 |
» |
|
|
|
Figure 1-7 “Default FSM State Transitions” shows that when
the HP-UX AAA server engine receives any RADIUS request message,
it calls the Finite State Machine and defines a starting event according
to the type of request message. This first event will determine
the first action. In the default FSM, the first action for an Access-Request
is AUTHENTICATE. Figure 1-8 “Default Action Sequence” shows
how FSM actions interact to process the Access-Request
for authentication and authorization. Load
Balancing and Failover | |
When authenticating users stored in replicated LDAP directory
servers or Oracle databases, the server performs load balancing
and failover functions. Load balancing assigns a number of requests
(determined by authentication type) to one server and assigns each
subsequent set of requests to a different server. Failover keeps
track of each pending request's age and after a built-in
time interval moves the request to a different server's queue. Both
functions assign requests in a round robin fashion — they
find the next available server to communicate with and that has
space available in its request queue. Authentication
to Verify the Client and User | |
The authentication of an access request has
a number of distinctive steps as shown in Figure 1-9 “Authentication Steps”. The rounded rectangles represent configuration
files that the HP-UX AAA server uses and the ovals represent
one or more authentication types. Authentication StepsAfter
the server receives an Access-Request, the FSM AUTHENTICATE
action attempts to match the client making the request to an entry
in the clients file, refer to Figure 1-8 “Default Action Sequence”. The server will only attempt to authenticate a request
if a match can be made. A matched entry is used to determine whether
to use the default or an alternate users file, according to a specified prefix.
In the following example, the client entry associates a particular
NAS with a nas1. prefix: yourcompany.com Type=Merit:NAS v1 nas1. |
All requests from that NAS will be processed in the following
steps with files called nas1.users and nas1.authfile, instead of the default users and authfile files. Next, AUTHENTICATE checks the
users file that corresponds to the client entry. In
this step, the User-Name attribute
value from the Access-Request is used to find an entry
for the user in the users file. The server checks the file from beginning
to end. When the first match occurs, the remaining file entries
are not also checked. If
User-Name matches an
entry, but User-Password does
not match the user's password, the authentication will fail. If User-Name and
User-Password match
an entry, authentication moves to step 5 If User-Name matches an entry,
but Authentication-Type is
specified instead of User-Password. AUTHENTICATE calls
another action as specified by Authentication-Type,
and then authentication moves to the next step, refer to Figure 1-8 “Default Action Sequence”. If User-Name does not match an
entry, the server will use the default users entry. In the default users file, this entry specifies an Authentication-Type of Realm.
If the user's entry specified one of the AAA server's other authentication types,
the server handles the entry as if it were an authfile entry, where an authentication type is associated
with all users belonging to a particular realm. If User-Name does
not match an entry and there is no default entry, the authentication
will fail.
If the authentication type for
the user is Realm, AUTHENTICATE calls the REALM action, which parses
the User-Name attribute value for a realm name and searches
authfile to determine the authentication type that corresponds
to the user's realm. A default entry may be used to handle
any realms that are not explicitly configured in authfile. | | | |  | NOTE: A User-Name value in the Network Access
Identifier (NAI) (described in RFC 2486) format should look like
userid@realm or realm/username. If no realm is specified, the server
assigns the value, NULL, to the realm. | | | | |
As a result, REALM will in turn, call another one of the authentication
type actions. Entries for most authentication types require one or
more parameters that specify the location of external data sources
and similar information. The server handles each authentication
type differently by calling an authentication-specific
Action to handle the request. Under the Passwd
authentication types, the server looks for a matching user on the
local machine. Under the
ProLDAP and
Oracle authentication
types, the server looks for a matching user in an external database
on a specified server. The ProLDAP type requires several additional
search parameters to find a user entry on an LDAP directory
server. Under the RADIUS authentication
type, the server acts as a proxy client and forwards the Access-Request
to a specified remote server. Similar to
the File authentication type, EAP will try to find the user in a
realm file; however, the AAA server will perform authentication
according to EAP, instead of
PAP or CHAP.
If
the user's password can be verified, authentication succeeds. The
user profile information is added to the request, and the FSM begins
authorization with the CHK_DNY action.
Authorization
to Control Sessions and Access to Services | |
The HP-UX AAA server can authorize users
through a few different methods: Provisioning
on a user-by-user basis with check items and by
adding reply items to an Access-Accept message (simple
policy) Based on realms through its Local Authorization Server (LAS) functions Based on other
logical groups through stored policy decisions (complex policy) that can make
check and add reply items to the request in a more sophisticated
manner
Like authentication, the authorization of
an access request has a number of distinctive steps to handle these
methods, as shown in Figure 1-10 “Authorization Steps”.
