HP-UX AAA Server A.07.01 Release Notes: HP-UX 11i v1, HP-UX 11i v2, and HP-UX 11i v3 > Chapter 1 HP-UX AAA Server A.07.01 Release Notes

What is New in This Version


HP-UX AAA Server version A.07.01 includes the following new and enhanced features:

OATH Standards-Based OTP Authentication

HP-UX AAA Server A.07.01 now supports OATH standards-based OTP authentication, which can be used for two-factor authentication.

OATH is an industry-wide collaboration to develop an open reference architecture for strong authentication. The OATH consortium has developed a set of open, royalty-free algorithms for one-time password authentication. The OATH standards-based OTP authentication solution uses the HMAC sequence-based One-Time Password (HOTP) algorithm to generate an OTP from a secret key and a sequence counter.

The HP-UX AAA Server uses the OATH standard HOTP algorithm to generate and validate OTPs, which enables it to interoperate with other OATH-compliant, HOTP-based OTP generators.

Normally, the authentication process used by the HP-UX AAA Server is confined to validating the user password against the password stored in the database. However, with OTP support, the HP-UX AAA Server can now perform the following additional functions:

  • Validate the OTP

  • Proxy the OTP to another RADIUS server for OTP validation

  • Generate an OTP that can be delivered to target users through secondary channels such as e-mail, SMS, FTP, and so on

The OATH-based OTP authentication feature provides the HP-UX AAA Server with the following benefits:

  • Secures applications by providing an additional factor (OTP)

  • Provides a low-cost solution for implementing OATH standards-based OTP authentication

  • Offers flexibility to configure OATH standards-based OTP authentication for various deployment scenarios

  • Provides compatibility with different types of OATH-compliant OTP generators

The OATH standards-based OTP authentication feature uses the default FSM and the SQL Access AATV with its components (the database schema, the sqlaccess.conf files, and the client connector libraries for supported database clients) to retrieve and update the token information in the SQL database and complete the OTP authentication. The feature includes a set of reference implementation files that provide a quick and easy way to set up a working environment with fully functional reference implementations for basic password and OATH standards-based OTP (two-factor) authentication. Reference implementations can be used in their current state, or they can be customized to meet your deployment requirements.

The README files in the following directories describe how to implement basic two-factor authentication based on your implementation requirements:

  • /opt/aaa/examples/sqlaccess/oracle-1/: To implement basic two-factor authentication using the Oracle database server and OCI client, when the token information is stored in the Oracle database.

  • /opt/aaa/examples/sqlaccess/mysql-1/: To implement basic two-factor authentication using the MySQL database server and MySQL Unix ODBC client, when the token information is stored in the MySQL database.

NOTE: The HP-UX AAA Server supports only the token information that is stored in the SQL database.

After using the sample reference implementation and before deploying your implementation in a production environment, you must change the default passwords for the database user and the test user, and the shared secret of the test user.

For more information, see the “OATH Standards-Based OTP Authentication” chapter in the HP-UX AAA Server A.07.01 Administrator’s Guide.

Web-Based User Database Administration Manager

The User Database Administration Manager is a web-based interface for managing the user information stored in the SQL database. This interface is implemented using HTML, PHP5, and JavaScript, and can be customized to meet your deployment requirements. Using this interface, an administrator can add users, modify user credentials, and delete user information. The interface also enables the administrator to manage the profiles of users who use OATH standards-based OTP tokens.

For information on how to configure the User Database Administration Manager based on requirements, see the README file available at:

/opt/aaa/examples/sqlaccess/userdb/

For more information on the User Database Administration Manager, see the “SQL Access” chapter in the HP-UX AAA Server A.07.01 Administrator’s Guide.

HP-UX AAA Server SDK

HP-UX AAA Server A.07.01 supports the SDK to customize the way the HP-UX AAA Server processes RADIUS requests. This kit is useful in creating plug-ins to extend or even replace server processes, such as how an authentication or accounting request is handled. Using this SDK, plug-ins can also be created to handle tasks such as customized logging of accounting requests, and pre- and post-authentication tasks.

For more information on the HP-UX AAA Server SDK, see the HP-UX AAA Server A.07.01 Administrator’s Guide.

Advanced Policy Engine

Advanced Policy Engine is an updated policy engine that provides extended syntax for complex policy actions to manipulate RADIUS requests and replies based on attribute content. Policy modules are invoked using the FSM. These modules can be executed at any time during the processing of the RADIUS packet. The FSM files and the HP-UX AAA Server are updated with the following predefined policy definition files, which can be used to define policies without modifying the FSM:

  • Request Ingress Policy

  • Reply Egress Policy

  • Proxy Egress Policy

  • Proxy Ingress Policy

The Advanced Policy Engine is compatible with the legacy Group policy syntax. It enables quick and easy configuration of a variety of dynamic access control policies, including combinations of time, date, password expiry, and other user-defined attributes.

For more information on the Advanced Policy Engine, see the HP-UX AAA Server A.07.01 Administrator’s Guide.

© Hewlett-Packard Development Company, L.P.