HP-UX Mobile AAA Server A.01.00 Administrator's Guide: HP-UX 11.00 and 11i version 1 > Chapter 5 Configuration Procedures

User Files


User profiles associate information, such as reply items, with a user name. The server configuration must include profiles for all the users that can access services through the Mobile AAA server. If a user profile is not included in the configuration, the server rejects the user's access request. Profiles may be stored in flat text files or in an external source. This section covers user profiles stored in a text file. For an explanation of other mechanisms for storing user profiles, refer to the HP-UX Mobile AAA Server Authentication Guide.

To configure user profiles, select the Realms link in the Navigation tree, then select the server name, then select the File icon, and then select the appropriate server. The Define Users screen allows you to add a new user, modify an existing user, or delete an existing user. When you create, modify, or delete a user, the appropriate screen will display for defining or deleting the entry.

Adding or Modifying a User Profile

When adding a new user profile to the server configuration or modifying an existing entry, you supply values for the user profile attributes through a form's fields. This form is tabbed according to groups of attribute-value pairs.

When adding a new user profile, you select the Create button to submit it to the Mobile AAA Server Manager. When modifying an existing profile, you select the Modify button to submit changes to the user profile. In either case, if each field contains a valid value, the profile is created or modified; otherwise, an error message is displayed. You can always select the Cancel button and return to the Define Users screen without making any changes to your server configuration.

NOTE: To modify a user name, the user profile must be deleted first and then added with the new user name.

User Name

Value to compare to the user ID portion (before the @ delimiter) of the User-Name attribute value in the request. It must be less than 64 characters. The characters &, ", ~, \, /, %, $, ', and space may not be used.

Reply Items

A reply item is an A-V pair that is returned to the client or server that made the original request. Some of these attributes, such as Session-Timeout, can be used by the client to enforce simple authorization policies.

Reply items are not only included in Diameter answer messages, but are also sent in the Home-Agent-MIP-Request (HAR) messages sent from the home server to the home agent. For example, some of the following reply items might be used to override the server's defaults for a given user: Authorization-Lifetime, MIP-Key-Lifetime, Session-Timeout, MIP-Replay-Mode, MIP-Algorithm-Type, Auth-Grace-Period. For an explanation of these Diameter attributes, see Chapter 10 Attribute-Value Pairs.

Vendor-specific and other attributes can be added to a user profile through the Additional Reply Items text box.

Security Parameter Index (SPI) Groups

A mobile node has a security association with its home AAA server. A security association is a collection of one or more security contexts. Each security context indicates an authentication algorithm and a secret. A security parameter index (SPI) is a 32-bit index identifying a security context between a pair of nodes among the contexts available in the mobility security association. The SPI is also passed, along with the authenticator, in the Mobile-IP authentication request.

To Add an SPI to the User Profile

You can specify one or more SPI groups for a user profile.

  1. Select the Add SPI button from the SPI Groups section of the User Attributes form.

  2. Complete the SPI Group Information dialog that appears.

    SPI Group

    Security parameter index to be associated with the encryption algorithm and password. The value is a 32-bit unsigned integer that must be greater than 255.

    Encryption Algorithm

    Indicates the encryption algorithm to use when encrypting the password in the user profile, so that the server’s encrypted value can be compared to the encrypted value in the mobile node’s request to verify the user’s identity. Valid values are HMAC-MD5, HMAC-SHA-1, or MD5-Prefix-plus-Suffix-Mode.

    Password

    User’s secret used in the encryption algorithms to authenticate the mobile node.

  3. Select the Save button in the SPI Group Information dialog.
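As an added illustration (not code from the HP guide or product), the check a home AAA server performs with an SPI group: it selects the security context by SPI, recomputes the authenticator with that group's algorithm and password, and compares it to the authenticator carried in the mobile node's request. The SPI group table, the request bytes, and the simplified layout of the protected fields are constructed assumptions.

```python
import hashlib
import hmac
import struct

# Constructed SPI groups for one user profile, mirroring the SPI Group Information
# dialog fields (SPI Group, Encryption Algorithm, Password); values are made up.
SPI_GROUPS = {
    "alice": [
        {"spi": 1000, "algorithm": "HMAC-MD5", "password": "alice-secret"},
        {"spi": 1001, "algorithm": "MD5-Prefix-plus-Suffix-Mode", "password": "legacy-secret"},
    ],
}

def valid_spi(spi):
    """The guide requires a 32-bit unsigned integer greater than 255."""
    return isinstance(spi, int) and 255 < spi <= 0xFFFFFFFF

def protected_fields(request_body, spi):
    """Bytes covered by the authenticator: the request body followed by the SPI.
    Simplified stand-in for the Mobile-IP authentication extension layout (assumption)."""
    return request_body + struct.pack("!I", spi)

def compute_authenticator(algorithm, secret, protected):
    """Compute the authenticator with the algorithm named in the SPI group."""
    if algorithm == "HMAC-MD5":
        return hmac.new(secret, protected, hashlib.md5).digest()
    if algorithm == "HMAC-SHA-1":
        return hmac.new(secret, protected, hashlib.sha1).digest()
    if algorithm == "MD5-Prefix-plus-Suffix-Mode":
        # Keyed MD5 in prefix+suffix mode (RFC 2002): MD5(secret || data || secret)
        return hashlib.md5(secret + protected + secret).digest()
    raise ValueError(f"unsupported algorithm: {algorithm}")

def find_spi_group(user, spi):
    """Select the user's security context by SPI; None if the SPI is unknown or invalid."""
    if not valid_spi(spi):
        return None
    for group in SPI_GROUPS.get(user, []):
        if group["spi"] == spi:
            return group
    return None

def verify_request(user, spi, request_body, authenticator):
    """True only if the request's authenticator equals the one recomputed from the
    SPI group's algorithm and password; the comparison is constant-time."""
    group = find_spi_group(user, spi)
    if group is None:
        return False
    secret = group["password"].encode()
    expected = compute_authenticator(group["algorithm"], secret, protected_fields(request_body, spi))
    return hmac.compare_digest(expected, authenticator)
```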

To Modify an SPI Group

  1. Select the name of the SPI group you wish to modify from the drop-down list in the SPI Groups section of the User Attributes form.

  2. Change the current field values as necessary.

  3. Select the Save button.

To Delete an SPI Group

  1. Select the name of the SPI group you wish to delete from the drop-down list in the SPI Groups section of the User Attributes form.

  2. Select the Delete button.

Deleting a User Profile

You may delete a user profile in the default users file or in a realm file, which is the file created for a realm that uses File type authentication. To delete a profile, select the icon for an existing user profile from the Users File screen (accessed by selecting Users from the Navigation Tree). To delete a user in a realm file, on the Define Realms screen you must first select the icon for a listed realm that is configured for File type authentication.

The User Deletion screen allows you to preview a profile before you delete it. The page contains a Delete button to submit the Delete user profile command to the Mobile AAA Server Manager. The Mobile AAA Server Manager will delete the entry corresponding to that user.

Special Entries

An entry with the user name DEFAULT can be included to indicate how to handle names that do not explicitly match any other entries in this file.
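As an added illustration (not code from the HP guide or product), the lookup a file-based realm performs on a request's User-Name, combining the User Name rules above with the DEFAULT entry; the users table and the decision to reject names that break the User Name rules outright are constructed assumptions.

```python
# Characters the guide forbids in a user name, including the space character
FORBIDDEN = set('&"~\\/%$\' ')

# Constructed users file keyed by user name, as the Define Users screen would store it
USERS_FILE = {
    "alice": {"Session-Timeout": 3600},
    "DEFAULT": {"Session-Timeout": 600},
}

def user_id_from_nai(user_name):
    """Return the user-ID portion of a User-Name attribute (the part before the @ delimiter)."""
    return user_name.split("@", 1)[0]

def valid_user_id(user_id):
    """Apply the guide's constraints: non-empty, under 64 characters, no forbidden characters."""
    return 0 < len(user_id) < 64 and not (set(user_id) & FORBIDDEN)

def lookup_profile(user_name, users=USERS_FILE):
    """Find the profile for a request's User-Name, falling back to the DEFAULT entry.
    None means the server rejects the access request (no matching profile)."""
    user_id = user_id_from_nai(user_name)
    if not valid_user_id(user_id):
        return None  # assumption: names that could never be stored are rejected
    return users.get(user_id) or users.get("DEFAULT")
```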

Storing User Profiles on an LDAP server

  1. Begin creating a realm as described in steps 1 to 3 of “Storing User Profiles in a Flat Text File” in the HP-UX Mobile AAA Server Getting Started Guide.

  2. From the Realm Attribute screen’s Authentication Type drop-down list, select PROLDAP. Additional extended parameters will appear.

  3. Select New LDAP Directory from the Extended Parameters drop-down list.

  4. Complete the LDAP Directory screen:

    Directory Name: String that identifies how the directory configuration will appear in the drop-down list in the Extended Parameters section of the Realm Attributes screen.

    Host: Name of the host that the LDAP directory server runs on. The value should be a fully qualified DNS name, although an IP address in dotted-quad notation would also work.

    Search Base: Pointer into the directory where the search for users in a realm will start. A search base contains a list of A-V pairs that trace a path from a location in the directory's schema to the top of the directory. The A-V pairs used depend on the schema of your particular directory server.

    Figure 5-1 New LDAP Directory Screen
  5. You can complete the remaining fields to further define the directory server. These fields are optional. If no value is entered for Port, Administrator, and Password, anonymous searches and binds can be performed. You can find more information in the ProLDAP chapter of the HP-UX Mobile AAA Server Authentication Guide.

  6. Select the Save button in the LDAP Directory screen.

  7. Repeat steps 3 to 6 to add additional directory servers. Each realm may be configured with up to four configurations for redundant LDAP-accessible directories, which the server uses when it performs load balancing and failover.

  8. Select the Create button on the Realm Attributes screen.

  9. Select the Save button on the Define Realms screen.

  10. Refer to the Mobile AAA Server Authentication Guide to set up the LDAP server.

© 2001-2004 Hewlett-Packard Development Company, L.P.