HP-UX AAA Server A.06.00 Administration and Authentication Guide: HP-UX 11.0, 11i v1 > Chapter 15 Configuration Files

clients


The server configuration must include all the clients (NASs, RADIUS proxy servers, and other network devices) that can communicate with the AAA server. If a client is not included in the configuration, the server discards its messages.

The /etc/opt/aaa/clients file contains the identifying information for these clients.

IMPORTANT: Configuration files have a maximum input line length of 255 characters. No checking is done to ensure that a configuration statement has not exceeded this limit.

Syntax of a Client Entry

Name Shared-Secret Type=vendor:{NAS|PROXY}options Version Prefix

Name

Network location of the client or server as follows:

  • An IP address (in dotted-quad notation), or a valid Domain Name System (DNS) host name. When specifying Name as a DNS host name, you should use the name returned by the hostname command.

  • It may optionally be followed by a colon and a UDP/TCP port number. For example: flatland.com:1812. This port number value overrides the radiusd command line options. The accounting UDP port number is assumed one greater than the authentication UDP port number.

Shared-Secret

Encryption key, or shared secret, between the client in this entry and this server. The Shared-Secret (key) field must be less than 255 characters. A request from a client for which the server does not have a shared secret will be silently discarded.

Type

Network hardware that the client entry defines, specified as a network access device or proxy server in the format vendor:{NAS|PROXY}options. Type may also indicate the hardware vendor and/or additional message-handling options. At a minimum {NAS|PROXY} must be specified to indicate whether the server will receive Access-Requests from the client or forward them to the client as proxy requests. A vendor name, followed by a colon, may precede the NAS or PROXY keyword. The server will prune vendor-specific attributes for a given vendor if that vendor's name is not properly defined in the vendors file, and its attributes are not properly defined in the dictionary file. When no vendor is specified, the default, Merit, will be used.

NOTE: There is a special vendor, NONE, that may be used to prune all vendor-specific attributes before a message is returned to a NAS. This may be used to help prevent problems that might occur if a non-encapsulated vendor attribute is not correctly mapped in the vendors file.

Options

One or more message-handling options, each prefixed with a plus character, may be appended to the NAS or PROXY keyword. The following options are valid:

Table 15-2 Valid Client Entry Options

Option      Meaning
ACCT_RFC    Verifies that the Accounting-Request conforms to the Accounting RFC. Nonconforming messages are dropped.
APPEND      When receiving a response from a remote server, append all the forwarded A-V pairs to new A-V pairs included in the response. This flag is useful when a proxy server does not return all of the A-V pairs that it received.
CHECK_ALL   Checks all attributes to determine if the request is a duplicate (for messages from a proxy server). This may be necessary if the remote server sends nonstandard messages that cannot easily be detected as duplicates.
DEBUG       Dump packets into the server's debug output file.
DUMMY       This is a dummy entry.
NO_CHECK    Does not check all attributes to determine if the request is a duplicate (for messages from a NAS). This can be set to increase server performance if you know that the client sends standard messages that can easily be detected as duplicates.
NOENCAPS    Do not encapsulate vendor response (if the client requires non-encapsulated A-V pairs).
OLDCHAP     For clients that perform pre-RFC CHAP.
PRUNE       Flag that forces pruning, as if the NAS flag were set.
RAD_RFC     Verifies that the Access-Request conforms to the RADIUS RFC. Nonconforming messages are dropped.

NOTE: When Type includes a NAS or PRUNE flag, any attributes configured for pruning in the dictionary will not be returned to the client.

Version

When specified must be V1.

Prefix

Specifies a text string prefix that may be used to select a users file and/or authfile file that is different from the standard users file or authfile file, to be used for requests from the associated client. This feature allows different RADIUS clients to share the same server but use different authentication databases on this server. The prefix is prepended to the configuration file name. (For example, for a client with the prefix aaa., the server would attempt to authenticate users in files named aaa.users and aaa.authfile.)

Local Host Entry

You should have a local host entry that specifies the DNS name of the local server, the shared secret used by the local server when talking to itself, and Type as Merit:Proxy.

DNS Names

Make sure that your DNS is configured correctly (with both forward and reverse entries) for your AAA Server machine(s). The AAA Server program determines the name of the machine that it is running on. If this name does not match your local DNS server's database, you will not be able to correctly configure the clients file and will experience problems with some server operations.

Examples

flatland.org     f52tl     type=Ascend:NAS
216.27.61.137 secret type=Ascend+USR:NAS+RAD_RFC+ACCT_RFC v1 aaa.
flatlink.com f25lt type=Merit:Proxy
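As an added illustration (not part of the HP documentation or the AAA server itself), the following Python script parses entries in the format described above and flags the problems the server does not report on its own: lines over 255 characters, over-long shared secrets, unknown message-handling options and duplicate client entries. The function names and the returned field names are the script's own; the sample input is the three example entries above.

```python
import re
from typing import Any, Dict, List

MAX_LINE = 255      # documented input line limit; the server does not enforce it
MAX_SECRET = 255    # the Shared-Secret field must be shorter than this
VALID_OPTIONS = {"ACCT_RFC", "APPEND", "CHECK_ALL", "DEBUG", "DUMMY",
                 "NO_CHECK", "NOENCAPS", "OLDCHAP", "PRUNE", "RAD_RFC"}
# Type=vendor:{NAS|PROXY}+OPTION+OPTION ...; vendor and the options are optional
TYPE_RE = re.compile(r"type=(?:(?P<vendor>[^:]+):)?(?P<role>NAS|PROXY)(?P<opts>(?:\+\w+)*)", re.I)
SAMPLE = """flatland.org     f52tl     type=Ascend:NAS
216.27.61.137 secret type=Ascend+USR:NAS+RAD_RFC+ACCT_RFC v1 aaa.
flatlink.com f25lt type=Merit:Proxy
"""  # the three example entries shown on this page

def parse_client_line(line: str) -> Dict[str, Any]:
    """Split one entry into its fields and collect sanity warnings about it."""
    warnings = []
    if len(line) > MAX_LINE:
        warnings.append(f"line longer than {MAX_LINE} chars (server will not warn)")
    fields = line.split()
    if len(fields) < 3:
        raise ValueError("entry needs Name, Shared-Secret and Type")
    name, secret, typ, rest = fields[0], fields[1], fields[2], fields[3:]
    host, _, port_s = name.partition(":")            # optional :port after the host
    if len(secret) >= MAX_SECRET:
        warnings.append(f"shared secret must be shorter than {MAX_SECRET} chars")
    m = TYPE_RE.fullmatch(typ)
    if not m:
        raise ValueError(f"malformed Type field: {typ}")
    options = [o.upper() for o in m.group("opts").split("+") if o]
    warnings += [f"unknown option +{o}" for o in options if o not in VALID_OPTIONS]
    version = "V1" if rest and rest[0].upper() == "V1" else None   # Version, if given, is V1
    extra = rest[1:] if version else rest                          # then the optional Prefix
    warnings += [f"unexpected trailing field {t}" for t in extra[1:]]
    return {"host": host, "port": int(port_s) if port_s else None, "secret": secret,
            "vendor": m.group("vendor") or "Merit",  # Merit is the documented default
            "role": m.group("role").upper(), "options": options, "version": version,
            "prefix": extra[0] if extra else None, "warnings": warnings}

def lint_clients(text: str = SAMPLE) -> List[Dict[str, Any]]:
    # parse every non-blank line and flag duplicate host:port entries
    entries, seen = [], set()
    for line in filter(str.strip, text.splitlines()):
        entry = parse_client_line(line)
        key = (entry["host"], entry["port"])
        if key in seen:
            entry["warnings"].append(f"duplicate entry for {entry['host']}")
        seen.add(key)
        entries.append(entry)
    return entries
```

Run lint_clients() on the contents of /etc/opt/aaa/clients and review the warnings list of each returned entry before restarting the server.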
© 2003 Hewlett-Packard Development Company, L.P.