The rounded rectangles represent configuration files that the HP-UX
AAA server uses, and the ovals represent one or more actions called
by the Finite State Machine. The dotted lines and shapes indicate
a step in the process that does not occur with the server's default
FSM configuration, but can occur with a customized configuration. The server receives
a request and authenticates the user. If authentication is successful,
the authorization will begin. Check Items After
authentication each check item in the user profile is processed
or matched against the request's A-V pairs. For
example, a check item indicating that the request must be for
PPP service must
be matched by a corresponding Framed-Protocol=PPP A-V pair in the request in order for
the request to be accepted. If all
the check and deny items associated with User-Name are
satisfied, then the CHK_DNY action returns an ACK value to the FSM. If any check or deny item,
including the user's password, is not matched correctly,
the authentication module returns a NAK value to the software engine.
The request fails, and an Access-Reject is issued.
Policy HP-UX
AAA policy can be simple or complex decisions that control the authentication,
authorization, and accounting process for a user's request. Simple policy
has already been described as using lists of check and reply items.
Complex policy refers to checking a logical A-V pair expression
associated with a group of users for a true or false result. An
A-V pair expression is represented by a Boolean logic statement
that may include AND, OR, NOT Boolean operators and relative operators
and may use parentheses to nest statements. According to the result of this complex policy decision,
which can be based on a wide range of criteria and comparisons,
the AAA server can accept or reject the request, as well as control
how services are delivered or logged. Some policies that can be implemented
include: Dialed Number
Identification Service (DNIS)—routing requests according
to the number called from or called. Grouping users by NAS addresses
or ports Control session duration,
concurrent usage, or delivered services—not based on user
or realm, but based on any other logical grouping that can be defined
by A-V pairs Control access according
to any time-based criteria
By default, ProLDAP policy occurs after CHK_DNY, but you can
define policy decisions in ProLDAP or text files (called decision
files) and configure the server to evaluate the policy at any point
in the authentication and authorization process—before
authentication, for example— and as often as you would
like. After the POLICY action evaluates a decision, it retrieves
reply items that may be added to the Access-Accept message
and returns a value that determines the subsequent sequence of actions
followed by the FSM. Local Authorization Server (LAS) The refers
to the routines and code in the server that handle authorization.
Both the LAS and POSTLAS actions are part of the LAS. Session control
with the LAS is based on realms, refer to Figure 1-8 “Default Action Sequence”. A realm must be listed in the las.conf file, if not listed, LAS will not enforce any
session control for users from that realm. When the LAS handles
an Access-Request for a user in a local realm configured
in the las.conf file, the LAS module performs the following steps: Checks
the user profile for a Simultaneous-Session attribute-value
pair, which determines the maximum number of active sessions the
user may have. 1 is the default. Authorizes or denies service
to a user based on the user's membership in a UNIX group. Authorizes or denies service
based on Service-Class.
The POSTLAS action performs simultaneous access token (SAT)
control, which is used to implement realm-based simultaneous
session control. Reply
Items One of the last actions that occur during authorization
is the generation of an Access-Accept or Access-Reject
message (refer to Figure 1-10 “Authorization Steps”) by the
REPLY action (refer to Figure 1-8 “Default Action Sequence”).
By adding reply items to a user's profile or through policy
decisions, REPLY can provide a NAS with provisioning information in
an Access-Accept data packet. Depending on the capabilities
of the NAS, the reply items can be used to control a user's
session. For example, the following user entry would limit the length
of the session
and what hosts could be accessed:
guest@library.org Password = "public"
Filter = "lib",
Session-Timeout = 3600 |
Users can authenticate as guest@library.org using password "public" to
connect for one hour (3600 seconds) to the library hosts that the
filter "lib" allows.
The REPLY action
also checks for a Service-Type value,
equates the value with one of three special user entries (pppuser,
slipuser, dumbuser), and then appends reply items to the request
accordingly. The attribute values for these items specify the default
values to use when configuring the connection specified by Service-Type. The special
user entries are not used for authentication; the reply items for
one of these entries are appended to a request from any user requesting the
corresponding service type. When duplicate attribute-value pairs exist, in a
user profile and policy decision for example, pruning is applied
to determine which A-V pair should be included in the Access-Accept
or Access-Reject message.
|
Printable version
