online at: http://docs.hp.com/hpux/internet/index.
Starting the HP-UX AAA Server
NOTE: Refer to the Securing the HP-UX AAA Server section in the HP-UX AAA Server Administrator’s Guide for information on securing your HP-UX AAA Server.
Use the following steps to start the HP-UX AAA Server and the Server Manager graphical user interface:
Step 1. Enter the following command:
# export JAVA_HOME=/opt/java1.4
Step 2.
Testing the Installation
To quickly test the server installation, you will use Server Manager to add a loopback connection to an AAA server, start the server, and then check its status for a response. Use the following steps to test the server installation:
Step 1. Connect to Server Manager and start the AAA server. See “Starting the HP-UX AAA Server” on page 22.
Step 2.
Step 10. Verify your HP-UX AAA Server is installed and operating correctly by using the testing user (named test_user) created during installation. After test_user is authenticated and the AAA server sends an Access-Accept, the client sends an Accounting-Request to start the session.
Installation Defaults
The HP-UX AAA Server can be run as the root user; however, running it as a non-root user is recommended. A user and group, both named aaa, are created during installation. The HP-UX AAA Server can be run as a non-root user, using the default aaa user created during installation, or any other user who is part of the aaa group.
Table 2-1 File Locations Upon Installation (Continued)
Directory | File
/opt/aaa/examples/oracle |
  • create.sql: SQL script to create Oracle users table
  • delete.sql: Sample SQL script to delete Oracle user records
  • insert.sql: Sample SQL script to add Oracle user records
/opt/aaa/examples/proldap | ProLDAP schema and sample LDIF files
/opt/aaa/lib | — Note that shared library files have .so file extensions on HP-UX 11i v2.0 (B.11.
Table 2-1 File Locations Upon Installation (Continued)
Directory | File
/etc/opt/aaa | Configuration files:
  • aaa.config: runtime and tunneling configuration file
  • authfile: realm to authentication-type mapping file
  • clients: client to shared secret mapping file
  • db_srv.opt: configuration script for db_srv environment variables
  • dictionary: definition file required by radiusd
  • las.
The following table lists the files generated during operation and located in /var/opt/aaa/ by default:
Table 2-2 Files Generated During Operation
Directory/File | Description
/acct/session.yyyy-mm-dd.log | Default session accounting logs, Merit style
/data/session.las | Currently active sessions; session log file
/ipc/*.sm | Shared memory files related to the interface used for some authentication types.
Commands, Utilities, & Daemons
Table 2-3 Commands, Utilities, & Daemons
Command | Description
db_srv | The db_srv daemon performs Oracle database access operations for authentication on behalf of one or more remote HP-UX AAA Servers.
radcheck | Sends RADIUS status and protocol requests to an AAA server and displays the replies. Receiving the reply confirms that the HP-UX AAA Server is operational.
Uninstalling the HP-UX AAA Server Software
Use the following steps to uninstall the HP-UX AAA Server:
Step 1. Select Administration in the Navigation Tree. Verify the AAA server you want to stop is selected in the Server Status Frame. Click the Stop button to stop the server.
Step 2. From the command line, stop the RMI objects and Tomcat.
3 Basic Configuration Tasks This chapter explains a few basic configuration tasks. Refer to the HP-UX AAA Server Administrator’s Guide for complete information on configuring the HP-UX AAA Server.
Storing User Profiles
The user information that determines how an access request is authenticated and authorized is configured in a profile as a set of A-V pairs. These user profiles are grouped by realm and may be stored in flat text files or an external source such as an Oracle database or an LDAP server. Realms are recognized by the realm component of a user’s Network Access Identifier.
the method you choose is compatible with the client password hashing method. The following table lists the supported client password hashing methods and the storage hash you should use for each method:
Table 3-1 Password Hashing Compatibility
Client Password Hash | Storage Hash
PAP | Any
MSCHAP | NT Hash or Plain Text
MD5 | MD5 or Plain Text
GTC Static | Any
Step 9. You may enter values in the remaining fields to control the user’s session.
Step 3. In the Name field, enter the realm name.
Step 4. Select Authentication from the Realm Type drop-down list.
Step 5. Select Users File in the User Profile Storage drop-down list.
Step 6. Select the Users Profile Grouped by Realm button in the User Storage Parameters field. Identify a file to store the user information for the realm by entering a name in the File Name box. The AAA server adds a .users extension to the value you enter in the File Name box.
CAUTION: Save Configuration will save the entire server configuration (access devices, proxies, local realms, users, and server properties) to the servers you specify.
Adding and Modifying Users
User profiles associate information with a user name for authentication and authorization. This information is defined by attribute-value pairs. The server configuration must include profiles for all the users that can access services through the AAA server. If a user profile is not included in the configuration, the server will reject the user’s access request. Profiles may be stored in flat text files or an external source.
User Name: Value to compare to the User-Name attribute value in the request. It must be less than 64 characters. The characters &, ", ~, \, /, %, $, ', and space may not be used.
IMPORTANT: You must enter the user’s fully-qualified name when adding to the default users file (using the Users link in the Navigation Tree): for example, enter user1@organization.com instead of only entering user1.
Figure 3-2 Server Manager’s Free User Attributes Screen
To add attributes to the list boxes, follow the Attribute = Value syntax. A-V pairs may be listed one per line. When adding a new user profile, select the Create button to submit it to the AAA Server Manager. When modifying an existing profile, select the Modify button to submit changes to the user profile.
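The pieces this chapter describes for file-based profiles, realm selection from the Network Access Identifier, the .users file per realm with a fully qualified name required in the default users file, the User Name character rules, Attribute = Value pairs one per line, and the Table 3-1 storage-hash compatibility check, as an added Python example. It is not code from this guide or from the HP-UX AAA Server: the users-file layout (an unindented user name followed by indented A-V lines), the Password-Hash attribute used to record the storage hash, and the sample profiles are constructed, and it assumes realm files are keyed by the bare user name.

```python
import re

# Table 3-1: the storage hashes each client password method can be checked against.
# None means any storage hash is acceptable.
COMPATIBLE_STORAGE = {
    "PAP": None,
    "MSCHAP": {"NT", "PLAIN"},
    "MD5": {"MD5", "PLAIN"},
    "GTC-STATIC": None,
}
FORBIDDEN_CHARS = set('&"~\\/%$\' ')          # characters the User Name field rejects
SECRET_ATTRS = {"Password", "Password-Hash"}  # never echoed back in an Access-Accept


def valid_user_name(name):
    return 0 < len(name) < 64 and not (set(name) & FORBIDDEN_CHARS)


def split_nai(name):
    """'user1@organization.com' -> ('user1', 'organization.com'); no '@' means no realm."""
    user, sep, realm = name.rpartition("@")
    return (user, realm) if sep else (name, None)


def realm_file(realm):
    # Server Manager appends .users to the File Name given for a realm; the default file is 'users'.
    return "users" if realm is None else realm + ".users"


def parse_users_file(text):
    """Constructed layout: an unindented line names the user, the indented 'Attribute = Value'
    lines that follow are that user's A-V pairs; blank lines and '#' comments are ignored."""
    profiles, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if not raw[0].isspace():
            current = raw.strip()
            profiles[current] = {}
            continue
        m = re.fullmatch(r'\s*([\w-]+)\s*=\s*"?([^"]*?)"?\s*', raw)
        if m is None or current is None:
            raise ValueError("malformed A-V line: %r" % raw)
        profiles[current][m.group(1)] = m.group(2)
    return profiles


def lookup_profile(nai, realm_files):
    """A realm with its own .users file is keyed by the bare user name (assumption); anything
    else falls back to the default users file, which holds fully qualified names."""
    user, realm = split_nai(nai)
    if realm is not None and realm_file(realm) in realm_files:
        return realm_files[realm_file(realm)].get(user)
    return realm_files.get("users", {}).get(nai)


def authorize(nai, client_method, realm_files):
    """Decide Accept/Reject for a request; returns (decision, reply attributes or reason)."""
    if not valid_user_name(nai):
        return "Access-Reject", "invalid user name"
    profile = lookup_profile(nai, realm_files)
    if profile is None:
        return "Access-Reject", "no profile for " + nai   # no profile: the server rejects
    if client_method not in COMPATIBLE_STORAGE:
        return "Access-Reject", "unknown client method " + client_method
    allowed = COMPATIBLE_STORAGE[client_method]
    storage = profile.get("Password-Hash", "PLAIN")
    if allowed is not None and storage not in allowed:
        return "Access-Reject", "%s cannot be checked against a %s stored password" % (client_method, storage)
    return "Access-Accept", {k: v for k, v in profile.items() if k not in SECRET_ATTRS}


# Constructed sample files (the product's own users-file syntax may differ).
ORGANIZATION_USERS = """\
# organization.com.users
user1
    Password = "secret1"
    Password-Hash = NT
    Session-Timeout = 3600
    Framed-Protocol = PPP

user2
    Password = "ab12cd"
    Password-Hash = MD5
"""
DEFAULT_USERS = """\
guest@example.net
    Password = "guest"
    Session-Timeout = 600
"""
REALM_FILES = {
    "organization.com.users": parse_users_file(ORGANIZATION_USERS),
    "users": parse_users_file(DEFAULT_USERS),
}
```

authorize("user1@organization.com", "MSCHAP", REALM_FILES) accepts and returns only the session attributes; the same user2 profile stored with an MD5 hash is rejected for MSCHAP but accepted for PAP, which is exactly the mismatch Table 3-1 warns about: the server cannot verify an MSCHAP response from a stored MD5 digest.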
Session Logging and Monitoring
You can view the log files that record the details of each AAA transaction or the session logs that record information about each user's session. You can also access information for active sessions and manually terminate a session if necessary. These functions can be accessed by selecting the Maintenance menu items from the Server Manager Navigation Tree.
Step 4. Select a session. The AAA Server Manager will display the attributes for the selected session.
Step 5. Select the OK button when you are done reading the session.
Stopping a Session
This procedure is intended for sessions that were terminated on the access device but are maintained as active by the AAA server.
Step 1. Follow the “Viewing User Session” on page 39 procedure.
Step 2. Select the Stop button from the Session Attributes screen.
Figure 3-4 Server Manager’s Logfile Screen
Search Parameters
You can filter what dates and times to retrieve from the logfile.
Table 3-2 Filter Parameters for Searching Logfiles
Option | Description
Begin (server time) | The date and time of the session to begin retrieving data from.
End (server time) | The date and time of the last session to retrieve data from.
User | Limits the result of the search command to messages related to a specific user.
Viewing Server Statistics
Selecting the Statistics link from Server Manager’s Navigation Tree allows you to retrieve a count of events that occurred on the AAA server within a time range. The statistics are displayed using a bar graph.
Figure 3-5 Server Manager’s Statistics Screen
Table 3-3 Statistic Search Parameters
Option | Description
Begin (server time) | The date and time of the session to begin retrieving data from.
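The three operations this section describes over a session log, the Begin/End/User search of Table 3-2, the per-hour event counts behind the Statistics bar graph, and finding sessions that never received a Stop (the case the Stop button in “Stopping a Session” exists for), as an added Python example. It is not code from this guide or from the HP-UX AAA Server; the record layout (date, time, Acct-Status-Type, then Attribute=Value pairs) and the log lines are constructed, since the Merit-style format of session.yyyy-mm-dd.log is not reproduced in this guide.

```python
from collections import Counter
from datetime import datetime

# Constructed sample session records in a constructed layout.
SAMPLE_LOG = """\
2004-10-05 08:58:02 Start User-Name=user1@organization.com NAS-IP-Address=192.0.2.10 Acct-Session-Id=0001
2004-10-05 09:12:40 Start User-Name=user2@organization.com NAS-IP-Address=192.0.2.10 Acct-Session-Id=0002
2004-10-05 09:45:17 Stop User-Name=user1@organization.com NAS-IP-Address=192.0.2.10 Acct-Session-Id=0001
2004-10-05 10:03:55 Start User-Name=user1@organization.com NAS-IP-Address=192.0.2.11 Acct-Session-Id=0003
2004-10-05 10:30:00 Stop User-Name=user2@organization.com NAS-IP-Address=192.0.2.10 Acct-Session-Id=0002
"""


def parse_session_log(text):
    """One record per line: date, time, Acct-Status-Type (Start/Stop), then Attribute=Value pairs."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, status, *pairs = line.split()
        record = {"time": datetime.fromisoformat(date + " " + time), "status": status}
        for pair in pairs:
            attribute, value = pair.split("=", 1)
            record[attribute] = value
        records.append(record)
    return records


def _bound(value):
    # Begin/End may be given as 'YYYY-MM-DD HH:MM:SS' text, as typed into the search screen.
    return datetime.fromisoformat(value) if isinstance(value, str) else value


def search(records, begin=None, end=None, user=None):
    """Table 3-2 filters: Begin and End are inclusive server-time bounds, User matches User-Name."""
    begin, end = _bound(begin), _bound(end)
    return [r for r in records
            if (begin is None or r["time"] >= begin)
            and (end is None or r["time"] <= end)
            and (user is None or r.get("User-Name") == user)]


def statistics(records, begin=None, end=None):
    """Event counts per hour within the range: the data the Statistics bar graph plots."""
    hours = Counter(r["time"].strftime("%Y-%m-%d %H:00") for r in search(records, begin, end))
    return dict(sorted(hours.items()))


def active_sessions(records):
    """Sessions with a Start but no later Stop, keyed by Acct-Session-Id. A Stop that never
    arrived (lost packet, NAS reset) leaves the session active on the server; these are the
    entries an administrator would stop by hand."""
    open_sessions = {}
    for r in sorted(records, key=lambda rec: rec["time"]):
        session_id = r["Acct-Session-Id"]
        if r["status"] == "Start":
            open_sessions[session_id] = r
        elif r["status"] == "Stop":
            open_sessions.pop(session_id, None)
    return open_sessions
```

On the sample data, search(records, user="user1@organization.com") returns that user's three records, statistics(records) gives one event in the 08:00 hour and two in each of 09:00 and 10:00, and active_sessions(records) reports session 0003 as the only one still open.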
Securing WLANs with the HP-UX AAA Server
The HP-UX AAA Server provides a security framework to support EAP authentication mechanisms for WLAN users. The HP-UX AAA Server allows authentication of wireless users with password or non-password based mechanisms and supports dynamic key generation for data encryption between the access point and wireless stations.
IMPORTANT: To configure the HP-UX AAA Server to secure WLANs, refer to the 802.
4 Glossary of Terms
802.1x Advisor: The 802.1x Advisor is an HTML tutorial/help system in the Server Manager GUI that walks you through the tasks and Server Manager screens for securing WLANs with the HP-UX AAA Server.
AAA: Abbreviation for Authentication, Authorization, and Accounting.
AAA Server: A software application that performs authentication, authorization, and accounting functions.
Administrator: Special user, known by the system on which the AAA server is running, who is able to configure and to manage the AAA server.
Application Service Provider: Third-party entities that manage and distribute software-based services and solutions to customers across a wide area network from a central data center, abbreviated as ASP.
ASP: Application Service Provider.
Attribute-Value Pair: The RADIUS protocol defines things in terms of attributes.
Client: NAS, proxy server, or other networking device that uses the AAA server services to authenticate and authorize users.
Common Open Policy Service: A query and response protocol that can be used to exchange policy information between a policy server (Policy Decision Point or PDP) and its clients (Policy Enforcement Points or PEPs, such as a router), abbreviated as COPS.
COPS: See Common Open Policy Service.
When a user requests access to a service of a specific configuration, a client may provide this information in an Access-Request as a hint to the AAA server. The server may reject the request based on the hints or supply the service as specified by the hints, by the server’s configuration, or by a combination of the hints and the server’s configuration.
IETF: See Internet Engineering Task Force.
Integrated Services Digital Network: A digital internet access line using copper phone lines.
See Integrated Services Digital Network.
LAS: See Local Authorization Server.
LDAP: See Lightweight Directory Access Protocol.
Lightweight Directory Access Protocol: Used for directories providing naming, location, management, security, and other services for Internet networking, abbreviated as LDAP.
Lightweight Extensible Authentication Protocol: Supports and manages the dynamic Wired Equivalent Privacy (WEP) key exchange between Cisco Aironet 802.
See Password Authentication Protocol.
Password Authentication Protocol: A simple password protocol that transmits a user name and password across the network, unencrypted, abbreviated as PAP.
PEAP (Protected EAP): Functionally very similar to TTLS, but does not encapsulate legacy authentication methods. PEAP features include: Dynamic Key Exchange; Mutual Authentication; and Encrypted Tunnelling.
Point-to-Point Protocol: The standard protocol for dial-up networking.
A NAS or other device that sends requests to an AAA server.
RAS: See Remote Access Server.
Realm: A realm is a logical group of users who usually can be authenticated using one particular method. Grouping users into realms simplifies the management of those users in a distributed environment. For example, an ISP’s users may be from different organizations located in different cities. Each organization already has one way or another to authenticate its users, and each corresponds to a realm.
See Simultaneous Access Token.
Server Manager: A Web-based graphical user interface which provides an interface between an administrator and the AAA servers. In addition to creating, modifying, and deleting entries in many of the server’s configuration files, an administrator may start and stop the AAA server, access the server’s status and system time, retrieve information from accounting and session logs, and terminate sessions.
A token pool contains a number of tokens belonging to some organization and having a given name. These tokens may be shared among one or more realms.
Tunneling: A secure connection between a client workstation and an intranet or other network that provides a VPN to a user. This connection may be a voluntary tunnel initiated by the client or a compulsory tunnel initiated during authentication by a server or other dedicated network equipment.