The RADIUS protocol follows a client-server architecture. The
client sends user information to the HP-UX AAA server in Access-Request
or Accounting-Request messages. The HP-UX AAA server either processes
the request locally or, if acting as a proxy server, forwards (proxies)
the request to a secondary RADIUS server.
When processing a RADIUS request locally, the HP-UX AAA server
can use additional external services (LDAP, external database
access, DHCP, two-factor authentication providers, etc.) to service
the request.
The processing of RADIUS requests is usually configured on
a per-realm basis. A realm is a group of users sharing a common
component of the Network Access Identifier (NAI) attribute in the
RADIUS request (e.g., "example.org" is the realm component of "username@example.org").
In Figure 1-1, an example Internet Service Provider (ISP)
uses four HP-UX AAA servers to handle user requests. User organizations
are grouped into realms. Each user connects to one of the ISP's
servers through a local Network Access Server (NAS). The NAS
sends a RADIUS Access-Request containing the user's credentials to
one of the HP-UX AAA servers. In turn, the HP-UX AAA server
retrieves user and policy information from the repository specified
for the user's realm. The repository can be flat text files associated
with the HP-UX AAA server, an external database or LDAP server,
or an HP-UX Unix user repository.
When authenticating users stored in replicated LDAP directory
servers or databases, the server can be configured to perform load
balancing and failover to achieve greater scalability and availability.
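The per-realm handling described above (realm extracted from the NAI, local repository versus proxy, and load balancing with failover across replicated backends) as an added illustration; this is example code, not HP-UX AAA Server code. The realm table, the backend URIs, the "NULL" default realm, the probe callback and the fallback of unknown realms to the default realm are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Added example, not HP-UX AAA Server code: realm extraction from the NAI in
# User-Name, per-realm dispatch (local repository vs. proxy) and round-robin
# load balancing with failover across a realm's replicated backends.
DEFAULT_REALM = "NULL"  # assumed name for the realm used when no '@realm' is present


def realm_of(nai: str) -> str:
    """Return the realm component of an NAI such as 'username@example.org'."""
    user, sep, realm = nai.rpartition("@")
    if not sep or not user or not realm:
        return DEFAULT_REALM
    return realm.lower()  # realms compared case-insensitively (assumption)


@dataclass
class RealmConfig:
    action: str          # "local": answer from a repository; "proxy": forward to a peer
    backends: List[str]  # replicated repositories, or RADIUS peers for proxying


# Constructed realm table mirroring the per-realm setup described in the text.
REALMS: Dict[str, RealmConfig] = {
    "example.org": RealmConfig("local", ["ldap://ldap1.example.org",
                                         "ldap://ldap2.example.org"]),
    "partner.example": RealmConfig("proxy", ["radius.partner.example"]),
    DEFAULT_REALM: RealmConfig("local", ["file:/PATH/TO/users"]),  # placeholder path
}


class RealmDispatcher:
    def __init__(self, table: Dict[str, RealmConfig] = REALMS) -> None:
        self.table = table
        self.next_idx: Dict[str, int] = {}  # per-realm round-robin cursor

    def dispatch(self, nai: str, probe: Callable[[str], bool]) -> Optional[str]:
        """Choose '<action>:<backend>' for the request, or None if all are down.
        `probe(backend)` reports whether that backend currently answers."""
        realm = realm_of(nai)
        cfg = self.table.get(realm) or self.table[DEFAULT_REALM]  # unknown realm -> default
        n = len(cfg.backends)
        start = self.next_idx.get(realm, 0)
        self.next_idx[realm] = (start + 1) % n  # rotate the start point for load balancing
        for i in range(n):                      # walk the replicas in order for failover
            backend = cfg.backends[(start + i) % n]
            if probe(backend):
                return f"{cfg.action}:{backend}"
        return None  # every backend unreachable: the request cannot be serviced
```

A real server would replace `probe` with its own health tracking and issue the LDAP, database or proxied RADIUS call against the chosen backend.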