HP-UX AAA Server A.06.00 Getting Started Guide
HP-UX 11.0, 11i v1
Manufacturing Part Number: T1428-90026
E0403
U.S.A.
© Copyright 2003 Hewlett-Packard Company.

Legal Notices
The information in this document is subject to change without notice. Hewlett-Packard makes no warranty of any kind with regard to this manual, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. Hewlett-Packard shall not be held liable for errors contained herein or direct, indirect, special, incidental or consequential damages in connection with the furnishing, performance, or use of this material.
Contents
About This Document
1. Introduction to AAA Server
RADIUS Overview (page 2)
RADIUS Topology (page 2)
Establishing a RADIUS Session (page 4)
Supported Authentication Methods
Commands, Utilities, & Daemons (page 33)
Testing the Installation (page 35)
3. Basic Configuration Tasks
Storing User Profiles
Storing User Profiles in the Default Users File
About This Document
This document provides an overview of the HP-UX AAA Server product and explains how to install it. The document also provides basic configuration steps for beginning tasks. The document printing date and part number indicate the document's current edition. The printing date and part number will change when a new edition is printed. Minor changes may be made at reprint without changing the printing date. The document part number will change when extensive changes are made.
• "About This Document" content was removed from Chapter 1 in the previous version of this guide, and now resides in the preface of this guide.
Publishing History
The following table shows the printing history of this document. The first entry in the table corresponds to this document, while previous releases are listed in descending order.
NOTE: Emphasizes or supplements parts of the text. You can disregard the information in a note and still complete a task.
IMPORTANT: Provides information that is essential to completing a task.
CAUTION: Describes an action that must be avoided or followed to prevent a loss of data.
Related Documents
In addition to this Getting Started Guide, HP released the following documents to support the HP-UX AAA Server A.06.
Please send comments to: netinfo_feedback@cup.hp.com Please include document title, manufacturing part number, and any comment, error found, or suggestion for improvement you have concerning this document. Also, please include what we did right so we can incorporate it into other documents.
1 Introduction to AAA Server This chapter contains an overview of product features and basic information about using the HP-UX AAA Server.
RADIUS Overview
The Remote Authentication Dial In User Service (RADIUS) protocol is widely used and implemented to manage access to network services. It defines a standard for information exchange between a Network Access Server (NAS) and an authentication, authorization, and accounting (AAA) server for performing authentication, authorization, and accounting operations.
Figure 1-1 Generic AAA Network Topology
[Figure: AAA servers AAA1.ISP.net (location: Ann Arbor), AAA2.ISP.net (location: Flint), AAA3.ISP. and AAA4.ISP.net (location: Detroit), each with a repository; users dial in to NAS1, NAS2, and NAS3 at user organizations A, B, and C; AAA servers and NASs exchange requests/replies; a forwarding server sends proxied Access-Requests to a remote server.]
Establishing a RADIUS Session
The handling of a user request is a series of message exchanges that attempts to provide the user with a network service by establishing a session for the user. This transaction can be described as a series of actions that exchange data packets containing information related to the request.
If all conditions are met, the server sends an Access-Accept packet to the client; otherwise, the server sends an Access-Reject. An Access-Accept data packet often includes authorization information that specifies which services the user can access, and other session information such as a timeout value that indicates when the user should be disconnected from the system.
... which can calculate the correct response. The NAS will then forward the challenge and the response in the Access-Request, which the AAA server will use to authenticate the user.
NOTE
• Microsoft Challenge-Handshake Authentication Protocol (MS-CHAP) is an implementation of the CHAP protocol that Microsoft created to authenticate remote Windows workstations. In most respects, MS-CHAP is identical to CHAP, but there are some differences.
Shared Secret
Encrypting the transmission of the User-Password in a request is accomplished with a shared secret. The shared secret is used to sign RADIUS data packets to ensure they come from a trusted source. The shared secret is also used to encrypt user passwords with certain authentication methods, such as PAP.
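The two uses of the shared secret described above, as an added example that is not part of the HP guide: hiding a PAP User-Password in an Access-Request and authenticating the server's reply, both as RFC 2865 specifies. The packet layout, the secret and the user table are constructed for the example; nothing is sent on the network.

```python
# Added example, not from the HP guide: RFC 2865 password hiding and Response
# Authenticator, the two jobs the RADIUS shared secret does. Constructed inputs only.
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: NUL-pad to 16-byte blocks; XOR block i with MD5(secret + prev),
    where prev is the Request Authenticator and then the previous hidden block."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += prev
    return out

def reveal_password(hidden, secret, request_auth):
    """Server side: undo hide_password and strip the NUL padding."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16")
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        out += bytes(c ^ b for c, b in zip(prev, block))
    return out.rstrip(b"\x00")

def attribute(attr_type, value):
    # One Type-Length-Value attribute; Length counts its own 2-byte header.
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def parse_attributes(data):
    """Walk the attribute list, rejecting bad lengths instead of looping forever."""
    attrs, pos = {}, 0
    while pos < len(data):
        if len(data) - pos < 2 or data[pos + 1] < 2 or pos + data[pos + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs[data[pos]] = data[pos + 2:pos + data[pos + 1]]
        pos += data[pos + 1]
    return attrs

def response_authenticator(code, identifier, attrs, request_auth, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def build_access_request(identifier, user, password, secret, request_auth):
    """NAS side. request_auth must be 16 unpredictable octets (os.urandom(16) in
    practice): it keys the password hiding and binds the reply to this request."""
    attrs = attribute(ATTR_USER_NAME, user) + attribute(
        ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth + attrs

def server_handle(packet, secret, users):
    """AAA server side: check PAP credentials against {user: password} and reply
    with an Access-Accept or Access-Reject authenticated by the shared secret."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    request_auth, attrs = packet[4:20], parse_attributes(packet[20:])
    ok = False
    if ATTR_USER_NAME in attrs and ATTR_USER_PASSWORD in attrs:
        try:
            given = reveal_password(attrs[ATTR_USER_PASSWORD], secret, request_auth)
            expected = users.get(attrs[ATTR_USER_NAME], b"")
            ok = bool(expected) and hmac.compare_digest(given, expected)
        except ValueError:
            ok = False
    reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    header = struct.pack("!BBH", reply_code, identifier, 20)
    return header + response_authenticator(reply_code, identifier, b"", request_auth, secret)

def client_verify_reply(reply, request, secret):
    """NAS side: accept the reply only if its Response Authenticator verifies."""
    code, identifier, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply) or length < 20 or identifier != request[1]:
        raise ValueError("reply does not match the outstanding request")
    expected = response_authenticator(code, identifier, reply[20:], request[4:20], secret)
    if not hmac.compare_digest(expected, reply[4:20]):
        raise ValueError("Response Authenticator mismatch: wrong secret or forged reply")
    return code
```

A client holding a different secret fails `client_verify_reply`, which is the check that lets a NAS tell a genuine Access-Accept from one injected by a host that does not know the secret.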
Product Structure
The HP-UX AAA Server, based on a client/server architecture, consists of three components which may be installed independently:
• HP-UX AAA Server daemon, libraries, and utilities
• The AAA Server Manager is a program that performs administration and configuration tasks from a client's browser for one or more AAA servers.
AAA Server Manager Program
The AAA Server Manager utilizes the HP-UX Tomcat-based Servlet Engine to provide a configuration interface between a web browser and one or more AAA servers. Server Manager is used for starting, stopping, configuring, and modifying the servers. In addition, the program can retrieve logged server sessions and accounting information for an administrator.
Figure 1-3 The Server Manager User Interface
Browser Requirements for Server Manager
You need one of the following Web browsers to access the Server Manager:
• Netscape® Navigator 4.76 (or higher)
• Microsoft® Internet Explorer 5.0.5 (or higher)
The browser preferences or Internet options should be set to always compare loaded pages to cached pages. HP recommends these versions because of known problems in earlier versions.
AAA Server Architecture
The HP-UX AAA Server Architecture consists of three primary components:
• Configuration files. By editing these flat text files, with either the Server Manager user interface or a text editor, you can provide the information necessary for the server to perform authentication, authorization, and accounting requests for your system.
Table 1-1 HP-UX AAA Server Configuration Files
• users: Information about user IDs, passwords, and check/deny/reply items.
• realm: The same information as the users file, but this user information is associated with a particular realm. These files are only necessary to perform File type authentication for a defined realm. Realms are recognized by the realm component of the user's Network Access Identifier, for example: user@realm.com.
• EAP.authfile: Used to configure EAP authentication for user profiles.
• db_srv.opt: The configuration script for the db_srv environment variables.
• engine.config: Called by aaa.conf, this file stores most of the AAA server properties.
You can find out more information about these files by referring to the HP-UX AAA Server Administration and Authentication Guide.
HP-UX AAA Server Features
General Features
• Compliant with RADIUS protocol RFC 2865 and 2866 standards
• Supports multiple vendor NASs with a single server (multi-vendor dictionary that includes Nortel®, Cisco®, Lucent®, and others)
• Configurable dictionary that allows the definition of new vendors and vendor-specific attributes and values
• Dictionary includes attributes from RFCs 2865, 2866, 2867, 2868, and 2869
• Vendor-specific attribute t
• Authentication of users defined in a /etc/passwd file
• Authentication using multiple sets of user definition and realm definition files (users and authfile files) keyed by network access server (NAS)
• Supports multiple user definition (realm) files keyed by realm (File type authentication)
• Authentication of users defined in an LDAP server (ProLDAP™ type authentication), including support of {clear} indicator for clear text passwords
• Authe
• Supports distributed accounting (proxy) by realms (RADIUS type authentication)
• Merit format accounting session record reading utility included (radrecord)
Admin and Debug Tools/Features
• Server Manager Graphical User Interface (GUI) for managing multiple AAA servers
• Support for Simple Network Management Protocol (SNMP)
• Generates server activity logfiles, compressed daily
• Optional debug levels for greater server log output to hel
2 Installation This chapter leads you through the steps to install the HP-UX AAA Server.
System Requirements
To install and use this software, the following system specifications are recommended:
• HP-UX 11.0 or 11i version 1 UNIX operating systems
• Disk space: Operational requirements depend on the amount of logging information to be maintained online. With a moderate dial-in load, 1.0 GB should suffice for approximately six months.
• CPU speed: This depends on the frequency of incoming requests. The transaction load affects what is required.
• Compaq/DEC
• Livingston/Lucent
• Shiva/Intel
• Telebit
• Unisphere
• US Robotics/3COM
LAN Access Device Compatibility
The HP-UX AAA Server supports LAN switches and wireless LAN access points that follow the IETF standard for EAP with MD5, as well as devices supporting the Cisco proprietary LEAP protocol.
Obtaining the HP-UX AAA Server Software
You can download the HP-UX AAA Server software at http://software.hp.com on the Internet and Security Solutions page.
Product Dependencies
The following figure shows the components you must install to use the HP-UX AAA Server:
Figure 2-1 HP-UX AAA Server Dependencies
[Figure: AAA Software, Tomcat Servlet v 1.0.00.01, Java2 RTE 1.4.0.x, an HTTP or HTTPS browser, and HP-UX 11.]
You must have the following two software dependencies installed on your system to use the HP-UX AAA Server:
• HP-UX SDK (product #T1456AA) containing Java2 RTE 1.4.0.x
• HP-UX Tomcat-based Servlet Engine v 1.0.00.01 (product # HPUXWST100001) or higher
You can get HP-UX SDK with Java2 RTE 1.4.0.x at: http://www.hp.com/products1/unix/java/index.html
You can get the HP-UX Tomcat-based Servlet Engine v 1.0.00.01 at: http://software.hp.
Installation and Start-Up Overview
The information in this section is to help you understand the sequence of the installation and start-up steps, and the relationship between the product dependencies and the HP-UX AAA Server software. The following steps are an overview of the installation and start-up procedure:
Step 1. Download and install the HP-UX AAA Server software from the Internet and Security Solutions page at http://software.hp.com
Installation and Start-Up Procedure
The following components are installed when you install the HP-UX AAA Server:
• AAA Server binaries, libraries, and utilities
• RMI objects that facilitate communication from the AAA server to Server Manager
• AAA server AATV module for authentication
Perform the following steps to install and start the HP-UX AAA server:
Step 1. Log in to your HP-UX 11.0 or 11i v1 system as root.
If the installation is not successful, an error message is displayed. The cause of the failure will appear at the end of the /var/adm/sw/swagent.log file.
Step 12. Uncomment the mapping of the invoker servlet to /servlet/* in /opt/hpws/tomcat/conf/web.xml:
Commented: invoker /servlet/* -->
Uncommented: invoker /servlet/*
Running Server Manager
The RMI objects must be started from the command line before HP-UX AAA Servers can be started, stopped, and configured through the Server Manager interface. Start the RMI objects to allow AAA Servers to communicate with the Server Manager. Start the Server Manager to allow the browser to connect to it.
Starting and Stopping the RMI Objects
Step 1. Log in and cd to the remote control directory (/opt/aaa/remotecontrol/).
Changing Server Manager User Name and Password
You can change the user name or password used to access the Server Manager graphic interface.
Step 1. Go to /opt/hpws/tomcat/conf/tomcat-users.xml
Step 2. Change the following values to configure different user names and passwords:
Step 3. Save tomcat-users.xml
Step 4. Restart Tomcat. Refer to "Starting and Stopping Server Manager" for more information.
Uninstalling the HP-UX AAA Server Software
Use the following steps to uninstall the HP-UX AAA Server:
Step 1. If the radiusd and db_srv servers are running, stop the servers. Use the following commands to determine if radiusd or db_srv processes are active:
$ ps -ef | grep radiusd
$ ps -ef | grep db_srv
You can stop radiusd by killing the radiusd process ID. You can stop db_srv servers with the /opt/aaa/bin/stop_db_srv.sh script.
Installation Defaults
The HP-UX AAA Server can be run as the root user; however, a non-root user is recommended. A user and group, both named aaa, will be created during installation. The HP-UX AAA Server can be run as a non-root user, using the default aaa user created during installation, or any other user who is part of the aaa group.
IMPORTANT: Do not remove the default login aaa and group aaa created during installation, even if you prefer not to use them.
Table 2-1 File Locations Upon Installation (Continued)
Directory /opt/aaa/examples/config: finite state machine, group policy example files:
• *.fsm: sample finite state machine (FSM) tables
• *.grp: sample decision files
Directory /opt/aaa/examples/oracle:
• create.sql: SQL script to create Oracle users table
• delete.sql: Sample SQL script to delete Oracle user records
• insert.
Directory /etc/opt/aaa: configuration files:
• aaa.config: runtime and tunneling configuration file
• authfile: realm to authentication-type mapping file
• clients: client to shared secret mapping file
• db_srv.opt: configuration script for db_srv environment variables
• dictionary: definition file required by radiusd
• las.conf: authorization and accounting configuration file
• log.
The following table lists the files generated during operation and located in /var/opt/aaa/ by default:
Table 2-2 Files Generated During Operation
• /acct/session.yyyy-mm-dd.log: default session accounting logs, Merit style
• /data/session.las: session log file listing currently active sessions
• /ipc/*.sm: shared memory files related to the interface used for some authentication types.
IMPORTANT: You must not alter or delete the shared memory (*.sm) files.
Commands, Utilities, & Daemons
Table 2-3 Commands, Utilities, & Daemons
• db_srv: The db_srv daemon performs Oracle database access operations for authentication on behalf of one or more remote HP-UX AAA Servers.
• radcheck: Sends RADIUS status and protocol requests to an AAA server and displays the replies. Receiving the reply confirms that the HP-UX AAA Server is operational.
• stop_db_srv.sh: Script to stop the db_srv daemon and its child process(es).
• stopsession.sh: Script to manually stop an accounting session.
• las.test.sh: Script to create simulated sessions for testing.
Testing the Installation
To quickly test the server installation, you will use Server Manager to add a loopback connection to an AAA server, start the server, and then check its status for a response. Use the following steps to test the server installation:
Step 1. Follow the directions for "Running Server Manager" to start Server Manager after installing the HP-UX AAA Server software.
3 Basic Configuration Tasks This chapter explains a few basic configuration tasks. Refer to the HP-UX AAA Server Administration and Authentication Guide for complete information on configuring the HP-UX AAA Server.
Storing User Profiles
The user information that determines how an access request is authenticated and authorized is configured in a profile as a set of A-V pairs. These user profiles are grouped by realm and may be stored in flat text files or an external source such as an Oracle database or an LDAP server. Realms are recognized by the realm component of a user's Network Access Identifier.
CAUTION: Save Configuration will save the entire server configuration (access devices, proxies, local realms, users, and server properties) to the servers you specify.
Storing Wireless User Profiles Locally
If you want to authenticate users with EAP, you will need to identify the wireless access point (WAP), the users' realms, and the user profiles. For more information about EAP, refer to the HP-UX AAA Server Administration and Authentication Guide.
Step 12. Complete any of the remaining optional fields as necessary for your configuration.
Step 13. Select the Create button.
Step 14. Repeat steps 8 to 13 for each user profile that you need to configure.
Step 15. For each realm using EAP, you must associate the realm name with the type of EAP to perform. Select the Local Realms link.
Step 16. Select the New local realm link from the Local Realms screen. The Local Realm Attributes screen appears.
Grouping Users by Realm
While the HP-UX AAA Server can authenticate an individual user, you may want to authenticate and provision a group of users according to a common criterion, like an authentication type. One method of grouping users is according to the realm that they belong to. A realm is derived from a user's Network Access Identifier, for example: name@sample.com where sample.com is the realm.
Step 12. You may enter values in the remaining fields to control the user's session. These fields are optional and correspond to RADIUS A-V pairs that are explained in more detail in the "A-V Pairs" chapter of the HP-UX AAA Server Administration and Authentication Guide.
Step 13. Select the Create button in the User Attributes screen.
Step 14. Repeat steps 9 to 13 for each user profile you wish to add to the realm.
Adding and Modifying Users
User profiles associate information with a user name for authentication and authorization. This information is defined by attribute-value pairs. The server configuration must include profiles for all the users that can access services through the AAA server. If a user profile is not included in the configuration, the server will reject the user's access request. Profiles may be stored in flat text files or an external source.
User Name: Value to compare to the User-Name attribute value in the request. It must be less than 64 characters. The characters &, ", ~, \, /, %, $, ', and space may not be used. The remaining fields and tabs in the Define Users screen allow you to specify three types of user profile attributes: configuration items, check items, and reply items.
Figure 3-2 Server Manager's Free User Attributes Screen
To add attributes to the list boxes, follow the Attribute = Value syntax. A-V pairs may be listed one per line. When adding a new user profile, you select the Create button to submit it to the AAA Server Manager. When modifying an existing profile, you select the Modify button to submit changes to the user profile.
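As an added example that is not part of the HP guide, the following Python applies the User Name constraints listed above and parses free-attribute text written in the Attribute = Value, one-per-line form, reporting the offending line rather than silently accepting it. The attribute names in the sample input are constructed for the example.

```python
# Added example, not from the HP guide: input checks mirroring the Define Users
# screen rules (user name under 64 characters, a forbidden character set) and a
# parser for "Attribute = Value" lines. Sample values below are constructed.
FORBIDDEN = set('&"~\\/%$\' ')   # the characters the guide says may not be used

def validate_user_name(name):
    """Return a list of problems; an empty list means the name is acceptable."""
    problems = []
    if not name:
        problems.append("user name is empty")
    if len(name) >= 64:
        problems.append("user name must be less than 64 characters")
    bad = sorted(set(name) & FORBIDDEN)
    if bad:
        problems.append("forbidden characters: " + ", ".join(repr(c) for c in bad))
    return problems

def parse_av_pairs(text):
    """Parse one A-V pair per line into (attribute, value) tuples.

    Blank lines are skipped; a line without '=' or with an empty side raises
    ValueError naming the line, so a typo cannot turn into a silently dropped
    check item or reply item. Only the first '=' separates attribute from value.
    """
    pairs = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected Attribute = Value, got {line!r}")
        attr, value = (part.strip() for part in line.split("=", 1))
        if not attr or not value:
            raise ValueError(f"line {lineno}: empty attribute or value")
        pairs.append((attr, value))
    return pairs

# Constructed sample: what an administrator might type into the free-attribute box.
SAMPLE = "Framed-Protocol = PPP\n\n  Session-Timeout = 3600 \nFilter-Id = acl=dialin\n"
```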
Session Logging and Monitoring
You can view the log files that record the details of each AAA transaction or the session logs that record information about each user's session. You can also access information for active sessions and manually terminate a session if necessary. These functions can be accessed by selecting the Maintenance menu items from the Server Manager Navigation Tree.
Step 3. Select the Display button. The AAA server manager will display a list of active sessions.
Step 4. Select a session. The AAA server manager will display the attributes for the selected session.
Step 5. Select the OK button when you are done reading the session.
Stopping a Session
This procedure is intended for sessions that were terminated on the access device but are maintained as active by the AAA server.
Viewing Server Logfiles
The log file of the AAA server contains all the information concerning the functioning of the server, such as start/stop of the server, all of the RADIUS requests, and some internal events. The data is automatically stored each day in a different file. The data remains available as long as the corresponding files are still on the disk.
• /var/opt/aaa/logs/logfile: the server log file
• /var/opt/aaa/logs/logfile.
Search Parameters
You can filter what dates and times to retrieve from the logfile.
Table 3-1 Filter Parameters for Searching Logfiles
• Begin (server time): The date and time of the session to begin retrieving data from.
• End (server time): The date and time of the last session to retrieve data from.
• User: Limits the result of the search command to messages related to a specific user.
Viewing Server Statistics
Selecting the Statistics link from Server Manager's Navigation Tree allows you to retrieve a count of events that occurred on the AAA server within a time range. The statistics are displayed using a bar graph.
Figure 3-5 Server Manager's Statistics Screen
Table 3-2 Statistic Search Parameters
• Begin (server time): The date and time of the session to begin retrieving data from.
4 Glossary of Terms
AAA
Abbreviation for Authentication, Authorization, and Accounting.
AAA Server
A software application that performs authentication, authorization, and accounting functions.
Accounting
Logging session and usage information for session control and billing purposes.
Access-Accept
The AAA server returns an Access-Accept to the client when an Access-Request is valid.
Administrator
Special user, known by the system on which the AAA server is running, who is able to configure and manage the AAA server.
Application Service Provider
Third-party entities that manage and distribute software-based services and solutions to customers across a wide area network from a central data center, abbreviated as ASP.
ASP
Application Service Provider.
Attribute-Value Pair
The RADIUS protocol defines things in terms of attributes.
... sent back to the server. The server does the same with its copy of the password and verifies that it gets the same result to authenticate the user, abbreviated as CHAP.
CHAP
See Challenge Handshake Authentication Protocol.
Client
NAS, proxy server, or other networking device that uses the AAA server services to authenticate and authorize users.
... The AAA server that receives an Access-Request from a client and forwards that request to another AAA server for authentication.
FSM
See Finite State Machine.
Hint
When a user requests access to a service of a specific configuration, a client may provide this information in an Access-Request as a hint to the AAA server.
... Communications service company that provides Internet access and services to its customers. ISPs range in size from small independents serving a local calling area to large, established telecommunications companies, abbreviated as ISP.
IP
See Internet Protocol.
IRTF
See Internet Research Task Force.
ISP
Internet service provider.
ISDN
See Integrated Services Digital Network.
LAS
See Local Authorization Server.
LDAP
See Lightweight Directory Access Protocol.
Microsoft Challenge-Handshake Authentication Protocol (MS-CHAP)
An implementation of the CHAP protocol that Microsoft created to authenticate remote Windows workstations. In most respects, MS-CHAP is identical to CHAP, but there are a few differences. MS-CHAP is based on the encryption and hashing algorithms used by Windows networks, and the MS-CHAP response to a challenge is in a format optimized for compatibility with Windows operating systems.
NAS
See Network Access Server.
... decisions that control the authentication, authorization, and accounting process for a user's access request.
PPP
See Point-to-Point Protocol.
Protocol
A set of rules established between two devices to allow communications to occur.
Proxy
The mechanism that allows one system to mediate between two other systems in response to protocol requests. A RADIUS server can act as a proxy client and forward an Access-Request to another AAA server for authentication.
... requests. A realm has a name that looks very much like a domain name, but they bear different meanings. Realms are only used by the AAA Server to determine where an authentication request should be sent and what kind of authentication to request, etc. Naming a realm with its domain name simplifies things for the users, since their access IDs will then look the same as their e-mail addresses. A realm may also have multiple aliases, providing a way to shorten long realm names.
... access the server's status and system time, retrieve information from accounting and session logs, and terminate sessions.
Service
The RADIUS client provides a service to the dial-in user, such as PPP or Telnet.
Session
Each service provided by the client to a dial-in user constitutes a session, with the beginning of the session defined as the point where service is first provided and the end of the session defined as the point where service is ended. A user may have multiple sessions in parallel or series if the RADIUS client supports that feature.
... initiated by the client, or a compulsory tunnel initiated during authentication by a server or other dedicated network equipment.
Users
Individuals whom the AAA server must authenticate and authorize before they can access an organization's service, such as Internet access through an ISP.
VPN
See Virtual Private Network.