XYGATE User Authentication Reference Manual
Appendix B: The UAACL File 
XYPRO Technology Corporation  277  Proprietary and Confidential 
Example 3 below denies members of the group TECH from logging on at the terminal 
$ZTN0.#PTRUD24. 
Example 3: How to control logon based on the user's Home Terminal 
UAGROUP Restricted-hometerminal 
 DESCRIPTION "Restricted users hometerminal" 
 FROM_USER $EVERYONE 
 TO_USER  TECH.* 
 PORT $ZTN0.#PTRUD24 +* 
 RESULT_DENIED 
 AUDIT_ACCESS_PASS ON 
 AUDIT_ACCESS_FAIL ON 
Example 4 below denies members of the group TECH from logging on from the IPV6 client 
fd1a:cb1d:4c31:f8e3:1:1:1:18. 
Example 4: How to control logon based on the user's IPV6 Address 
UAGROUP Restricted-IPv6address 
 DESCRIPTION "Restricted IPV6 Address" 
 FROM_USER $EVERYONE 
 TO_USER  TECH.* 
 PORT $* fd1a:cb1d:4c31:f8e3:1:1:1:18 
 RESULT_DENIED 
 AUDIT_ACCESS_PASS ON 
 AUDIT_ACCESS_FAIL ON 
How XUA Evaluates PORT Entries: 
Port checking is a three-step process: 
1.  If the hometerm is in the port list, then OK1. 
2.  If an IP address cannot be obtained for the hometerm, then OK2. 
3.  If an IP address can be obtained for the hometerm and that IP address is in the 
port list, then OK2. 
If both OK1 and OK2 are set, the check passes. 
Because port checking examines both the HOMETERM and the IP address, a port list 
needs some sort of IP address reference. The plus sign and asterisk ( +* ) mean any 
IP address. 
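The three-step evaluation above, modelled in Python as an added example (not XYPRO's code and not part of the manual). It assumes that PORT tokens beginning with "$" are terminal names matched case-insensitively with "*" wildcards and that every other token is an IP reference; the function names and the sample sessions are constructed.

```python
import ipaddress
from fnmatch import fnmatchcase

def split_port_list(port_value):
    """Split a PORT value into hometerm patterns and IP references.
    Assumption: tokens starting with "$" name terminals, all others are IP references."""
    tokens = port_value.split()
    terms = [t.upper() for t in tokens if t.startswith("$")]
    ip_refs = [t for t in tokens if not t.startswith("$")]
    return terms, ip_refs

def ip_in_list(ip_refs, addr):
    """True if addr matches an IP reference; "+*" means any IP address."""
    for ref in ip_refs:
        if ref == "+*":
            return True
        try:
            if ipaddress.ip_address(ref) == ipaddress.ip_address(addr):
                return True
        except ValueError:
            continue  # not a literal address; other reference forms are not modelled
    return False

def port_check(port_value, hometerm, ip=None):
    """Return True when the PORT check passes (OK1 and OK2).
    ip=None stands for "an IP address cannot be obtained for the hometerm"."""
    terms, ip_refs = split_port_list(port_value)
    ok1 = any(fnmatchcase(hometerm.upper(), p) for p in terms)  # step 1
    ok2 = ip is None or ip_in_list(ip_refs, ip)                 # steps 2 and 3
    return ok1 and ok2

EXAMPLE_3 = "$ZTN0.#PTRUD24 +*"                 # PORT value from Example 3
EXAMPLE_4 = "$* fd1a:cb1d:4c31:f8e3:1:1:1:18"   # PORT value from Example 4

if __name__ == "__main__":
    # Constructed sessions: (hometerm, client IP, or None when none can be obtained)
    sessions = [("$ZTN0.#PTRUD24", "192.0.2.10"),
                ("$ZTN0.#PTRUD99", "192.0.2.10"),
                ("$ZTN1.#PTABC01", "fd1a:cb1d:4c31:f8e3:1:1:1:18"),
                ("$ZTN1.#PTABC01", None)]
    for name, rule in (("Example 3", EXAMPLE_3), ("Example 4", EXAMPLE_4)):
        for term, ip in sessions:
            print(name, term, ip, "-> PORT matches:", port_check(rule, term, ip))
```

In this model a port list with no IP reference, such as `$ZTN0.#PTRUD24` alone, fails OK2 whenever an IP address is obtained, which is why the port list needs `+*` or an explicit address.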
How to Retrieve Remote IP Addresses: 
For XUA to receive the IP address when HP’s FTP is used, the PORTCONF file needs 
an entry that specifies the SERVICE program that starts the FTP object, as shown in 
the following example. 
Example: How to specify the SERVICE program in PORTCONF for FTP Logon 
21 $SYSTEM.XYGATEUA.SERVICE -xuaobject:$SYSTEM.ZTCPIP.FTPSERV 
When XYGATETR is used to log on to the system, an entry similar to the following 
is needed in the PROTCONF file. 










