Oracle Advanced Security Administrator's Guide
Release 8.1.5

A67766-01


3  Configuring RADIUS Authentication

This chapter tells you how to configure Oracle8i for use with RADIUS (Remote Authentication Dial-In User Service).

This chapter covers the following topics: RADIUS Overview, RADIUS Authentication Modes, Enabling RADIUS Authentication and Accounting, and Logging in to the Database.

RADIUS Overview

RADIUS (Remote Authentication Dial-In User Service) is a client-server security protocol most widely known for enabling remote authentication and access. The Oracle Advanced Security option uses this emerging standard in a client-server network environment.

You can enable your network to use any authentication method that supports the RADIUS standard--including token cards and smartcards--simply by installing and configuring the RADIUS adapter. Moreover, when you use RADIUS, you can change your authentication method without modifying either the Oracle client or the Oracle server.

From the user's perspective, the entire authentication process takes place seamlessly and transparently. When the user seeks access to an Oracle server, the Oracle server, acting as the RADIUS client, notifies the RADIUS server. The RADIUS server then:

RADIUS in an Oracle Environment

Figure 3-1 RADIUS in an Oracle Environment


In an Oracle environment (Figure 3-1), the Oracle server acts as the RADIUS client; it passes information between the Oracle client and the RADIUS server. Similarly, the RADIUS server passes information between the Oracle server and the appropriate authentication server(s). To secure authentication information during transport, RADIUS converts it to a hash value.

The four components--Oracle client, Oracle server/RADIUS client, RADIUS server, and authentication server--can reside on the same machine or on separate machines. When the Oracle client and Oracle server reside on the same machine, they share the same sqlnet.ora file.

More Information:

For information about the sqlnet.ora file, see the Net8 Administrator's Guide.

The following table lists each component and the information it stores.

Component                      Stored Information
Oracle client                  configuration setting for communicating through RADIUS
Oracle server/RADIUS client    configuration settings for passing information between the
                               Oracle client and the RADIUS server; the secret key file
RADIUS server                  authentication and authorization information for all users;
                               each client's name or IP address; each client's shared secret;
                               an unlimited number of menu files enabling users already
                               authenticated to select different login options without
                               reconnecting
Authentication server(s)       user authentication information such as passcodes and PINs,
                               depending on the authentication method in use

RADIUS Authentication Modes

User authentication can take place in either of two ways: synchronous mode, or challenge-response (asynchronous) mode. Both are described below.

Synchronous Authentication Mode

In the synchronous mode, RADIUS allows you to use various authentication methods, including passwords, SecurID token cards, and smartcards.

Figure 3-2 shows the sequence in which synchronous authentication occurs.

Figure 3-2 Synchronous Authentication Sequence


Example: Synchronous Authentication with SecurID Token Cards

With SecurID authentication, each user has a token card which displays a dynamic number that changes every sixty seconds. To gain access to the Oracle server/RADIUS client, the user enters a valid passcode which includes both a personal identification number (PIN) and the dynamic number currently displayed on his or her SecurID card. The Oracle server/RADIUS client passes this authentication information from the Oracle client to the RADIUS server, and the RADIUS server, in turn, passes it to the authentication server for validation. Once the authentication server (Security Dynamics ACE/Server) validates the user, it sends an "accept" packet to the RADIUS server. The RADIUS server passes this to the Oracle server/RADIUS client, which, in turn, passes it to the Oracle client. The user is now authorized and able to access the appropriate tables and applications.

More Information:

For more information on SecurID token cards, see "Authentication Methods Supported" and Chapter 6, "Configuring SecurID Authentication". See also documentation provided by your SecurID vendor.  

Challenge-Response (Asynchronous) Authentication Mode

Figure 3-3 shows the sequence in which challenge-response, or asynchronous, authentication occurs.


Note:

When your system uses the asynchronous mode, the user does not need to enter a user name and password at the SQL*Plus CONNECT string. Instead, a graphical user interface asks the user for this information later in the process.  


Figure 3-3 Asynchronous Authentication Sequence


Example: Asynchronous Authentication with Smartcards

With smartcard authentication, the user logs in by inserting the smartcard--a plastic card (like a credit card) with an embedded integrated circuit for storing information--into a hardware device which reads the card. The Oracle client sends this login information contained in the smartcard to the authentication server by way of the Oracle server/RADIUS client and the RADIUS server. The authentication server sends back a challenge to the Oracle client--by way of the RADIUS server and the Oracle server/RADIUS client--prompting the user for authentication information. That information could be, for example, a PIN as well as additional authentication information contained on the smartcard.

The Oracle client then sends the user's response to the authentication server by way of the Oracle server/RADIUS client and the RADIUS server. If the user has entered a valid number, the authentication server sends an "accept" packet back to the Oracle client by way of the RADIUS server and the Oracle server/RADIUS client. The user is now authenticated and authorized to access the appropriate tables and applications. If the user has entered incorrect information, the authentication server sends back a message rejecting the user's access.

Example: Asynchronous Authentication with ActivCard Tokens

One particular ActivCard token is a hand-held device with a keypad that displays a dynamic password. When the user seeks access to an Oracle server by entering his or her password, the information is passed to the appropriate authentication server by way of the Oracle server/RADIUS client and the RADIUS server. The authentication server sends back a challenge to the client--by way of the RADIUS server and the Oracle server/RADIUS client. The user enters that challenge into the token, and the token then displays a number for the user to send in response.

The Oracle client then sends the user's response to the authentication server by way of the Oracle server/RADIUS client and the RADIUS server. If the user has entered a valid number, the authentication server sends an "accept" packet back to the Oracle client by way of the RADIUS server and the Oracle server/RADIUS client. The user is now authenticated and authorized to access the appropriate tables and applications. If the user has entered an incorrect response, the authentication server sends back a message rejecting the user's access.

Enabling RADIUS Authentication and Accounting

To enable RADIUS authentication and accounting, you perform the following general tasks, each of which is explained in the next several pages:

Step 1: Install RADIUS on the Oracle server and the Oracle client

Step 2: Configure RADIUS authentication

Step 3: Add the RADIUS client name to the RADIUS server database

Step 4: Create and grant access to a user

Step 5: Configure RADIUS Accounting

Step 6: Configure the authentication server for use with RADIUS

Step 7: Configure the RADIUS server for use with the authentication server

Step 8: Create and grant roles

Step 9: Specify the RADIUS secret key on the Oracle server

Step 1: Install RADIUS on the Oracle server and the Oracle client

You install the RADIUS adapter along with the Oracle Advanced Security option during a typical installation of Oracle8i.

More Information:

For information on installing Oracle Advanced Security and the RADIUS adapter, see your platform-specific installation documentation for Oracle8i.  

Step 2: Configure RADIUS authentication

This section discusses the following topics: using Net8 Assistant, basic RADIUS configuration on the Oracle client, basic RADIUS configuration on the Oracle server, and configuration of additional RADIUS features.

Unless otherwise indicated, you perform these configuration tasks by using the Net8 Assistant or by using any text editor to modify the sqlnet.ora file.

Using Net8 Assistant

This graphical interface tool makes it easy to set parameters in the sqlnet.ora file and other Oracle8i configuration files.

To launch Net8 Assistant:
To begin configuring the Oracle Advanced Security option using Net8 Assistant:

In the Net8 Assistant's left pane, click the Profile folder. Then go to the drop down list box at the top of the right pane, and select Advanced Security Option. The tabbed pages for the Oracle Advanced Security option appear.

To save changes with Net8 Assistant:

Go to the menu bar and click File > Save Network Configuration.

Basic RADIUS Configuration on the Oracle Client

Set the SQLNET.AUTHENTICATION_SERVICES parameter.

Figure 3-4 Using Net8 Assistant to Set the Authentication Services Parameter

Use the Net8 Assistant (refer to Figure 3-4):

  1. Select the Authentication tab.

  2. In the Available Methods list, select RADIUS.

  3. Move RADIUS to the Selected Methods list by clicking the right arrow button [>]. Move any other methods you want to use in the same way.

  4. Arrange the selected methods in order of desired use. To do this, select a method in the Selected Methods list, then click [Promote] or [Demote] to position it in the list. For example, if you want RADIUS to be the first service used, put it at the top of the list.

... or modify SQLNET.ORA by setting the following parameter:

SQLNET.AUTHENTICATION_SERVICES=(RADIUS)

Basic RADIUS Configuration on the Oracle Server

Do the following tasks, each of which is described below.

Set the authentication services parameter

The SQLNET.AUTHENTICATION_SERVICES parameter sets the authentication method(s) you want to use.

Figure 3-5 Using Net8 Assistant to Set the Authentication Services Parameter

Use the Net8 Assistant (refer to Figure 3-5):

  1. Select the Authentication tab.

  2. In the Available Methods list, select RADIUS.

  3. Move RADIUS to the Selected Methods list by clicking the right arrow button [>].

  4. Arrange the selected methods in order of desired use. To do this, select a method in the Selected Methods list, then click [Promote] or [Demote] to position it in the list. For example, if you want RADIUS to be the first service used, put it at the top of the list.

... or modify SQLNET.ORA by setting the following parameter:

SQLNET.AUTHENTICATION_SERVICES=(RADIUS)

Set the primary RADIUS server host name parameter

The SQLNET.RADIUS_AUTHENTICATION parameter sets the location of the primary RADIUS server. The default is the local host.

Figure 3-6 Using Net8 Assistant to Set the Primary RADIUS Server Host Name Parameter

Use the Net8 Assistant (refer to Figure 3-6):

  1. Click the Other Params tab.

  2. In the Authentication Service list, select RADIUS.

  3. In the Host Name box, the default is localhost. Accept this default or type the host name of your primary RADIUS server.

... or modify SQLNET.ORA by setting the following parameter:

SQLNET.RADIUS_AUTHENTICATION=(HOST NAME OR IP ADDRESS OF RADIUS SERVER)

Set Oracle server initialization parameters

Configure the file init<sid>.ora, which you can find in the directory $ORACLE_BASE\ADMIN\DB_NAME\PFILE. Specify the following values in this file:

REMOTE_OS_AUTHENT=FALSE
OS_AUTHENT_PREFIX=""


Caution:

Setting REMOTE_OS_AUTHENT to TRUE may create a security hole because it allows someone using a non-secure protocol (for example, TCP) to perform an operating system-authorized login (formerly referred to as an OPS$ login).  


More Information:

For information on setting initialization parameters on the Oracle server, see Oracle8i Reference and Oracle8i Administrator's Guide.  

Add the classpath parameter in SQLNET.ORA

If you use the challenge-response authentication mode, RADIUS presents the user with a Java-based graphical interface requesting first a password, then additional information--for example, a dynamic password that the user obtains from a token card. Add the SQLNET.RADIUS_CLASSPATH parameter in the sqlnet.ora file to set the path for the Java classes for that graphical interface.

Use a text editor to add the following parameter to the file sqlnet.ora:

SQLNET.RADIUS_CLASSPATH=path/netradius.jar:path/ewt-opt-3_1_8_1.zip

For example:

SQLNET.RADIUS_CLASSPATH=/ohome/network_src/jlib/netradius.jar:/ohome/network_src/jlib/ewt-opt-3_1_8_1.zip

Configuration of Additional RADIUS Features

You can make the following additional RADIUS configurations by using the Net8 Assistant, or by modifying the file sqlnet.ora.

Set the listening port of the primary RADIUS server

Do this by setting the SQLNET.RADIUS_AUTHENTICATION_PORT parameter. The default is 1645.

Figure 3-7 Using Net8 Assistant to Set the Listening Port of the Primary RADIUS Server

Use the Net8 Assistant (refer to Figure 3-7):

  1. Select the Other Params tab.

  2. In the Authentication Service list, select RADIUS.

  3. In the Port Number box, the default is 1645. Accept this default or type the listening port number of your primary RADIUS server.

... or modify SQLNET.ORA by setting the following parameter:

SQLNET.RADIUS_AUTHENTICATION_PORT=(1645)

Configure the time for the Oracle server to wait for responses from the primary RADIUS server

Do this by setting the SQLNET.RADIUS_AUTHENTICATION_TIMEOUT parameter. The default is 15 seconds.

Figure 3-8 Using Net8 Assistant to Configure the Time for the Oracle Server to Wait for Responses from the Primary RADIUS Server

Use the Net8 Assistant (refer to Figure 3-8):

  1. Select the Other Params tab.

  2. In the Authentication Service list, select RADIUS.

  3. In the Timeout (seconds) box, the default is 15 seconds. Accept this default or type the number of seconds the Oracle server should wait for responses from the primary RADIUS server.

... or modify SQLNET.ORA by setting the following parameter:

SQLNET.RADIUS_AUTHENTICATION_TIMEOUT=(NUMBER OF SECONDS TO WAIT FOR RESPONSE)

Set the number of times the Oracle server should resend messages to the primary RADIUS server

Do this by setting the SQLNET.RADIUS_AUTHENTICATION_RETRIES parameter. The default is 3.

Figure 3-9 Using Net8 Assistant to Set the Number of Times the Oracle Server Should Resend Messages to the Primary RADIUS Server

Use the Net8 Assistant (refer to Figure 3-9):

  1. Select the Other Params tab.

  2. In the Authentication Service list, select RADIUS.

  3. In the Number of Retries box, the default is 3. Accept this default or type the number of times the Oracle server should resend messages to the primary RADIUS server.

... or modify SQLNET.ORA by setting the following parameter:

SQLNET.RADIUS_AUTHENTICATION_RETRIES=(NUMBER OF TIMES TO RE-SEND TO RADIUS SERVER)

More Information:

For instructions on configuring RADIUS accounting, see "Step 5: Configure RADIUS Accounting".  

Set the location of the secret key on the Oracle Server

Do this by setting the SQLNET.RADIUS_SECRET parameter.


Note:

This parameter sets the location of the secret key; it does not specify the secret key itself.  


More Information:

For information on specifying the secret key, see "Step 9: Specify the RADIUS secret key on the Oracle server".  


Note:

For security reasons, Oracle recommends that you change this file to root access only.  


Figure 3-10 Using Net8 Assistant to Set the Location of the Secret Key on the Oracle Server

Use the Net8 Assistant (refer to Figure 3-10):

  1. Select the Other Params tab.

  2. In the Authentication Service list, select RADIUS.

  3. In the Secret File box, type the pathname of the secret key file.

... or modify SQLNET.ORA by setting the following parameter:

SQLNET.RADIUS_SECRET=(path/RADIUS.KEY)

Configure challenge-response

The challenge-response (asynchronous) mode presents the user with a graphical interface requesting first a password, then additional information--for example, a dynamic password that the user obtains from a token card. With the RADIUS adapter, this interface is Java-based to provide optimal platform independence.


Note:

Third party vendors of authentication devices must customize this graphical user interface to fit their particular device. For example, a smartcard vendor would customize the Java interface so that the Oracle client reads data, such as a dynamic password, from the smartcard. Then, when the smartcard receives a challenge, it responds by prompting the user for more information, for example, a PIN.  


More Information:

For information on how to customize the challenge-response user interface, see Appendix C, "Integrating Authentication Devices Using RADIUS".

To configure challenge-response, do the following tasks, each of which is described below:

Set the JAVA_HOME environment variable

Set this environment variable to the JRE or JDK location on the system where the Oracle client is to run.

On UNIX:

At the command prompt, type the following:

Unix% setenv JAVA_HOME /usr/local/packages/jre1.1.7B

On Windows NT:

  1. Click the Start button > Settings > Control Panel > System > Environment.

  2. Set the variable JAVA_HOME to: c:\java\jre1.1.7B

Set configuration parameters

Set the following three parameters in the sqlnet.ora file as described below:

Figure 3-11 Using Net8 Assistant to Configure Challenge-Response

Use the Net8 Assistant (refer to Figure 3-11):

  1. Select the Other Params tab.

  2. In the Authentication Service list, select RADIUS.

  3. In the Challenge Response box, the default is OFF. Accept this default or type ON to enable challenge-response.

  4. In the Default Keyword box (see note 1 below), the default is challenge. Accept this default or type the keyword for requesting a challenge from the RADIUS server.

  5. In the Interface Class Name box, the default is DefaultRadiusInterface. Accept this default or type the name of the class you have created to handle the challenge-response conversation between the Oracle client and the RADIUS server.

... or modify SQLNET.ORA by setting the following parameters:

SQLNET.RADIUS_CHALLENGE_RESPONSE=([ON | OFF])

SQLNET.RADIUS_CHALLENGE_KEYWORD=(KEYWORD)

SQLNET.RADIUS_AUTHENTICATION_INTERFACE=(package_name/radius_interface_name)

Here package_name is written with slash marks (/) rather than periods (.) as delimiters, and is followed by radius_interface_name. For example:

SQLNET.RADIUS_AUTHENTICATION_INTERFACE=vendor/net/ActivCardRadiusInterface

Note 1: The keyword feature is provided by Oracle and supported by some, but not all, RADIUS servers. You can use this feature only if your RADIUS server supports it.

By setting a keyword, you allow the user to verify his or her identity without entering a password. If the user does not enter a password, the keyword you set here is passed to the RADIUS server, which responds with a challenge requesting, for example, a driver's license number or birth date. If the user does enter a password, the RADIUS server may or may not respond with a challenge, depending on the configuration of the RADIUS server.

Set parameters for an alternate RADIUS server

If you are using an alternate RADIUS server, set the following parameters in the file sqlnet.ora by using any text editor.

SQLNET.RADIUS_ALTERNATE=(HOSTNAME OR IP ADDRESS OF ALTERNATE RADIUS SERVER)

SQLNET.RADIUS_ALTERNATE_PORT=(1645)

SQLNET.RADIUS_ALTERNATE_TIMEOUT=(NUMBER OF SECONDS TO WAIT FOR RESPONSE)

SQLNET.RADIUS_ALTERNATE_RETRIES=(NUMBER OF TIMES TO RE-SEND TO RADIUS SERVER)
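As an added example (mine, not from the Oracle manual), the following POSIX shell script checks a server's sqlnet.ora and init<sid>.ora against the settings Step 2 describes and the radius.key file of Step 9. Parameter names and expected values are the manual's; the checks, the file-permission test and the script name are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the Oracle manual): check a server's sqlnet.ora and
# init<sid>.ora against the RADIUS settings described in Step 2, and the
# radius.key file of Step 9. Parameter names and values are the manual's; the
# checks themselves are mine.
# Usage: sh radius_check.sh /path/to/sqlnet.ora /path/to/init<sid>.ora

# Print the value of parameter NAME from FILE with the surrounding "( )",
# quotes and whitespace removed; prints nothing when NAME is absent.
get_param() {                                   # get_param FILE NAME
    pat=$(printf '%s' "$2" | sed 's/\./\\./g')  # escape dots for sed
    sed -n "s/^[[:space:]]*${pat}[[:space:]]*=[[:space:]]*//p" "$1" |
        head -n 1 | tr -d "()\"'[:space:]"
}

upper() { printf '%s' "$1" | tr '[:lower:]' '[:upper:]'; }

finding() { echo "FINDING: $*"; findings=$((findings + 1)); }

# Run the checks; the key file is located through SQLNET.RADIUS_SECRET.
# Returns the number of findings (0 = every check passed).
check_radius_config() {           # check_radius_config SQLNET_ORA INIT_ORA
    sqlnet=$1 initora=$2 findings=0

    # 1. RADIUS must be one of the selected authentication services.
    svc=$(upper "$(get_param "$sqlnet" SQLNET.AUTHENTICATION_SERVICES)")
    case ",$svc," in
        *,RADIUS,*) ;;
        *) finding "SQLNET.AUTHENTICATION_SERVICES=($svc) does not include RADIUS" ;;
    esac

    # 2. The secret key file must exist, hold the shared secret and nothing
    #    else, and be readable by its owner only (the manual's "root access only").
    keyfile=$(get_param "$sqlnet" SQLNET.RADIUS_SECRET)
    if [ -z "$keyfile" ]; then
        finding "SQLNET.RADIUS_SECRET is not set"
    elif [ ! -f "$keyfile" ]; then
        finding "secret key file $keyfile does not exist"
    else
        lines=$(grep -c . "$keyfile" || true)
        [ "$lines" -eq 1 ] ||
            finding "$keyfile should hold only the shared secret ($lines non-empty lines)"
        mode=$(ls -ld "$keyfile" | cut -c1-10)          # e.g. -rw-------
        [ "$(printf '%s' "$mode" | cut -c5-10)" = "------" ] ||
            finding "$keyfile is accessible to group/other (mode $mode)"
    fi

    # 3. Challenge-response mode needs the classpath for its Java interface.
    if [ "$(upper "$(get_param "$sqlnet" SQLNET.RADIUS_CHALLENGE_RESPONSE)")" = ON ] &&
       [ -z "$(get_param "$sqlnet" SQLNET.RADIUS_CLASSPATH)" ]; then
        finding "challenge-response is ON but SQLNET.RADIUS_CLASSPATH is not set"
    fi

    # 4. init<sid>.ora: REMOTE_OS_AUTHENT=FALSE and OS_AUTHENT_PREFIX="".
    [ "$(upper "$(get_param "$initora" REMOTE_OS_AUTHENT)")" = FALSE ] ||
        finding "REMOTE_OS_AUTHENT must be FALSE (see the caution in Step 2)"
    if ! grep -q '^[[:space:]]*OS_AUTHENT_PREFIX[[:space:]]*=' "$initora"; then
        finding "OS_AUTHENT_PREFIX is not set; set it to \"\""
    elif [ -n "$(get_param "$initora" OS_AUTHENT_PREFIX)" ]; then
        finding "OS_AUTHENT_PREFIX should be \"\""
    fi

    if [ "$findings" -eq 0 ]; then echo "OK: RADIUS configuration checks passed"; fi
    return "$findings"
}

# When run as a script with two arguments, check the given files.
if [ $# -eq 2 ]; then check_radius_config "$1" "$2"; fi
```

The exit status is the number of findings, so the script can gate a deployment step.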

Step 3: Add the RADIUS client name to the RADIUS server database

The RADIUS client is your Oracle server. See Figure 3-1.

Adding the RADIUS Client Name to the Livingston RADIUS Server, Version 2.0


Note:

You can use virtually any RADIUS server that complies with the standards in the Internet Engineering Task Force (IETF) RFC #2138, Remote Authentication Dial In User Service (RADIUS) and RFC #2139 RADIUS Accounting. Because RADIUS servers vary, you should consult the documentation for your particular RADIUS server for any unique interoperability requirements.  


The clients file on the RADIUS server stores each RADIUS client's name or IP address and its shared secret. The pathname for this file is: /etc/raddb/clients.

To add the RADIUS client name to the Livingston RADIUS Server 2.0 database:
  1. Open the clients file in any text editor. The following text and table appear:

    @ (#) clients 1.1 2/21/96 Copyright 1991 Livingston Enterprises Inc
    
    This file contains a list of clients which are allowed to make 
    authentication requests and their encryption key. The first field is a 
    valid hostname. The second field (separated by blanks or tabs) is the 
    encryption key.
    
    Client Name                     Key
  2. In the CLIENT NAME column, enter the client's name or IP address. In the KEY column, enter the shared secret.


    Note:

    The value you enter in the CLIENT NAME column--whether it is the client's name or IP address--depends on your RADIUS server. See your RADIUS documentation.  


  3. Save and close the clients file.

    More Information:

    See the administration documentation for your RADIUS server.  

Step 4: Create and grant access to a user

  1. Create and grant access to a user identified externally on the Oracle server.

    You can do this by launching SQL*Plus and typing the following commands:

    SQL> CONNECT system/manager@database_name
    SQL> CREATE USER username IDENTIFIED EXTERNALLY;
    SQL> GRANT CREATE SESSION TO username;
    SQL> EXIT

    If you are using a Windows NT platform, you can do this by using the Security Manager tool of the Oracle Enterprise Manager.

    More Information:

    See Oracle8i Administrator's Guide and Oracle8i Distributed Database Systems.  

  2. Enter that same user in the RADIUS server's users file.

    More Information:

    See the administration documentation for your RADIUS server.  

Step 5: Configure RADIUS Accounting

RADIUS Accounting logs information about access to the Oracle server and stores it in a file on the RADIUS accounting server. You can use this feature only if both your RADIUS server and authentication server support it.

To enable or disable RADIUS accounting, you set RADIUS accounting on the Oracle server and configure the RADIUS accounting server, as described below.

Set RADIUS Accounting on the Oracle Server

Do this by setting the SQLNET.RADIUS_SEND_ACCOUNTING parameter on the Oracle server.

Figure 3-12 Using Net8 Assistant to Set RADIUS Accounting

Use the Net8 Assistant (refer to Figure 3-12):

  1. Select the Other Params tab.

  2. In the Authentication Service list, select RADIUS.

  3. In the Send Accounting box, type ON to enable accounting or OFF to disable it. The default is OFF.

... or modify SQLNET.ORA by setting the following parameter:

SQLNET.RADIUS_SEND_ACCOUNTING=ON

Configure the RADIUS Accounting Server

RADIUS Accounting consists of an accounting server residing on either the same host as the RADIUS authentication server or on a separate host.

More Information:

For information on configuring RADIUS accounting, see the administration documentation for your RADIUS server.  

Step 6: Configure the authentication server for use with RADIUS

More Information:

For instructions on configuring the authentication server, see the documentation for your authentication server. The section "Related Publications" contains a list of possible resources.  

Step 7: Configure the RADIUS server for use with the authentication server

More Information:

See the documentation for your RADIUS server.  

Step 8: Create and grant roles

If your RADIUS server supports the vendor type attribute, you can manage roles by storing them in the RADIUS server. The Oracle server downloads these roles when there is a CONNECT request using RADIUS.

To use this feature, configure roles on both the Oracle server and the RADIUS server.

To configure roles on the Oracle server:
  1. Use a text editor to set the initialization parameter OS_ROLES in the init.ora file on the Oracle server.

  2. Stop and restart the Oracle server.

  3. Use the IDENTIFIED EXTERNALLY syntax to create on the Oracle server each role you want the RADIUS server to manage.

    More Information:

    See Oracle8i Administrator's Guide.

To configure roles on the RADIUS server:

Create role names with the following format:

ORA_DatabaseName.DatabaseDomainName_RoleName

Parameter            Description
DatabaseName         The name of the Oracle server for which the role is being created. This is
                     the same as the value of the db_name initialization parameter.
DatabaseDomainName   The name of the domain to which the Oracle server belongs. This is the same
                     as the value of the db_domain initialization parameter.
RoleName             The name of the role that you created on the Oracle server.

For example:

ORA_JULIETDB.US.ORACLE.COM_MANAGER

More Information:

See the administration documentation for your RADIUS server.  
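An added example (mine, not from the Oracle manual) that builds role names in the ORA_DatabaseName.DatabaseDomainName_RoleName format above and parses them back, for instance when auditing the RADIUS server's users file against the roles created IDENTIFIED EXTERNALLY. It assumes that the domain part contains no underscore; the database and role names may.

```shell
#!/bin/sh
# Added example, not from the Oracle manual: build and parse RADIUS-side role
# names in the ORA_DatabaseName.DatabaseDomainName_RoleName format of Step 8.
# Assumption (mine): the domain contains no underscore, so the role is
# everything after the first "_" that follows the first "."; db_name and
# RoleName may themselves contain underscores (e.g. PROD_DB, APP_ADMIN).

upper() { printf '%s' "$1" | tr '[:lower:]' '[:upper:]'; }

# radius_role_name DB_NAME DB_DOMAIN ROLE -> ORA_DB_NAME.DB_DOMAIN_ROLE (upper case)
radius_role_name() {
    printf 'ORA_%s.%s_%s\n' "$(upper "$1")" "$(upper "$2")" "$(upper "$3")"
}

# parse_radius_role NAME -> prints "db_name db_domain role"; returns 1 when NAME
# does not follow the format (missing ORA_ prefix, domain or role part).
parse_radius_role() {
    name=$1
    case "$name" in ORA_*.*_*) ;; *) return 1 ;; esac
    rest=${name#ORA_}            # JULIETDB.US.ORACLE.COM_MANAGER
    db=${rest%%.*}               # JULIETDB
    rest=${rest#*.}              # US.ORACLE.COM_MANAGER
    domain=${rest%%_*}           # US.ORACLE.COM
    role=${rest#*_}              # MANAGER
    [ -n "$db" ] && [ -n "$domain" ] && [ -n "$role" ] || return 1
    printf '%s %s %s\n' "$db" "$domain" "$role"
}

# radius_role_names DB_NAME DB_DOMAIN ROLE... -> one RADIUS role name per line,
# the list to create on the RADIUS server for the given Oracle roles.
radius_role_names() {
    db=$1 domain=$2
    shift 2
    for role in "$@"; do radius_role_name "$db" "$domain" "$role"; done
}
```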

Step 9: Specify the RADIUS secret key on the Oracle server

Do this by performing the following tasks:

  1. Obtain the RADIUS secret key from your RADIUS server. The administrator of the RADIUS server creates a shared secret key for each RADIUS client, which could be as simple as the text 'test123'.

  2. On the Oracle server, create a directory $ORACLE_HOME/SECURITY.

  3. Create the file radius.key to hold the shared secret from the RADIUS server. Place it in the directory you just created, namely, $ORACLE_HOME/SECURITY.

  4. Copy the shared secret key and paste it (and nothing else) into the radius.key file you just created on the Oracle server.

    More Information:

    For information on obtaining your secret key, see the administration documentation for your RADIUS server.  

Using any text editor, open the file radius.key located in the path $ORACLE_HOME/SECURITY. Enter the RADIUS secret key and save the file.


Note:

For security reasons, Oracle recommends that you change this file to root access only.  


Logging in to the Database

If you are using the synchronous authentication mode, launch SQL*Plus and, at the prompt, type the following:

CONNECT username/password@database_alias

Note that you can log in with this command only when challenge-response is set to OFF.

If you are using the challenge-response (asynchronous) mode, launch SQL*Plus and, at the prompt, type the following:

CONNECT /@database_alias

Note that you can log in with this command only when challenge-response is set to ON.




Copyright © 1999 Oracle Corporation. All Rights Reserved.
