HP-UX AAA Server A.07.00 Administrator's Guide: HP-UX 11i v1, 11i v2, and 11i v3 > Chapter 28 Configuration Files

The aaa.config File

The aaa.config file contains keyword-value entries, one per line, that override compiled-in default values in the HP-UX AAA Server. It is used for performance tuning, debugging, and overriding built-in defaults.

IMPORTANT: Configuration files have a maximum input line length of 255 characters. The server does no checking to ensure that a configuration statement stays within this limit, so an over-long line is silently mis-read rather than rejected.

You can split configuration data across multiple text files and have them loaded at server startup. For each additional file, add a one-line entry to the aaa.config file in the following format:

include "File-name"

If File-name does not specify a path, the server looks for the file in the configuration directory.

The syntax of a keyword-value entry in the aaa.config file is:

variable = value 
NOTE: Any space or tab characters before the variable, or surrounding the equal sign, are ignored. Space and tab characters after the value may be treated as part of the value assigned to the variable, so do not leave trailing whitespace after a value.

Variables in the aaa.config File

The following variables can be set in the aaa.config file:

The strict_duplicate_check Variable

This variable changes how the HP-UX AAA Server detects duplicate RADIUS packets. By default (strict_duplicate_check set to "off"), a packet is treated as a duplicate of an earlier request when its identifier, source port, source IP address, and packet length all match. This looser check supports a wider range of NASs, for example NASs that do not keep the Request Authenticator identical when they retransmit.

When strict_duplicate_check is set to "on", the server additionally requires the Request Authenticator to match. Because the RADIUS identifier is a single byte, a NAS that reuses an identifier quickly can send a genuinely new request whose identifier, source and length coincide with an earlier one; the looser check then mistakes it for a retransmission and answers it from the reply cache. Setting this variable to "on" results in a significant performance increase.
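The following is an added example and not HP-UX AAA Server code. It models the two duplicate-detection keys described above on constructed packets: with the loose key, a second, different request that reuses the identifier and has the same length is answered from the cache with the reply that belonged to the first request; with the Request Authenticator included in the key, it is processed on its own. Only the RADIUS header layout (RFC 2865) is real; the policy function, addresses and user names are assumptions.

```python
"""Duplicate-request detection with and without the Request Authenticator.

Added example; this is not HP-UX AAA Server code. It models the two keys the
text describes: the loose key (identifier, source port, source IP, length)
used when strict_duplicate_check is off, and the strict key that also
includes the 16-byte Request Authenticator. Packets and the reply cache are
constructed here; only the RADIUS header layout (RFC 2865) is real.
"""
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3


def build_request(identifier: int, authenticator: bytes, attrs: bytes = b"") -> bytes:
    """Encode a RADIUS Access-Request: code, identifier, length, 16-byte authenticator, attributes."""
    assert len(authenticator) == 16
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def user_name(name: bytes) -> bytes:
    """Encode a User-Name attribute (type 1)."""
    return struct.pack("!BB", 1, 2 + len(name)) + name


def duplicate_key(packet: bytes, src_ip: str, src_port: int, strict: bool) -> tuple:
    """Build the key a server would use to recognise a retransmission."""
    _code, identifier, length = struct.unpack("!BBH", packet[:4])
    key = (src_ip, src_port, identifier, length)
    if strict:
        key += (packet[4:20],)  # Request Authenticator
    return key


class ReplyCache:
    """Remembers the reply sent for each request key, as a duplicate cache does."""

    def __init__(self, strict: bool):
        self.strict = strict
        self.cache = {}

    def handle(self, packet: bytes, src_ip: str, src_port: int, decide) -> tuple:
        """Return (reply_code, served_from_cache); decide(packet) is the policy for new requests."""
        key = duplicate_key(packet, src_ip, src_port, self.strict)
        if key in self.cache:
            return self.cache[key], True
        reply = decide(packet)
        self.cache[key] = reply
        return reply, False


def policy(packet: bytes) -> int:
    """Constructed policy: only 'alice' is accepted. The User-Name value starts at offset 22."""
    return ACCESS_ACCEPT if packet[22:27] == b"alice" else ACCESS_REJECT


def demo(strict: bool) -> tuple:
    """Two different requests from one NAS that reuse identifier 7 and have equal length.

    Returns (first_reply, second_reply, second_served_from_cache).
    """
    cache = ReplyCache(strict)
    first = build_request(7, bytes(range(16)), user_name(b"alice"))
    second = build_request(7, bytes(range(16, 32)), user_name(b"carol"))
    r1, _ = cache.handle(first, "192.0.2.10", 49152, policy)
    r2, cached = cache.handle(second, "192.0.2.10", 49152, policy)
    return r1, r2, cached


if __name__ == "__main__":
    print("strict off:", demo(False))  # carol is answered from alice's cached Access-Accept
    print("strict on: ", demo(True))
```

A real retransmission (same packet sent twice) is served from the cache under both settings; the strict key only stops a different request from being matched. Whether a given NAS keeps the authenticator stable across retransmissions decides which setting is safe for it.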

The aatv.ProLDAP Property

This property controls the HP-UX AAA Server's connections to LDAP directory servers. Unlike the other aaa.config variables, it uses a block syntax (shown in the example below) rather than a single keyword-value line.

  • Retry-Interval sets the number of seconds the HP-UX AAA Server waits before trying to reconnect to an LDAP directory server when a realm has failover directory servers configured. Default: 60 seconds.

  • Retry-Wait sets the number of seconds the HP-UX AAA Server waits before attempting to connect to the same failover LDAP server again. When all failover directory servers configured for a realm are down, the HP-UX AAA Server tries to reconnect to one of them every time an access request is received; this parameter bounds the time spent on those reconnection attempts. Default: 1 second.

  • Timeout sets the number of seconds an LDAP connection remains open after the HP-UX AAA Server has failed to complete any LDAP operation on it. This parameter improves handling of directories that time out idle client connections.

  • TCP-Timeout sets the number of seconds the HP-UX AAA Server waits for an LDAP server when establishing the TCP connection.

  • Debug determines whether OpenLDAP debug messages are written to the radius.debug file. A value of 0 disables these messages; a value of -1 enables them. A value of -1 enables all OpenLDAP debug output, which can include the contents of LDAP operations, so enable it only while troubleshooting and protect the radius.debug file accordingly.

For example:

aatv.ProLDAP
{
Retry-Interval 60
Retry-Wait 1
Timeout 60
TCP-Timeout 3
Debug 0
}
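As an added example (not part of the HP-UX AAA Server), the following parser implements the file syntax described in this section: keyword-value lines with the whitespace rules from the NOTE above, include "File-name" lines resolved against the configuration directory when no path is given, and the brace block used by aatv.ProLDAP. It also warns about lines over 255 characters, which the server itself does not check. The sample files, the directory /etc/opt/aaa, the rule that a later assignment overrides an earlier one, and the include depth limit are assumptions made for the example.

```python
"""Parser and lint for the aaa.config syntax described in this section.

Added example; not part of the HP-UX AAA Server. Implements the documented
rules: leading whitespace and whitespace around '=' are ignored, whitespace
after a value is kept as part of the value, include "File-name" resolves
against the configuration directory unless a path is given, and a
'name { key value ... }' block as used by aatv.ProLDAP. Lines longer than
255 characters are reported because the server does not check them.
Assumptions: later assignments override earlier ones; include nesting is
capped at 8 levels; sample files below are constructed.
"""
import os
import re

MAX_LINE = 255
INCLUDE_RE = re.compile(r'^\s*include\s+["\u201c](.+?)["\u201d]\s*$')
ASSIGN_RE = re.compile(r'^\s*([A-Za-z_][\w.-]*)\s*=\s*(.*)$')  # value keeps trailing whitespace
BLOCK_RE = re.compile(r'^\s*([A-Za-z_][\w.-]*)\s*(\{)?\s*$')


def parse_aaa_config(text, config_dir="/etc/opt/aaa", read_file=None, _depth=0):
    """Return (variables, blocks, warnings). read_file(path) -> str supplies included files."""
    variables, blocks, warnings = {}, {}, []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        raw = lines[i]
        i += 1  # i is now the 1-based number of the line being processed
        if len(raw) > MAX_LINE:
            warnings.append(f"line {i}: {len(raw)} characters exceeds the {MAX_LINE}-character limit")
        if not raw.strip():
            continue
        m = INCLUDE_RE.match(raw)
        if m:
            name = m.group(1)
            path = name if "/" in name else os.path.join(config_dir, name)
            if read_file is None:
                warnings.append(f"line {i}: include {path!r} skipped (no reader supplied)")
                continue
            if _depth >= 8:
                warnings.append(f"line {i}: include depth limit reached at {path!r}")
                continue
            try:
                included = read_file(path)
            except (OSError, KeyError) as exc:
                warnings.append(f"line {i}: cannot read {path!r}: {exc}")
                continue
            v, b, w = parse_aaa_config(included, config_dir, read_file, _depth + 1)
            variables.update(v)
            for bname, props in b.items():
                blocks.setdefault(bname, {}).update(props)
            warnings.extend(f"{path}: {msg}" for msg in w)
            continue
        m = ASSIGN_RE.match(raw)
        if m:
            variables[m.group(1)] = m.group(2)
            continue
        m = BLOCK_RE.match(raw)
        if m:
            name = m.group(1)
            if not m.group(2):  # opening brace expected on the following line
                if i < len(lines) and lines[i].strip() == "{":
                    i += 1
                else:
                    warnings.append(f"line {i}: {name!r} is neither an assignment nor a '{{' block")
                    continue
            props = {}
            while i < len(lines) and lines[i].strip() != "}":
                parts = lines[i].split(None, 1)
                if parts:
                    props[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
                i += 1
            if i >= len(lines):
                warnings.append(f"block {name!r} is missing its closing '}}'")
            i += 1  # skip the closing brace
            blocks.setdefault(name, {}).update(props)
            continue
        warnings.append(f"line {i}: unrecognised entry: {raw.strip()!r}")
    return variables, blocks, warnings


# Constructed sample files standing in for the configuration directory.
SAMPLE_FILES = {
    "/etc/opt/aaa/aaa.config": (
        'include "tuning.conf"\n'
        '  strict_duplicate_check = on \n'   # trailing space becomes part of the value
        'aatv.ProLDAP\n{\nRetry-Interval 60\nRetry-Wait 1\nTimeout 60\nTCP-Timeout 3\nDebug 0\n}\n'
    ),
    "/etc/opt/aaa/tuning.conf": "log_threshold_limit=150\nlist_copy_limit=256\n",
}


def demo():
    """Parse the constructed aaa.config, resolving its include from SAMPLE_FILES."""
    return parse_aaa_config(SAMPLE_FILES["/etc/opt/aaa/aaa.config"], "/etc/opt/aaa", SAMPLE_FILES.__getitem__)


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The parsed value of strict_duplicate_check in the sample is "on " with a trailing space, which is exactly the trap the NOTE above warns about; running a lint like this before restarting the server catches it, as well as over-long lines.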

The log_threshold_limit and suppression_interval Variables

These variables suppress a message that would otherwise be recorded repeatedly in the log file. For example:

log_threshold_limit=150
suppression_interval=20

Where:

log_threshold_limit

The number of times the same message can be recorded in the log file within two seconds before further copies are suppressed. Default: 100.

suppression_interval

The time, in seconds, for which logging of that message is then suppressed. Default: 30 seconds.

In the above example, a message that is logged more than 150 times within 2 seconds is suppressed for the next 20 seconds. Suppression is per message, so a flood of one message (for instance a failing LDAP bind) does not hide other messages, but it does mean that a count of log lines understates how often the suppressed event occurred.
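The following is an added example, not server code, that applies the rule just described to a constructed message stream so the interaction of the two settings can be seen: the two-second counting window, the point at which suppression starts, and when logging resumes. Time is passed in explicitly to keep it deterministic; the message texts and timings are made up.

```python
"""Model of log_threshold_limit / suppression_interval behaviour.

Added example; not HP-UX AAA Server code. Rule from the text: if the same
message is logged more than log_threshold_limit times within a two-second
window, further copies are dropped for suppression_interval seconds.
Timestamps are supplied by the caller; the message stream is constructed.
"""
from collections import defaultdict, deque


class LogSuppressor:
    WINDOW = 2.0  # seconds; fixed by the server according to the text

    def __init__(self, log_threshold_limit=100, suppression_interval=30):
        self.limit = log_threshold_limit
        self.interval = suppression_interval
        self.recent = defaultdict(deque)  # message -> timestamps inside the window
        self.suppressed_until = {}        # message -> time at which suppression ends
        self.dropped = defaultdict(int)   # message -> copies not written

    def log(self, message, now):
        """Return True if the message is written to the log, False if it is suppressed."""
        until = self.suppressed_until.get(message)
        if until is not None:
            if now < until:
                self.dropped[message] += 1
                return False
            del self.suppressed_until[message]   # interval over: start counting afresh
            self.recent[message].clear()
        window = self.recent[message]
        window.append(now)
        while window and now - window[0] > self.WINDOW:
            window.popleft()
        if len(window) > self.limit:               # the (limit+1)-th copy within 2 s
            self.suppressed_until[message] = now + self.interval
            self.dropped[message] += 1
            return False
        return True


def simulate(limit=150, interval=20):
    """Constructed flood: 160 copies at 10 ms spacing, then probes at 15 s and 25 s.

    Returns (copies_written, other_message_written, written_at_15s, written_at_25s, dropped).
    """
    s = LogSuppressor(limit, interval)
    written = sum(s.log("LDAP bind to ldap1 failed", n * 0.01) for n in range(160))
    other = s.log("Startup complete", 1.0)              # a different message is unaffected
    during = s.log("LDAP bind to ldap1 failed", 15.0)   # still inside the 20 s interval
    after = s.log("LDAP bind to ldap1 failed", 25.0)    # interval ended at 1.5 + 20 = 21.5 s
    return written, other, during, after, s.dropped["LDAP bind to ldap1 failed"]


if __name__ == "__main__":
    print(simulate())
```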

The list_copy_limit Variable

This variable is intended for customized server configurations that accumulate A-V pairs or generate large responses. The default (and maximum) value is 512. The syntax of the list_copy_limit variable is:

list_copy_limit=256

The log_forwarding Variable

This variable turns logging to the logfile on or off for packets that are forwarded through the server to another RADIUS server. It also controls whether the forwarding vector, the reply vector, or a dump of the forwarded packet is logged. This gives finer detail when tracking problems, at the expense of a larger log file. The syntax of the log_forwarding variable is:

log_forwarding=on
log_forwarding=off
log_forwarding=+vector
log_forwarding=+digest
log_forwarding=+dump
log_forwarding=-vector
log_forwarding=-digest
log_forwarding=-dump
log_forwarding=clear

The log_generated_request Variable

This variable turns logging of internally generated packets on or off, both when they are created and when they reach their end state. It is useful for a customized server configuration that produces accounting requests from internal state transitions rather than from externally delivered requests. The syntax of the log_generated_request variable is:

log_generated_request=on
log_generated_request=off

The ourhostname Variable

This variable sets the interface (DNS name or IP address) that a multihomed server uses to send and listen for RADIUS messages. By default, the HP-UX AAA Server determines its hostname by calling gethostname. On a multihomed host this call may not return the name of the interface that the HP-UX AAA Server should use. The syntax of the ourhostname variable is:

DNS host name: ourhostname=interface1.radius.server.net
Traditional IP (IPv4) address: ourhostname=192.0.2.0
IPv6 address: ourhostname=fedc:ba98:7654:3210:fedc:ba98:7654:3210

CAUTION: If you configure an IPv6 address in the ourhostname variable, traditional IP (IPv4) hosts will not be able to send or receive messages. Similarly, if you configure an IPv4 address here, IPv6 hosts will not be able to send or receive messages. If you configure a DNS name, the first address returned by the DNS server is used, so confirm that the name resolves first to an address of the intended family and interface.

The packet_log Variable

This variable controls checks that compare the current request with the original request, which are performed when certain attributes (NAS-Identifier, NAS-Port, User-Name, and so on) are written to a request log. If the +abort option is given, a mismatch causes the server to abort and dump core. The check is useful for tracking situations where a remote RADIUS server responds with incorrect values, and for investigating whether an AATV is corrupting the current request. The syntax of the packet_log variable is:

packet_log=default
packet_log=clear (or none)
packet_log=+abort
packet_log=+both (or +comp)
packet_log=+current (or +cur)
packet_log=+original (or +orig)
packet_log=-abort
packet_log=-both (or -comp)
packet_log=-current (or -cur)
packet_log=-original (or -orig)

The value default means to report only from the original request. The value +abort means to abort and dump core if there is a mismatch; since a core dump can contain request contents such as user names, treat this as a diagnostic option rather than a production setting.

The radius_log_fmt Variable

This variable overrides the logfile format string used.

The reply_check Variable

This variable specifies which attributes in the reply to a forwarded request are checked against the forwarded request to ensure they are the same. Besides choosing the attributes, you can choose the action taken when a mismatch occurs:

  • Ignore the reply

  • Ignore the mismatch

  • Abort and core dump

Useful attributes to check are NAS-Identifier, Acct-Session-Id, Class, and User-Name. For example:

reply_check=first
reply_check=all
reply_check=+abort
reply_check=+dump
reply_check=+ignore
reply_check=+verbose
reply_check=clear
reply_check=none
reply_check=Attribute

The value first (the default) means to stop at the first mismatch. The value all means to check all of the selected attributes. The value +abort means to abort and dump core if a check fails. The value +dump means to dump the offending packet in hexadecimal. A specific attribute to check is named with the syntax reply_check=Attribute.

NOTE: This feature may not work well where the HP-UX AAA Server communicates with non-HP servers, which may legitimately return values that differ from the forwarded request.
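As an added example (not HP-UX AAA Server code), the following implements the kind of comparison reply_check describes, and that packet_log performs between the current and original request: selected attributes from a proxied reply are checked against the forwarded request, stopping at the first mismatch or collecting all of them, with an action applied on mismatch. The action names drop (ignore the reply), ignore (ignore the mismatch) and abort, the decision to compare only attributes present in both packets, and the two packets themselves are assumptions for this example; attribute numbers are the standard RFC 2865/2866 ones.

```python
"""Reply consistency check for proxied RADIUS requests (reply_check semantics).

Added example; not HP-UX AAA Server code. Compares a chosen set of
attributes in a reply against the request that was forwarded; stops at the
first mismatch ('first') or collects all of them ('all'); then applies an
action: 'drop' ignores the reply, 'ignore' ignores the mismatch and accepts
the reply, 'abort' raises. Action names, the choice to compare only
attributes present in both packets, and the packets are assumptions made
for this example. Attribute numbers are from RFC 2865 / RFC 2866.
"""
import struct

ATTR = {"User-Name": 1, "Class": 25, "NAS-Identifier": 32, "Acct-Session-Id": 44}
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2


class ReplyMismatch(Exception):
    """Raised for action='abort' (where the server would abort and dump core)."""


def build_packet(code, identifier, authenticator, attrs):
    """Encode a RADIUS packet from (attribute name, value) pairs."""
    body = b"".join(struct.pack("!BB", ATTR[n], 2 + len(v)) + v for n, v in attrs)
    return struct.pack("!BBH", code, identifier, 20 + len(body)) + authenticator + body


def parse_attrs(packet):
    """Return {type: [values]}; a malformed attribute length stops parsing instead of over-reading."""
    attrs, pos = {}, 20
    length = min(struct.unpack("!H", packet[2:4])[0], len(packet))
    while pos + 2 <= length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            break
        attrs.setdefault(attr_type, []).append(packet[pos + 2:pos + attr_len])
        pos += attr_len
    return attrs


def reply_check(request, reply, attributes, mode="first", action="drop", dump=False):
    """Return (accept_reply, mismatches, hex_dump_or_None); mismatches are (name, expected, got)."""
    req, rep = parse_attrs(request), parse_attrs(reply)
    mismatches = []
    for name in attributes:
        t = ATTR[name]
        if t in req and t in rep and req[t] != rep[t]:
            mismatches.append((name, req[t], rep[t]))
            if mode == "first":
                break
    if not mismatches:
        return True, [], None
    hexdump = reply.hex() if dump else None
    if action == "abort":
        raise ReplyMismatch(mismatches)
    return action == "ignore", mismatches, hexdump


def demo(mode="first", action="drop", dump=False):
    """Constructed proxy exchange: the remote server echoes a different NAS-Identifier and session id."""
    auth = bytes(16)
    request = build_packet(ACCESS_REQUEST, 5, auth, [
        ("User-Name", b"alice"), ("NAS-Identifier", b"nas-01"), ("Acct-Session-Id", b"0001")])
    reply = build_packet(ACCESS_ACCEPT, 5, auth, [
        ("User-Name", b"alice"), ("NAS-Identifier", b"nas-99"), ("Acct-Session-Id", b"0002")])
    return reply_check(request, reply, ["User-Name", "NAS-Identifier", "Acct-Session-Id"],
                       mode, action, dump)


def demo_abort():
    """True if the abort action raises on the mismatching exchange."""
    try:
        demo("all", "abort")
    except ReplyMismatch:
        return True
    return False


if __name__ == "__main__":
    print(demo("first", "drop"))
    print(demo("all", "ignore", dump=True))
```

Comparing only attributes present in both packets is the conservative reading of the text; a stricter variant that also flags attributes missing from the reply would turn ordinary replies from standards-conforming servers into mismatches, which is the situation the NOTE above warns about.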