HP-UX AAA Server A.06.00 Getting Started Guide
HP-UX 11.0, 11i v1
Manufacturing Part Number: T1428-90026
E0403
U.S.A.
© Copyright 2003 Hewlett-Packard Company.
Legal Notices
The information in this document is subject to change without notice. Hewlett-Packard makes no warranty of any kind with regard to this manual, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose.
Contents
About This Document
1. Introduction to AAA Server
RADIUS Overview 2
RADIUS Topology
Commands, Utilities, & Daemons 33
Testing the Installation
About This Document
This document provides an overview of the HP-UX AAA Server product and explains how to install it. The document also provides basic configuration steps for getting started. The document printing date and part number indicate the document's current edition.
• "About This Document" content was removed from Chapter 1 in the previous version of this guide and now resides in the preface of this guide.
NOTE Emphasizes or supplements parts of the text. You can disregard the information in a note and still complete a task.
IMPORTANT Notes that provide information essential to completing a task.
CAUTION Describes an action that must be avoided or followed to prevent a loss of data.
Please send comments to: netinfo_feedback@cup.hp.com Please include the document title, manufacturing part number, and any comment, error found, or suggestion for improvement you have concerning this document. Also, please include what we did right so we can incorporate it into other documents.
1 Introduction to AAA Server
This chapter contains an overview of product features and basic information about using the HP-UX AAA Server.
RADIUS Overview
The Remote Authentication Dial In User Service (RADIUS) protocol is widely used and implemented to manage access to network services.
Figure 1-1 Generic AAA Network Topology (figure labels: AAA4.ISP.net, location: Detroit; NAS1, NAS2, NAS3, NAS4; location: Ann Arbor; AAA1)
Establishing a RADIUS Session
The handling of a user request is a series of message exchanges that attempts to provide the user with a network service by establishing a session for the user.
If all conditions are met, the server sends an Access-Accept packet to the client; otherwise, the server sends an Access-Reject.
which can calculate the correct response. The NAS then forwards the challenge and the response in the Access-Request, which the AAA server uses to authenticate the user.
Shared Secret
The User-Password attribute in a request is hidden in transit using a shared secret known only to the client (the NAS) and the server. The same shared secret is also used to authenticate RADIUS packets so that the receiver can verify they came from a trusted source. Note that under RFC 2865 the hiding is an MD5-based construction rather than authenticated encryption, and an Access-Request itself carries no signature unless the Message-Authenticator attribute of RFC 2869 is used; it is the server's reply that is authenticated with the secret (the Response Authenticator). The secret should therefore be long, random, and unique to each client, and it never protects the packet beyond the NAS-to-server hop.
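The exchange described in this section (Access-Request with a hidden User-Password or a CHAP response, Access-Accept or Access-Reject authenticated with the shared secret), as an added example in Python that is not HP-UX AAA Server code. It follows the generic RFC 2865 / RFC 2869 constructions; the attribute numbers are the standard ones, and the shared secret, user name, password, and loopback NAS address are constructed values for the demonstration.

```python
"""RADIUS (RFC 2865) message handling, NAS side and server side:
User-Password hiding, CHAP checking, Response Authenticator verification.
Added example; not HP-UX AAA Server code."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, CHAP_PASSWORD, NAS_IP_ADDRESS, CHAP_CHALLENGE = 1, 2, 3, 4, 60


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to a 16-byte multiple, then XOR each block with
    MD5(secret || previous ciphertext block), seeded by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden, secret, request_auth):
    """Server-side inverse of hide_password (trailing NUL padding is stripped)."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def chap_response(chap_id, password, challenge):
    """RFC 1994 / RFC 2865 5.3: MD5(ID || password || challenge)."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()


def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    """Length-checked TLV walk; a bad length is rejected, never read past the buffer."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def response_authenticator(code, ident, body, request_auth, secret):
    """RFC 2865 3: MD5(Code || ID || Length || RequestAuth || Attributes || Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


def build_access_request(secret, username, password, ident=1):
    """NAS side, PAP: fresh random Request Authenticator, hidden User-Password."""
    ra = os.urandom(16)
    attrs = [(USER_NAME, username),
             (USER_PASSWORD, hide_password(password, secret, ra)),
             (NAS_IP_ADDRESS, bytes([127, 0, 0, 1]))]  # constructed loopback NAS
    return build_packet(ACCESS_REQUEST, ident, ra, attrs)


def build_chap_request(secret, username, password, chap_id=7, ident=2, challenge=None):
    """NAS side, CHAP: the password never leaves the NAS, only MD5(ID||pw||challenge).
    Without a CHAP-Challenge attribute the Request Authenticator is the challenge."""
    ra = os.urandom(16)
    attrs = [(USER_NAME, username),
             (CHAP_PASSWORD, bytes([chap_id]) + chap_response(chap_id, password, challenge or ra))]
    if challenge:
        attrs.append((CHAP_CHALLENGE, challenge))
    return build_packet(ACCESS_REQUEST, ident, ra, attrs)


def server_handle(request, secret, userdb):
    """Server side: recover or verify the credential, answer Accept or Reject."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or length != len(request) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    request_auth = request[4:20]
    attrs = dict(decode_attrs(request[20:]))
    expected = userdb.get(attrs.get(USER_NAME, b""))
    ok = False
    if expected is not None and USER_PASSWORD in attrs:
        got = reveal_password(attrs[USER_PASSWORD], secret, request_auth)
        ok = hmac.compare_digest(got, expected)  # mismatched secret -> garbage -> Reject
    elif expected is not None and CHAP_PASSWORD in attrs and len(attrs[CHAP_PASSWORD]) == 17:
        chap_id, resp = attrs[CHAP_PASSWORD][0], attrs[CHAP_PASSWORD][1:]
        challenge = attrs.get(CHAP_CHALLENGE, request_auth)
        ok = hmac.compare_digest(chap_response(chap_id, expected, challenge), resp)
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    auth = response_authenticator(code, ident, b"", request_auth, secret)
    return build_packet(code, ident, auth, [])


def verify_response(response, request, secret):
    """NAS side: the reply must echo our Identifier and carry a Response Authenticator
    computed over our Request Authenticator with our copy of the shared secret."""
    if len(response) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or ident != request[1]:
        return False
    expected = response_authenticator(code, ident, response[20:], request[4:20], secret)
    return hmac.compare_digest(expected, response[4:20])


if __name__ == "__main__":
    SECRET = b"example-shared-secret"  # constructed; must match the server's clients entry
    USERS = {b"alice": b"s3cret!"}     # constructed user profile
    req = build_access_request(SECRET, b"alice", b"s3cret!")
    resp = server_handle(req, SECRET, USERS)
    print("reply code", resp[0], "authentic:", verify_response(resp, req, SECRET))
```

Two failure modes worth trying against this code: a NAS configured with a different secret than the server's clients entry gets an Access-Reject (the server recovers garbage instead of the password), and that reply also fails verify_response on the NAS side, which is how a secret mismatch shows up in practice. The CHAP path never transmits the password, but it requires the server to hold the clear-text password to recompute the MD5, which is why CHAP users cannot be authenticated against hashed /etc/passwd entries.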
Product Structure
The HP-UX AAA Server, based on a client/server architecture, consists of three components which may be installed independently.
AAA Server Manager Program
The AAA Server Manager uses the HP-UX Tomcat-based Servlet Engine to provide a configuration interface between a web browser and one or more AAA servers. Server Manager is used for starting, stopping, configuring, and modifying the servers.
Figure 1-3 The Server Manager User Interface
Browser Requirements for Server Manager
You need one of the following Web browsers to access the Server Manager: • Netscape® Navigator 4.76 (or higher) • Microsoft® Internet Explorer 5.
AAA Server Architecture
The HP-UX AAA Server Architecture consists of three primary components: • Configuration files.
users Information about user IDs, passwords, and check/deny/reply items.
realm The same information as the users file, but this user information is associated with a particular realm.
You can find out more information about these files by referring to the HP-UX AAA Server Administration and Authentication Guide. Each configuration file also contains comments with examples.
HP-UX AAA Server Features
General Features • Compliant with the RADIUS protocol RFC 2865 and 2866 standards • Supports multiple ven.
• Authentication of users defined in an /etc/passwd file • Authentication using multiple sets of user definition and realm defi.
• Supports distributed accounting (proxy) by realms (RADIUS type authentication) • Merit format accounting session record reading.
2 Installation
This chapter leads you through the steps to install the HP-UX AAA Server.
System Requirements
To install and use this software, the following system specifications are recommended: • HP-UX 11.0 or 11i version 1 UNIX operating systems • Disk space: Operational requirements depend on the amount of logging information to be maintained online.
• Compaq/DEC • Livingston/Lucent • Shiva/Intel • Telebit • Unisphere • US Robotics/3COM
LAN Access Device Compatibility
The HP-UX AAA Server.
Obtaining the HP-UX AAA Server Software
You can download the HP-UX AAA Server software at http://software.
Product Dependencies
You must have the following two software dependencies installed on your system to use the HP-UX AAA Server: • HP-UX SDK (product #T1456AA) containing Java2 RTE 1.4.0.x • HP-UX Tomcat-based Servlet Engine v 1.
Installation and Start-Up Overview
The information in this section helps you understand the sequence of the installation and start-up steps, and the relationship between the product dependencies and the HP-UX AAA Server software.
Installation and Start-Up Procedure
The following components are installed when you install the HP-UX AAA Server: • AAA Server binaries.
NOTE If the installation is not successful, an error message is displayed. The cause of the failure will appear at the end of /var/adm/sw/swagent.
Step 12. Uncomment the following lines in /opt/hpws/tomcat/conf/web.xml: Commented <!-- The mapping for the invoker servlet -->
Because the invoker servlet lets any servlet class on the web application's classpath be called by URL, expose the Server Manager only on a management network and only to authenticated administrators.
Running Server Manager
The RMI objects must be started from the command line before HP-UX AAA Servers can be started, stopped, and configured through the Server Manager interface. Start the RMI objects to allow AAA Servers to communicate with the Server Manager.
Changing Server Manager User Name and Password
You can change the user name or password used to access the Server Manager graphic interface. Because tomcat-users.xml stores these credentials in clear text, change the password from its installed value before exposing the Server Manager, and make the file readable only by the account that runs Tomcat. Step 1. Go to /opt/hpws/tomcat/conf/tomcat-users.xml Step 2.
Uninstalling the HP-UX AAA Server Software
Use the following steps to uninstall the HP-UX AAA Server: Step 1.
Installation Defaults
The HP-UX AAA Server can be run as the root user; however, running it as a non-root user is recommended. RADIUS listens on unprivileged UDP ports, so root is not needed to bind them, and a dedicated unprivileged account limits what a compromised server process can reach on the host.
/opt/aaa/examples/config Finite state machine and group policy example files: • *.fsm: sample finite state machine (FSM) tables • *.grp: sample decision files
/opt/aaa/examples/oracle • create.
/etc/opt/aaa Configuration files: • aaa.config: runtime and tunneling configuration file • authfile: realm to authentication-type mapping file • clients: client to shared secret mapping file (this file holds every NAS shared secret in clear text, so restrict its permissions to the account the server runs as) • db_srv.
The following table lists the files generated during operation and located in /var/opt/aaa/ by default:
Table 2-2 Files Generated During Operation
Directory/File: Description
/acct/session.yyyy-mm-dd.log: Default session accounting logs, Merit style
/data/session.
Commands, Utilities, & Daemons
Table 2-3 Commands, Utilities, & Daemons
Command: Description
db_srv: The db_srv daemon performs Oracle database access operations for authentication on behalf of one or more remote HP-UX AAA Servers.
stop_db_srv.sh: Script to stop the db_srv daemon and its child process(es).
stopsession.sh: Script to manually stop an accounting session.
las.test.sh: Script to create simulated sessions for testing.
Testing the Installation
To quickly test the server installation, you use Server Manager to add a loopback connection to an AAA server, start the server, and then check its status for a response.
3 Basic Configuration Tasks
This chapter explains a few basic configuration tasks. Refer to the HP-UX AAA Server Administration and Authentication Guide for complete information on configuring the HP-UX AAA Server.
Storing User Profiles
The user information that determines how an access request is authenticated and authorized is configured in a profile as a set of A-V (attribute-value) pairs.
CAUTION Save Configuration will save the entire server configuration (access devices, proxies, local realms, users, and server properties) to the servers you specify.
Step 12. Complete any of the remaining optional fields as necessary for your configuration. Step 13. Select the Create button. Step 14. Repeat steps 8 to 13 for each user profile that you need to configure.
Grouping Users by Realm
While the HP-UX AAA Server can authenticate an individual user, you may want to authenticate and provision a group of users according to common criteria, such as an authentication type.
Step 12. You may enter values in the remaining fields to control the user's session. These fields are optional and correspond to RADIUS A-V pairs that are explained in more detail in the "A-V Pairs" chapter of the HP-UX AAA Server Administration and Authentication Guide.
Adding and Modifying Users
User profiles associate information with a user name for authentication and authorization.
User Name: Value to compare to the User-Name attribute value in the request. It must be less than 64 characters.
Figure 3-2 Server Manager's Free User Attributes Screen
To add attributes to the list boxes, follow the Attribute = Value syntax. A-V pairs may be listed one per line. When adding a new user profile, you select the Create button to submit it to the AAA Server Manager.
Session Logging and Monitoring
You can view the log files that record the details of each AAA transaction or the session logs that record information about each user's session.
Step 3. Select the Display button. The AAA Server Manager displays a list of active sessions. Step 4. Select a session. The AAA Server Manager displays the attributes for the selected session.
Viewing Server Logfiles
The log file of the AAA server contains all the information concerning the functioning of the server, such as: start/stop of the server, all of the RADIUS requests, and some internal events.
Search Parameters
You can filter what dates and times to retrieve from the logfile.
Viewing Server Statistics
Selecting the Statistics link from Server Manager's Navigation Tree allows you to retrieve a count of events that occurred on the AAA server within a time range.
4 Glossary of Terms
AAA Abbreviation for Authentication, Authorization, and Accounting.
AAA Server A software application that performs authentication, authorization, and accounting functions.
Administrator Special user, known by the system on which the AAA server is running, who is able to configure and manage the AAA server.
sent back to the server. The server does the same with its copy of the password and verifies that it gets the same result to authenticate the user; abbreviated as CHAP.
CHAP See Challenge Handshake Authentication Protocol.
The AAA server that receives an Access-Request from a client and forwards that request to another AAA server for authentication.
Communications service company that provides Internet access and services to its customers. ISPs range in size from small independents serving a local calling area to large, established telecommunications companies; abbreviated as ISP.
Microsoft Challenge-Handshake Authentication Protocol (MS-CHAP) An implementation of the CHAP protocol that Microsoft created to authenticate remote Windows workstations. In most respects, MS-CHAP is identical to CHAP, but there are a few differences.
decisions that control the authentication, authorization, and accounting process for a user's access request.
PPP See Point-to-Point Protocol.
Protocol A set of rules established between two devices to allow communications to occur.
requests. A realm has a name that looks very much like a domain name, but the two have different meanings. Realms are used only by the AAA Server to determine where an authentication request should be sent, what kind of authentication to request, and so on.
access the server's status and system time, retrieve information from accounting and session logs, and terminate sessions.
Session Each service provided by the client to a dial-in user constitutes a session, with the beginning of the session defined as the point where service is first provided and the end of the session defined as the point where service is ended.
initiated by the client, or a compulsory tunnel initiated during authentication by a server or other dedicated network equipment.
Users Individuals whom the AAA server must authenticate and authorize before they can access an organization's service, such as Internet access through an ISP.