 |
» |
|
|
|
The server can be set up for different functions
by modifying existing FSM tables, or creating new FSM tables. Edit
the state table for authorization sequence, or to have interim accounting
messages logged by calling the appropriate module at a certain point
in the authentication process. Tracking
Versions | |
You can embed version information into a state table using
the following syntax: - Version
Can be any string and will
appear as the ID in radcheck output.
Examples | |
State table modifications can range from simple to more involved customization
and offer a great deal of flexibility when configuring the HP-UX
AAA software. An Access-Request message may need to be pre-processed
for a variety of reasons. For example, if the client sends a User-Name
value with extraneous information, the extraneous information may
need to be stripped out before the server authenticates the user.
Preprocessing requires that you write or obtain a plug-in
that will parse the message and pass the processed A-V
pairs to the iaaaUsers action. Modify the state table to call the preprocessing plug-in
when the message is first received. Add a preprocessing state that
calls the iaaaUsers action and transitions to the UsersCheck state. 1 START:
2 *.+AUTHEN.ACK PREPROC Preauth
3 *.+AUTHENTICATE.ACK PREPROC Preauth
4 Preauth:
5 *.PREPROC.ACK iaaaUsers UsersCheck
6 *.PREPROC.NAK REPLY Hold
7 . . . |
|
- Line 1-3
*.+AUTHEN.ACK or +AUTHENTICATE.ACK indicates that the received message is an Access-Request.
PREPROC indicates the action, which calls the custom
PREPROC software module. PREPROC is programmed to parse User-Name, strip out the extraneous information, and assign
the result to the User-Id attribute. (The server uses User-Id to
locate a stored user profile.) If PREPROC is successful it returns an ACK event name; otherwise, it returns a NAK. Preauth indicates the next state the FSM must
proceed to, after PREPROC returns an ACK or NAK event name. - Line 4
As described for steps 1
to 3, Preauth is the next state after PREPROC has parsed User-Name and returned an ACK or NAK value. - Line 5
If PREPROC returns an ACK value, handling of the request continues normally
with the modified user name. - Line 6
If PREPROC returns a NAK value, the request will be rejected.
| | | |  | NOTE: When listing an event, you need to specify the last
action only if it is required for the finite state table to correctly
determine the next action. In this case, the Preauth events *.*.ACK and *.*.NAK on lines 5 and 6 would also work. | | | | |
Custom
Logging Format | |
Using a custom-logging format requires that you write
or obtain a plug-in that will generate a session log. In
each instance when you want to use your custom format, you must
replace the LOG action in the state table with the name of the
appropriate action defined in your plug-in. The ACCTLog state in the following example uses a logging
format generated by MYLOG for an ordinary session and uses another format generated
by TUNNELLOG for tunnel sessions. ACCTlog:
*.*.ACCT_START REPLY Hold
*.*.ACCT_STOP MYLOG REPLYHold
*.*.ACCT_ALIVE REPLY Hold
*.*.ACCT_MSTART REPLY Hold
*.*.ACCT_MSTOP MYLOG REPLYHold
*.*.ACCT_CANCEL REPLY Hold
*.*.ACCT_ON MYLOG REPLYHold
*.*.ACCT_OFF MYLOG REPLYHold
*.*.ACCT_TUNNEL_START REPLY Hold
*.*.ACCT_TUNNEL_STOP TUNNELLOG REPLYHold
*.*.ACCT_TUNNEL_REJECT TUNNELLOG REPLYHold
*.*.ACCT_TUNNEL_LINK_START REPLY Hold
*.*.ACCT_TUNNEL_LINK_STOP TUNNELLOG REPLYHold
*.*.ACCT_TUNNEL_LINK_REJECT TUNNELLOG REPLYHold |
DNIS
Routing | |
In a typical DNIS routing scheme, requests are handled according
to the Calling-Station-Id and Called-Station-Id attributes. This conditional handling of requests
can be accomplished by invoking the POLICY action with an Xstring value at the beginning of the finite state table. The Xstring value must refer to the place where policy is stored. In
this example, the policy is stored in a decision file named DNIS.grp. The POLICY action matches the Calling-Station-Id and Called-Station-Id attribute values in the Access-Request
to a group of conditions defined in the decision file, see “Decision
Files ”. Depending on the results
of the match, a set of reply items is attached to the request and
an event value is returned. |
1 %event Forward
2 %event Abandon
3 Start:
4 *.+AUTHEN.ACK POLICY Start2 Xstring=decisionfile:DNIS.grp
5 *.+AUTH_ONLY.ACK POLICY Start2 Xstring=decisionfile:DNIS.grp
6 *.+AUTHENTICATE.ACK POLICY Start2 Xstring=decisionfile:DNIS.grp
7 *.+ACCT.ACK POLICY Start2 Xstring=decisionfile:DNIS.grp
8 *.+LAS_ACCT.ACK POLICY Start2 Xstring=decisionfile:DNIS.grp
9 *.+LASCP.ACK LASCP End
10 *.+MGT_POLL.ACK SRV_STATUS REPLYHold
11 *.*.NAK REPLY Hold
12 Start2:
13 *.*.Forward RAD2RAD REPLYHold Xstring=flatland.com
14 *.*.Abandon NULL End
15 *.*.AUTHEN iaaaUsers UsersCheck
16 *.*.AUTH_ONLY iaaaUsers AuthOnly
17 *.*.AUTHENTICATE iaaaUsers UsersCheck
18 *.*.ACCT LAS_ACCT ACCTwait
19 *.*.LAS_ACCT LAS_ACCT ACCTwait
20 *.*.LASCP LASCP End
21 *.*.MGT_POLL SRV_STATUS REPLYHold
22 *.*.NAK REPLY Hold
23 ... |
|
- Lines 1 to 2
Define two new event names,
Abandon and Forward, that can be returned by the POLICY action and the DNIS.grp decision file. - Line 4 to 8
The Start state calls the
POLICY action for all incoming requests. Since the
Xstring attribute is used, POLICY will attempt to match the request to a group entry
in the DNIS.grp decision file. When a match is made, a value will
be returned and the FSM will transition to the Start2 state. - Line 13
If a matched number is granted
access according to the decision file, the POLICY action returns a Forward event name, and the next
action will be RADIUS, which will forward the request to another server. - Line 14
If a matched number is not
granted access, the POLICY action returns an Abandon event name, and the
next action will be NULL, which discards the request. - Lines15 to 22
If no number is matched,
one of the Interlink-Proxy-Action values is returned,
and the request is handled according to the current event.
| | | | | NOTE: This example appears in the template
file, DNIS.fsm. | | | | |
|
Printable version
