Generally, a realm is a group of users who share a common characteristic, such as being customers of the same Internet Service Provider (ISP). If you want to authenticate all users that belong to a realm by the same authentication type, you must identify the realm in the server configuration by matching it to the location of the authentication system and the system's protocol. While you can specify authentication types for individual users, the HP-UX AAA configuration includes a default user entry that specifies the authentication type as Realm. This authentication type directs the server to use the realm information to determine where the user information is stored and how a request should be processed.

The authfile is the list of the realms that are recognized by the AAA server. Unless the default installation of the configuration files was changed, the authfile can be found in the /etc/opt/aaa directory.

IMPORTANT: Configuration files have a maximum input line length of 255 characters. No checking is done to ensure that a configuration statement does not exceed this limit, so keep each entry within it yourself.

NOTE: The order of the entries is important; the first entry that matches the request is used to authenticate the user, and the server ignores the remaining entries. List the most specific entries first and the DEFAULT entry last.
Syntax of a Realm Entry

Name (Alias,...) -Protocol {BIN|CIS} Authentication-Type DNS-or-Filename Filter-ID

Name
    Should be replaced with the realm name to be mapped. This name does not have to be a DNS host name, although it is highly recommended that the realm name match a domain name so the user recognizes the user@realm syntax that resembles their email address.

(Alias,...)
    An optional parenthesized list of one or more aliases, delimited by commas, that also map to this realm name. The Name is the preferred authentication realm name.

{BIN|CIS}
    Indicates how the user name from the Access-Request should be accepted. The BIN keyword indicates that the user name should be accepted "as is." The CIS keyword indicates that the user name should be converted to all uppercase characters. These keywords are optional.

-Protocol
    The authentication protocol to which the entry is applicable. By default, an entry applies to all authentication protocols; this option restricts the entry to the specified protocol. Valid keywords are:
    -DFLT    default; matches all protocol types.

Authentication-Type
    Identifies, by a case-sensitive keyword, the type of authentication to be performed for this realm name (Table 15-3).

Table 15-3 Realm Entry Authentication-Type Keyword Meanings

| Keyword | Meaning |
|---|---|
| Allow | Always allow requests. |
| Blackhole | Drop every request for the realm into a black hole. No request is accepted or rejected. |
| Deny | Reject all requests. |
| EAP | Uses the Extensible Authentication Protocol to perform authentication, using profiles stored in a flat file. Requires an extended authfile entry and cannot be specified by the Authentication-Type attribute in a user or realm file. |
| File | Flat file lookup with encrypted or clear-text passwords in users file format. |
| Oracle | Authentication using an Oracle database. Requires an extended authfile entry and cannot be used in a users or realm file. |
| Passwd | Checks the local Unix /etc/passwd file. |
| PROLDAP | Authenticates using an LDAP-accessible directory service by binding to the server on behalf of the user being authenticated. Requires an extended authfile entry and cannot be specified by the Authentication-Type attribute in a user or realm file. |
| RADIUS | Forwards the proxy request to the specified RADIUS server. |
| SecurID | RSA SecurID® identification and authentication. |
| Slow | Slows down an authentication AATV configured for a realm. |
| Unix-PW | Same as Passwd. |
NOTE: DNS-or-Filename is dependent upon the authentication type:

- For the File authentication type, the parameter specifies the name of the realm file to use (without the .users extension). Refer to “authfile” and “Realm Files” for a description of realm files.
- For the Allow and Deny authentication types, the parameter must be filled with a dummy string to allow correct parsing of the entry.
- For the Blackhole and Slow authentication types, the parameter must likewise be filled with a dummy string to allow correct parsing of the entry.
- For EAP, it specifies the name of the realm file to use (without the .users extension). Refer to “authfile” and “Realm Files” for a description of realm files. An authfile entry for the EAP authentication type requires an extended authfile entry.
- For Oracle or ProLDAP, it specifies the DNS name and port of one or more instances of the appropriate database or directory. An authfile entry for the Oracle or ProLDAP authentication types requires an extended authfile entry.
- For Passwd or Unix-PW authentication, DNS-or-Filename is not required. The server automatically checks the local /etc/passwd file for a matching Unix user.
- For RADIUS, it specifies the DNS name of the machine running the remote server that should receive the forwarded Access-Request. The attribute-value pairs returned by the remote RADIUS server are propagated back to the NAS.

NOTE: If DNS-or-Filename specifies the DNS name of the local server for RADIUS authentication, the request is handled as a local Passwd request.
Filter-ID
    Allows the optional specification of a packet filter name to be associated with authentication through this realm name. It overrides any explicit filter name specified in the users file.
Special Entries

A few special entries might be used.

When specifying the primary realm for an entry, you can use a wild card syntax, *.realm. This syntax provides shorthand for associating several related realms with a single authentication type. For example, a company may have several branches, eastern.company.com, western.company.com, and central.company.com. The wild card entry for that company would define *.company.com as the realm and would match all three of these realms. It is highly recommended that any such wild card entry be listed after entries that are more specific: because the first matching entry wins, a specific entry placed after the wild card is never reached. Listing the specific entries first allows them to override the wild card entry.

A DEFAULT entry may be included in this file to indicate how to handle authentication requests for realm names not explicitly specified. Usually it identifies a remote RADIUS server to which the request is relayed. The following example tells this RADIUS server to pass requests with authentication realm names that did not appear in this file along to another RADIUS server:

DEFAULT RADIUS main-radius.server.net

A NULL entry may also be included in this file to indicate how to handle authentication requests that do not identify a realm name but are being handled with the Realm authentication type. The following example tells the server to forward requests that do not have a realm name to the notthere.proxy.com remote server:

NULL RADIUS notthere.proxy.com

Example authfile entries:

flatland.org File anotherrealm
flatland flatland.org RADIUS nothere.proxy.com
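The matching rules described in this section (first match wins, *.realm wild cards, DEFAULT, NULL, the optional BIN/CIS keyword) and the entry layout given under "Syntax of a Realm Entry" can be checked before an authfile is installed, which matters because the server does not warn about an entry it will never consult. The following Python is an added example and is not the HP-UX AAA server's own parser. It assumes, since the page does not say, that fields are whitespace separated, that the alias list is written as one parenthesized token, that a token beginning with '-' ahead of the Authentication-Type is the protocol keyword, that '#' starts a comment, and that realm names compare case-insensitively. The sample authfile inside it is constructed for the example.

```python
"""Model of HP-UX AAA authfile realm matching (added example, not the
server's own parser).  Assumptions not stated in the documentation:
fields are whitespace separated, the alias list is one parenthesized
token, a token starting with '-' before the Authentication-Type is the
protocol keyword, '#' starts a comment, realms compare case-insensitively."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

MAX_LINE = 255   # documented limit; the server does no checking of its own
AUTH_TYPES = {"Allow", "Blackhole", "Deny", "EAP", "File", "Oracle", "Passwd",
              "PROLDAP", "RADIUS", "SecurID", "Slow", "Unix-PW"}
NO_TARGET = {"Passwd", "Unix-PW"}        # DNS-or-Filename not required

# Constructed sample authfile (not from the page); western.company.com is
# deliberately placed after the wild card that already covers it.
SAMPLE_AUTHFILE = """\
# realm               options   auth-type  DNS-or-Filename
eastern.company.com             File       eastern
*.company.com                   RADIUS     radius.company.com
western.company.com             File       western
flatland.org (flatland) CIS     File       anotherrealm
NULL                            RADIUS     notthere.proxy.com
DEFAULT                         RADIUS     main-radius.server.net
"""


@dataclass
class Entry:
    line_no: int
    name: str
    aliases: List[str]
    protocol: Optional[str]    # e.g. "-DFLT"; None means every protocol
    case_rule: Optional[str]   # "BIN" (as is) or "CIS" (upper-case the user)
    auth_type: str
    target: Optional[str]      # DNS-or-Filename (a dummy for Allow/Deny/...)
    filter_id: Optional[str]

    def covers(self, realm: str) -> bool:
        """True if Name, an alias, or a *.realm wild card covers realm."""
        if self.name == "DEFAULT":
            return True
        if self.name.startswith("*."):
            return realm.lower().endswith(self.name[1:].lower())
        return realm.lower() in [n.lower() for n in [self.name] + self.aliases]


def parse_authfile(text: str) -> Tuple[List[Entry], List[str]]:
    """Parse authfile text into entries plus lint messages about problems
    the server itself would silently accept."""
    entries, problems = [], []
    for line_no, raw in enumerate(text.splitlines(), 1):
        if len(raw) > MAX_LINE:
            problems.append(f"line {line_no}: longer than {MAX_LINE} characters")
        tok = raw.split("#", 1)[0].split()
        if not tok:
            continue
        name, i, aliases = tok[0], 1, []
        if i < len(tok) and tok[i].startswith("("):
            aliases = [a for a in tok[i].strip("()").split(",") if a]
            i += 1
        protocol = case_rule = None
        while i < len(tok) and (tok[i].startswith("-") or tok[i] in ("BIN", "CIS")):
            if tok[i].startswith("-"):
                protocol = tok[i]
            else:
                case_rule = tok[i]
            i += 1
        if i == len(tok) or tok[i] not in AUTH_TYPES:   # keyword is case-sensitive
            problems.append(f"line {line_no}: missing or unknown Authentication-Type")
            continue
        auth_type = tok[i]
        target = tok[i + 1] if i + 1 < len(tok) else None
        filter_id = tok[i + 2] if i + 2 < len(tok) else None
        if target is None and auth_type not in NO_TARGET:
            problems.append(f"line {line_no}: {auth_type} needs DNS-or-Filename "
                            "(a dummy string for Allow, Deny, Blackhole and Slow)")
        entries.append(Entry(line_no, name, aliases, protocol, case_rule,
                             auth_type, target, filter_id))
    # First match wins, so an entry behind DEFAULT or behind a wild card
    # that already covers it can never be reached.
    for k, e in enumerate(entries):
        if e.name in ("DEFAULT", "NULL"):
            continue
        for earlier in entries[:k]:
            if earlier.name == "DEFAULT" or (earlier.name.startswith("*.")
                                             and earlier.covers(e.name)):
                problems.append(f"line {e.line_no}: {e.name} is unreachable, "
                                f"shadowed by {earlier.name} on line {earlier.line_no}")
                break
    return entries, problems


def resolve(entries: List[Entry], user: str,
            protocol: str = "-DFLT") -> Optional[Tuple[Entry, str]]:
    """Return the first entry matching user[@realm] and the user name the
    server would look up (upper-cased when the entry says CIS)."""
    name, _, realm = user.partition("@")
    for e in entries:
        if e.protocol not in (None, "-DFLT") and e.protocol != protocol:
            continue
        if (realm == "") != (e.name == "NULL"):   # NULL only serves realm-less requests
            continue
        if realm == "" or e.covers(realm):
            return e, (name.upper() if e.case_rule == "CIS" else name)
    return None
```

Running parse_authfile over the sample reports western.company.com as unreachable behind *.company.com, while resolve sends alice@eastern.company.com to the eastern realm file, bob@central.company.com to the wild card's RADIUS proxy, a bare user name to the NULL entry, and an unknown realm to DEFAULT. The same lint flags a missing dummy DNS-or-Filename on an Allow or Deny entry and any line over the 255-character limit, the two mistakes the server itself does not report.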