Oracle Advanced Security Administrator's Guide
Release 8.1.6

A76932-01


4
Configuring RADIUS Authentication

This chapter describes how to configure Oracle8i for use with RADIUS (Remote Authentication Dial-In User Service).

This chapter covers the following topics:

RADIUS Overview

RADIUS (Remote Authentication Dial-In User Service) is a client-server security protocol most widely known for enabling remote authentication and access. Oracle Advanced Security uses this industry standard in a client-server network environment.

You can enable the network to use any authentication method that supports the RADIUS standard, including token cards and smart cards, simply by installing and configuring the RADIUS feature. Moreover, when you use RADIUS, you can change the authentication method without modifying either the Oracle client or the Oracle server.

From the user's perspective, the entire authentication process takes place seamlessly and transparently. When the user seeks access to an Oracle server, the Oracle server, acting as the RADIUS client, notifies the RADIUS server. The RADIUS server then:

In an Oracle environment, as shown in Figure 4-1, the Oracle server acts as the RADIUS client; it passes information between the Oracle client and the RADIUS server. Similarly, the RADIUS server passes information between the Oracle server and the appropriate authentication server or servers. To secure authentication information during transport, RADIUS converts it to a hash value.

Figure 4-1 RADIUS in an Oracle Environment


The four components, Oracle client, Oracle server/RADIUS client, RADIUS server, and authentication server, can reside on the same machine or on separate machines. When the Oracle client and Oracle server reside on the same machine, they share the same sqlnet.ora file.

RADIUS server vendors are often the authentication server vendors as well, and therefore authentication can be processed on the RADIUS server. For example, the Security Dynamics ACE/Server is a RADIUS server and an authentication server. It authenticates the user's passcode itself.
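The following is an added example, written for this page and not part of the guide or of Oracle's adapter, that makes the transport protection described above concrete. It follows RFC 2138: the Oracle server, in its RADIUS-client role, sends an Access-Request in which the User-Password attribute is hidden under an MD5 keystream derived from the shared secret and a fresh random Request Authenticator; a RADIUS server that is also the authentication server recovers the password, checks it, and answers with an Access-Accept or Access-Reject carrying a Response Authenticator; the client verifies that authenticator before trusting the reply. The user name, password and secret are constructed sample values. Everything in this exchange rests on the shared secret, which is why the radius.key file created later in this chapter is meant to be readable by root only.

```python
import hashlib
import hmac
import secrets
import struct

# Packet codes and attribute types from RFC 2138.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2138 section 5.2: pad with NULs to a multiple of 16 bytes, then XOR each
    block with MD5(secret + previous hidden block); the first block is masked with
    MD5(secret + Request Authenticator)."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side of the same transform: the chaining value is the previous hidden
    block, so only a holder of the secret can rebuild the mask."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attr(atype: int, value: bytes) -> bytes:
    # Type, Length (which counts these two header bytes too), Value.
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attrs(data: bytes) -> dict:
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute list")
        attrs[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return attrs


def build_access_request(ident, username, password, secret, request_auth=None):
    """Oracle server acting as RADIUS client; the Request Authenticator is a fresh
    random value per request and seeds the password hiding."""
    request_auth = request_auth or secrets.token_bytes(16)
    attrs = encode_attr(ATTR_USER_NAME, username) + encode_attr(
        ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def response_authenticator(code, ident, attrs, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2138 section 3."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def radius_server_handle(packet, secret, users):
    """Toy RADIUS server that is also the authentication server: reveals the password,
    compares it with a constructed user table and answers Accept or Reject."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("unexpected packet")
    request_auth = packet[4:20]
    attrs = parse_attrs(packet[20:length])
    user = attrs.get(ATTR_USER_NAME, b"")
    given = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    ok = user in users and hmac.compare_digest(users[user], given)
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return struct.pack("!BBH", code, ident, 20) + response_authenticator(
        code, ident, b"", request_auth, secret)


def client_verify_response(packet, ident, request_auth, secret):
    """Before trusting an Accept, the client checks that the reply answers its own
    request (same ID and Request Authenticator) and was produced with its secret.
    Returns the packet code, or None if the reply does not verify."""
    code, rid, length = struct.unpack("!BBH", packet[:4])
    if rid != ident or length != len(packet) or length < 20:
        return None
    expected = response_authenticator(code, rid, packet[20:], request_auth, secret)
    return code if hmac.compare_digest(expected, packet[4:20]) else None


def run_exchange(username, password, client_secret, server_secret, users, ident=7):
    """Full round trip; returns (accepted, reply_verified)."""
    request_auth = secrets.token_bytes(16)
    req = build_access_request(ident, username, password, client_secret, request_auth)
    reply = radius_server_handle(req, server_secret, users)
    code = client_verify_response(reply, ident, request_auth, client_secret)
    return code == ACCESS_ACCEPT, code is not None


USERS = {b"scott": b"tiger-1234-dynamic"}  # constructed sample credentials

if __name__ == "__main__":
    print(run_exchange(b"scott", b"tiger-1234-dynamic", b"test123", b"test123", USERS))
```

With matching secrets and a correct password the exchange returns (True, True); a wrong password gives (False, True), a Reject that still verifies; and a secret mismatch between client and server gives (False, False), because the Response Authenticator no longer checks out and the client must discard the reply rather than act on it.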

More Information:

For information about the sqlnet.ora file, see Net8 Administrator's Guide. 

Table 4-1 lists each RADIUS component and the information it stores.

Table 4-1 RADIUS Authentication Components

Component  Stored Information

Oracle client
    Configuration setting for communicating through RADIUS

Oracle server/RADIUS client
    Configuration settings for passing information between the Oracle client and the RADIUS server
    The secret key file

RADIUS server
    Authentication and authorization information for all users
    Each client's name or IP address
    Each client's shared secret
    Unlimited number of menu files enabling users already authenticated to select different login options without reconnecting

Authentication server or servers
    User authentication information such as passcodes and PINs, depending on the authentication method in use

Note: The RADIUS server and authentication server can be one and the same. 

RADIUS Authentication Modes

User authentication can take place in either of two ways:

Synchronous Authentication Mode

In the synchronous mode, RADIUS allows you to use various authentication methods, including passwords, SecurID token cards, and smart cards. Figure 4-2 shows the sequence in which synchronous authentication occurs.

Figure 4-2 Synchronous Authentication Sequence


Example: Synchronous Authentication with SecurID Token Cards

With SecurID authentication, each user has a token card which displays a dynamic number that changes every sixty seconds. To gain access to the Oracle server/RADIUS client, the user enters a valid passcode that includes both a personal identification number (PIN) and the dynamic number currently displayed on the user's SecurID card. The Oracle server passes this authentication information from the Oracle client to the RADIUS server, which in this case is the authentication server for validation. Once the authentication server (Security Dynamics ACE/Server) validates the user, it sends an "accept" packet to the Oracle server, which, in turn, passes it to the Oracle client. The user is now authenticated and able to access the appropriate tables and applications.

More Information:

For more information on SecurID token cards, see Chapter 1, "Introduction to Oracle Advanced Security" and Chapter 7, "Configuring SecurID Authentication". See also the documentation provided by Security Dynamics. 

Challenge-Response (Asynchronous) Authentication Mode

When the system uses the asynchronous mode, the user does not need to enter a user name and password at the SQL*Plus CONNECT string. Instead, a graphical user interface asks the user for this information later in the process.

Figure 4-3 shows the sequence in which challenge-response, or asynchronous, authentication occurs.


Note:

If the RADIUS server is the authentication server, Steps 3, 4, and 5, and Steps 9, 10, and 11 in Figure 4-3 are combined. 


Figure 4-3 Asynchronous Authentication Sequence


Example: Asynchronous Authentication with Smart Cards

With smart card authentication, the user logs in by inserting the smart card--a plastic card (like a credit card) with an embedded integrated circuit for storing information--into a hardware device which reads the card. The Oracle client sends the login information contained in the smart card to the authentication server by way of the Oracle server/RADIUS client and the RADIUS server. The authentication server sends back a challenge to the Oracle client, by way of the RADIUS server and the Oracle server, prompting the user for authentication information. The information could be, for example, a PIN as well as additional authentication information contained on the smart card.

The Oracle client sends the user's response to the authentication server by way of the Oracle server and the RADIUS server. If the user has entered a valid number, the authentication server sends an "accept" packet back to the Oracle client by way of the RADIUS server and the Oracle server. The user is now authenticated and authorized to access the appropriate tables and applications. If the user has entered incorrect information, the authentication server sends back a message rejecting the user's access.

Example: Asynchronous Authentication with ActivCard Tokens

One particular ActivCard token is a hand-held device with a keypad that displays a dynamic password. When the user seeks access to an Oracle server by entering a password, the information is passed to the appropriate authentication server by way of the Oracle server/RADIUS client and the RADIUS server. The authentication server sends back a challenge to the client--by way of the RADIUS server and the Oracle server. The user types that challenge into the token, and the token displays a number for the user to send in response.

The Oracle client then sends the user's response to the authentication server by way of the Oracle server and the RADIUS server. If the user has typed a valid number, the authentication server sends an "accept" packet back to the Oracle client by way of the RADIUS server and the Oracle server. The user is now authenticated and authorized to access the appropriate tables and applications. If the user has entered an incorrect response, the authentication server sends back a message rejecting the user's access.

Enabling RADIUS Authentication and Accounting

To enable RADIUS authentication and accounting, perform the following general tasks as described in this section:

Task 1: Install RADIUS on the Oracle Server and on the Oracle Client

RADIUS is installed with Oracle Advanced Security during a typical installation of Oracle8i.

More Information:

For information on installing Oracle Advanced Security and the RADIUS adapter, see the platform-specific installation documentation for Oracle8i. 

Task 2: Configure RADIUS Authentication

This step contains the following topics:

Unless otherwise indicated, perform these configuration tasks by using the Net8 Assistant or by using any text editor to modify the sqlnet.ora file.

Basic RADIUS Configuration on the Oracle Client

Perform the following steps to configure the client for RADIUS authentication:

  1. Start Net8 Assistant as follows:

    • On UNIX, run netasst from $ORACLE_HOME/bin.

    • On Windows NT, choose Start > Programs > Oracle - HOME_NAME > Network Administration > Net8 Assistant.

  2. In the navigator's pane, expand Local > Profile.

  3. From the list in the right pane, select Oracle Advanced Security.

    The Oracle Advanced Security tabbed pages appear.

  4. Click the Authentication tab.


  5. From the Available Methods list, select RADIUS.

  6. Click the right-arrow button [>] to move RADIUS to the Selected Methods list. Move any other methods you want to use in the same way.

  7. Arrange the selected methods in order of required usage by selecting a method in the Selected Methods list, and clicking Promote or Demote to position it in the list. For example, put RADIUS at the top of the list for it to be the first service used.

  8. Choose File > Save Network Configuration.

    The sqlnet.ora file updates with the following entry:

    SQLNET.AUTHENTICATION_SERVICES=(RADIUS)
    

Basic RADIUS Configuration on the Oracle Server

Perform the following tasks as described in this section:

Create the RADIUS Secret Key File on the Oracle Server

Perform the following steps to create the RADIUS secret key file on the Oracle server.

  1. Obtain the RADIUS secret key from the RADIUS server. The administrator of the RADIUS server creates a shared secret key for each RADIUS client, which can be as simple as "test123".

  2. On the Oracle server, create a directory $ORACLE_HOME/network/security on UNIX or $ORACLE_HOME\network\security on Windows NT.

  3. Create the file radius.key to hold the shared secret from the RADIUS server. Place the file in the directory you just created, namely, $ORACLE_HOME/network/security on UNIX or $ORACLE_HOME\network\security on Windows NT.

  4. Copy the shared secret key and paste it (and nothing else) into the radius.key file created on the Oracle server.

    More Information:

    For information on obtaining the secret key, see the administration documentation for the RADIUS server. 


    Note:

    For security reasons, Oracle Corporation recommends that you change this file to root access only. 


Set RADIUS Parameters in the sqlnet.ora File

To configure RADIUS parameters on the server:

  1. Start Net8 Assistant:

    • On UNIX, run netasst from $ORACLE_HOME/bin.

    • On Windows NT, choose Start > Programs > Oracle - HOME_NAME > Network Administration > Net8 Assistant.

  2. In the navigator's pane, expand Local > Profile.

  3. From the list in the right pane, select Oracle Advanced Security.

    The Oracle Advanced Security tabbed pages appear.

  4. Click the Authentication tab.


  5. From the Available Methods list, select RADIUS.

  6. Move RADIUS to the Selected Methods list by clicking the right-arrow button [>].

  7. Arrange the selected methods in order of desired use. To do this, select a method in the Selected Methods list, then click Promote or Demote to position it in the list. For example, if you want RADIUS to be the first service used, put it at the top of the list.

  8. Click the Other Params tab.


  9. From the Authentication Service list, select RADIUS.

  10. In the Host Name field, accept the localhost as the default primary RADIUS server or enter another host name.


    Note:

    Ensure that the default value of the Secret File field is valid. 


  11. Choose File > Save Network Configuration.

    The sqlnet.ora file updates with the following entries:

    SQLNET.AUTHENTICATION_SERVICES=service
    SQLNET.RADIUS_AUTHENTICATION=location
    
    

    where service is RADIUS and location is the host name or IP address of the RADIUS server.

Set Oracle Server Initialization Parameters

Configure the initialization parameter file, which you can find in the directory $ORACLE_BASE/admin/db_name/pfile on UNIX and $ORACLE_BASE\admin\db_name\pfile on Windows NT. Specify the following values in this file:

REMOTE_OS_AUTHENT=FALSE
OS_AUTHENT_PREFIX=""


Caution:

Setting REMOTE_OS_AUTHENT to TRUE can allow a security breach because it allows someone using a non-secure protocol, such as TCP, to perform an operating system-authorized login (formerly referred to as an OPS$ login). 


More Information:

For information on setting initialization parameters on the Oracle server, refer to the Oracle8i Reference and the Oracle8i Administrator's Guide. 
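As an added example (not Oracle's code and not part of this guide), the following Python script audits the settings the preceding sections require: it parses the NAME=VALUE lines of a sqlnet.ora and an initialization parameter file, confirms that RADIUS is selected and a primary RADIUS server host is set, checks that the file named by SQLNET.RADIUS_SECRET exists, holds the key and nothing else, and is not accessible by group or others, and flags REMOTE_OS_AUTHENT set to anything but FALSE and a non-empty OS_AUTHENT_PREFIX. The file contents, the host name radius.example.com and the key test123 are constructed; the parser covers only the simple one-parameter-per-line form used in this chapter, not the full sqlnet.ora grammar, and the permission check assumes UNIX file modes.

```python
import os
import stat
import tempfile


def parse_params(text: str) -> dict:
    """Parse NAME=VALUE lines as written in sqlnet.ora and the initialization
    parameter file: drops '#' comments, the parentheses sqlnet.ora wraps values
    in, and surrounding double quotes. Names are returned in upper case."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        if value.startswith("(") and value.endswith(")"):
            value = value[1:-1].strip()
        params[name.upper()] = value.strip('"')
    return params


def create_secret_file(path: str, key: bytes) -> None:
    """Write radius.key containing the shared secret and nothing else, created
    owner-only from the start rather than tightened afterwards."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(key.strip() + b"\n")
    os.chmod(path, 0o600)  # the creation mode is still subject to the umask


def check_secret_file(path: str) -> list:
    findings = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"secret key file {path} does not exist"]
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"secret key file {path} is accessible by group or others; restrict it to the owner")
    with open(path, "rb") as f:
        key = f.read().rstrip(b"\r\n")
    if len(key.split()) != 1:
        findings.append(f"secret key file {path} must contain the shared secret and nothing else")
    return findings


def check_radius_config(sqlnet: dict, init: dict) -> list:
    """Return a list of findings; an empty list means the settings match the chapter."""
    findings = []
    services = [s.strip().upper() for s in sqlnet.get("SQLNET.AUTHENTICATION_SERVICES", "").split(",")]
    if "RADIUS" not in services:
        findings.append("RADIUS is not listed in SQLNET.AUTHENTICATION_SERVICES")
    if not sqlnet.get("SQLNET.RADIUS_AUTHENTICATION"):
        findings.append("SQLNET.RADIUS_AUTHENTICATION (host of the primary RADIUS server) is not set")
    secret_path = sqlnet.get("SQLNET.RADIUS_SECRET")
    if secret_path:
        findings.extend(check_secret_file(secret_path))
    else:
        findings.append("SQLNET.RADIUS_SECRET (path to radius.key) is not set")
    if init.get("REMOTE_OS_AUTHENT", "FALSE").upper() != "FALSE":
        findings.append("REMOTE_OS_AUTHENT is not FALSE: a client on a non-secure protocol such as TCP "
                        "could perform an operating system-authorized (OPS$) login")
    if init.get("OS_AUTHENT_PREFIX", "") != "":
        findings.append('OS_AUTHENT_PREFIX is not the empty string ""')
    return findings


# Constructed sample files; {secret} is filled with a scratch path at run time.
SQLNET_ORA = """
SQLNET.AUTHENTICATION_SERVICES=(RADIUS)
SQLNET.RADIUS_AUTHENTICATION=radius.example.com
SQLNET.RADIUS_AUTHENTICATION_PORT=(1645)
SQLNET.RADIUS_AUTHENTICATION_TIMEOUT=(15)
SQLNET.RADIUS_AUTHENTICATION_RETRIES=(3)
SQLNET.RADIUS_SECRET=({secret})
"""
INIT_ORA_OK = 'REMOTE_OS_AUTHENT=FALSE\nOS_AUTHENT_PREFIX=""\n'
INIT_ORA_WEAK = 'REMOTE_OS_AUTHENT=TRUE\nOS_AUTHENT_PREFIX="OPS$"\n'


def audit(init_text: str, key_mode: int) -> list:
    """Materialise the sample files in a scratch directory and audit them."""
    with tempfile.TemporaryDirectory() as d:
        secret = os.path.join(d, "radius.key")
        create_secret_file(secret, b"test123")
        os.chmod(secret, key_mode)  # simulate a correctly or loosely protected key file
        return check_radius_config(parse_params(SQLNET_ORA.format(secret=secret)),
                                   parse_params(init_text))


if __name__ == "__main__":
    for line in audit(INIT_ORA_WEAK, 0o644) or ["no findings"]:
        print(line)
```

Run against a real installation, parse_params would be fed the contents of $ORACLE_HOME/network/admin/sqlnet.ora and the pfile for the instance; the audit function here only exists to exercise the checks on the constructed samples.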

Configuration of Additional RADIUS Features

Perform the following tasks as described in this section:

Change Default Settings

Perform the following steps to change default settings using the Net8 Assistant.

  1. Start Net8 Assistant as follows:

    • On UNIX, run netasst from $ORACLE_HOME/bin.

    • On Windows NT, choose Start > Programs > Oracle - HOME_NAME > Network Administration > Net8 Assistant.

  2. In the navigator's pane, expand Local > Profile.

  3. From the list in the right pane, select Oracle Advanced Security.

    The Oracle Advanced Security tabbed pages appear.

  4. Click the Other Params tab.


  5. From the Authentication Service list, select RADIUS.

  6. Change the default setting for any of the fields described in the following table:

    Field  Description

    Port Number
        Specifies the listening port of the primary RADIUS server. The default value is 1645.

    Timeout (seconds)
        Specifies the time the Oracle server waits for a response from the primary RADIUS server. The default is 15 seconds.

    Number of Retries
        Specifies the number of times the Oracle server resends messages to the primary RADIUS server. The default is three retries.
        More Information: For instructions on configuring RADIUS accounting, see "Task 5: Configure RADIUS Accounting" in this chapter.

    Secret File
        Specifies the location of the secret key file on the Oracle server. The field holds the location of the file, not the secret key itself.
        More Information: For information on specifying the secret key, see "Create the RADIUS Secret Key File on the Oracle Server".
        Note: For security reasons, Oracle Corporation recommends that you change this file to root access only.

  7. Choose File > Save Network Configuration.

    The sqlnet.ora file updates with the following entries:

    SQLNET.RADIUS_AUTHENTICATION_PORT=(PORT)
    SQLNET.RADIUS_AUTHENTICATION_TIMEOUT=(NUMBER OF SECONDS TO WAIT FOR RESPONSE)
    SQLNET.RADIUS_AUTHENTICATION_RETRIES=(NUMBER OF TIMES TO RE-SEND TO RADIUS SERVER)
    SQLNET.RADIUS_SECRET=(path/radius.key)

Configure Challenge-Response

The challenge-response (asynchronous) mode presents the user with a graphical interface requesting first a password, then additional information--for example, a dynamic password that the user obtains from a token card. With the RADIUS adapter, this interface is Java-based to provide optimal platform independence.


Note:

Third party vendors of authentication devices must customize this graphical user interface to fit their particular device. For example, a smart card vendor would customize the Java interface so that the Oracle client reads data, such as a dynamic password, from the smart card. When the smart card receives a challenge, it responds by prompting the user for more information, such as a PIN. 


More Information:

For information on how to customize the challenge-response user interface, see Appendix C, "Integrating Authentication Devices Using RADIUS"

To configure challenge-response, perform the following steps.

  1. Set the JAVA_HOME environment variable to the JRE or JDK location on the system where the Oracle client is to run:

    • On UNIX, enter the following at the command prompt:

      % setenv JAVA_HOME /usr/local/packages/jre1.1.7B

    • On Windows NT, choose Start > Settings > Control Panel > System > Environment, and set the JAVA_HOME variable to the following:

      c:\java\jre1.1.7B

  2. If you use the challenge-response authentication mode, RADIUS presents a Java-based graphical interface requesting a password and additional information, such as a dynamic password that the user obtains from a token card. Add the SQLNET.RADIUS_CLASSPATH parameter in the sqlnet.ora file to set the path for the Java classes for the graphical interface.

    Use a text editor to add the following parameter to the sqlnet.ora file:

    SQLNET.RADIUS_CLASSPATH=(location of netradius.jar) and (location of JRE rt.jar)

    The following is an example of setting the path for the Java classes:

    SQLNET.RADIUS_CLASSPATH=/ohome/network_src/jlib/netradius.jar:/usr/local/packages/jre1.1.7B/lib/rt.jar

  3. Start Net8 Assistant as follows:

    • On UNIX, run netasst from $ORACLE_HOME/bin.

    • On Windows NT, choose Start > Programs > Oracle - HOME_NAME > Network Administration > Net8 Assistant.

  4. In the navigator's pane, expand Local > Profile.

  5. From the list in the right pane, select Oracle Advanced Security.

    The Oracle Advanced Security tabbed pages appear.

  6. Click the Other Params tab.


  7. From the Authentication Service list, select RADIUS.

  8. In the Challenge Response field, enter ON to enable challenge-response.

  9. In the Default Keyword1 field, accept the default value of the challenge or enter a keyword for requesting a challenge from the RADIUS server.

  10. In the Interface Class Name field, accept the default value of DefaultRadiusInterface or enter the name of the class you have created to handle the challenge-response conversation between the Oracle client and the RADIUS server.

  11. Choose File > Save Network Configuration.

    The sqlnet.ora file updates with the following entries:

    SQLNET.RADIUS_CHALLENGE_RESPONSE=([ON | OFF])
    SQLNET.RADIUS_CHALLENGE_KEYWORD=(KEYWORD)
    SQLNET.RADIUS_AUTHENTICATION_INTERFACE=(name of interface including the package name delimited by "/" for ".")

Set Parameters for an Alternate RADIUS Server

If you are using an alternate RADIUS server, set the following parameters in the sqlnet.ora file using any text editor.

SQLNET.RADIUS_ALTERNATE=(HOSTNAME OR IP ADDRESS OF ALTERNATE RADIUS SERVER)
SQLNET.RADIUS_ALTERNATE_PORT=(1645)
SQLNET.RADIUS_ALTERNATE_TIMEOUT=(NUMBER OF SECONDS TO WAIT FOR RESPONSE)
SQLNET.RADIUS_ALTERNATE_RETRIES=(NUMBER OF TIMES TO RE-SEND TO RADIUS SERVER)

Task 3: Add the RADIUS Client Name to the RADIUS Server Database

You can use virtually any RADIUS server that complies with the standards in the Internet Engineering Task Force (IETF) RFC #2138, Remote Authentication Dial In User Service (RADIUS), and RFC #2139, RADIUS Accounting. Because RADIUS servers vary, consult the documentation for your particular RADIUS server for any unique interoperability requirements.

Perform the following steps to add the RADIUS client name to a Livingston RADIUS server.

  1. Open the clients file, which can be found at /etc/raddb/clients. The following text and table appear:

    @ (#) clients 1.1 2/21/96 Copyright 1991 Livingston Enterprises Inc
    
    This file contains a list of clients which are allowed to make 
    authentication requests and their encryption key. The first field is a valid 
    hostname. The second field (separated by blanks or tabs) is the encryption 
    key.
    
    Client Name                     Key

  2. In the CLIENT NAME column, enter the host name or IP address of the host on which the Oracle server is running. In the KEY column, type the shared secret.

    The value you enter in the CLIENT NAME column, whether it is the client's name or IP address, depends on the RADIUS server.

  3. Save and close the clients file.

    More Information:

    See the administration documentation for your RADIUS server. 

Task 4: Create a User and Grant Access

  1. Create a user identified externally on the Oracle server and grant that user access.

    Launch SQL*Plus and enter the following commands:

    SQL> CONNECT system/manager@database_name;
    SQL> CREATE USER username IDENTIFIED EXTERNALLY;
    SQL> GRANT CREATE SESSION TO username;
    SQL> EXIT

    If you are using a Windows NT platform, you can use the Security Manager tool in the Oracle Enterprise Manager.

    More Information:

    See Oracle8i Administrator's Guide and Oracle8i Distributed Database Systems. 

  2. Enter the same user in the RADIUS server's users file.

    More Information:

    See the administration documentation for the RADIUS server. 

Task 5: Configure RADIUS Accounting

RADIUS Accounting logs information about access to the Oracle server and stores it in a file on the RADIUS accounting server. Use this feature only if both the RADIUS server and authentication server support it.

Set RADIUS Accounting on the Oracle Server

To enable or disable RADIUS accounting:

  1. Start Net8 Assistant:

    • On UNIX, run netasst from $ORACLE_HOME/bin.

    • On Windows NT, choose Start > Programs > Oracle - HOME_NAME > Network Administration > Net8 Assistant.

  2. In the navigator's pane, expand Local > Profile.

  3. From the list in the right pane, select Oracle Advanced Security.

    The Oracle Advanced Security tabbed pages appear.

  4. Click the Other Params tab.


  5. From the Authentication Service list, select RADIUS.

  6. In the Send Accounting field, enter ON to enable accounting or OFF to disable accounting.

  7. Choose File > Save Network Configuration.

    The sqlnet.ora file updates with the following entry:

    SQLNET.RADIUS_SEND_ACCOUNTING=ON


Configure the RADIUS Accounting Server

RADIUS Accounting consists of an accounting server residing on either the same host as the RADIUS authentication server or on a separate host.

More Information:

For information on configuring RADIUS accounting, see the administration documentation for the RADIUS server. 

Task 6: Configure the Authentication Server for Use with RADIUS

More Information:

For instructions on configuring the authentication server, see the documentation for the authentication server. The "Related Publications" section in the Preface contains a list of possible resources. 

Task 7: Configure the RADIUS Server for Use with the Authentication Server

More Information:

See the documentation for the RADIUS server. 

Task 8: Create and Grant Roles

If the RADIUS server supports vendor type attributes, you can manage roles by storing them in the RADIUS server. The Oracle server downloads the roles when there is a CONNECT request using RADIUS.

To use this feature, configure roles on both the Oracle server and the RADIUS server.

Perform the following steps to configure roles on the Oracle server:

  1. Use a text editor to set the OS_ROLES parameter to TRUE in the initialization parameter file on the Oracle server.

  2. Stop and restart the Oracle server.

  3. Create each role the RADIUS server is to manage on the Oracle server with IDENTIFIED EXTERNALLY.

    More Information: See Oracle8i Administrator's Guide

To configure roles on the RADIUS server, see Table 4-2 for a list of parameters and their descriptions. Enter the following to create a role name:

ORA_DatabaseName.DatabaseDomainName_RoleName

Table 4-2

Parameter  Description

DatabaseName
    The name of the Oracle server for which the role is being created. This is the same as the value of the DB_NAME initialization parameter.

DatabaseDomainName
    The name of the domain to which the Oracle server belongs. This is the same as the value of the DB_DOMAIN initialization parameter.

RoleName
    The name of the role created in the Oracle server.

Create a Role on the RADIUS Server

The following is an example of a role created on the RADIUS server:

ORA_USERDB.US.ORACLE.COM_MANAGER

More Information:

See the RADIUS server administration documentation. 
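As an added example (not the adapter's code and not part of this guide), the following Python builds role names in the ORA_DatabaseName.DatabaseDomainName_RoleName format and, on the receiving side, selects from a list of attribute values only the roles that belong to a given database, so that a role stored for another database sharing the same RADIUS server is never enabled here. It matches on the full ORA_<DB_NAME>.<DB_DOMAIN>_ prefix, which keeps the split unambiguous even though role names may themselves contain underscores. The sample values are constructed, and the case-insensitive upper-case comparison (as for unquoted Oracle identifiers) is an assumption; the page does not describe how the adapter itself parses these values.

```python
import re

# Characters allowed in an unquoted Oracle identifier (assumption used for validation).
ROLE_PATTERN = re.compile(r"[A-Z][A-Z0-9_$#]*")


def radius_role_name(db_name: str, db_domain: str, role: str) -> str:
    """Build the value to store on the RADIUS server for one role of one database."""
    return f"ORA_{db_name}.{db_domain}_{role}".upper()


def role_for_database(value: str, db_name: str, db_domain: str):
    """Return the role name if value names a role for this database, else None."""
    prefix = f"ORA_{db_name}.{db_domain}_".upper()
    v = value.strip().upper()
    if not v.startswith(prefix):
        return None  # belongs to another database, or is not a role attribute at all
    role = v[len(prefix):]
    return role if ROLE_PATTERN.fullmatch(role) else None


def roles_to_enable(values, db_name: str, db_domain: str) -> list:
    """Filter the attribute values returned on a CONNECT down to the roles that
    belong to this database, preserving order and dropping duplicates."""
    seen, out = set(), []
    for value in values:
        role = role_for_database(value, db_name, db_domain)
        if role and role not in seen:
            seen.add(role)
            out.append(role)
    return out


# Constructed sample: values a RADIUS server might return for one user.
SAMPLE_VALUES = [
    "ORA_USERDB.US.ORACLE.COM_MANAGER",
    "ORA_USERDB.US.ORACLE.COM_CLERK_ROLE",
    "ORA_OTHERDB.US.ORACLE.COM_DBA",       # a different database: ignored
    "ORA_USERDB.US.ORACLE.COM_",           # empty role name: ignored
    "ORA_USERDB.US.ORACLE.COM_MANAGER",    # duplicate: ignored
]

if __name__ == "__main__":
    print(roles_to_enable(SAMPLE_VALUES, "USERDB", "US.ORACLE.COM"))
```

On the sample above only MANAGER and CLERK_ROLE survive the filter; each of those must also exist on the Oracle server as a role created with IDENTIFIED EXTERNALLY, as the steps above require.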

Logging on to the Database

If you are using the synchronous authentication mode, launch SQL*Plus and type the following at the prompt:

CONNECT username/password@database_alias

Note that you can log in with this command only when challenge-response is not set to ON.

If you are using the challenge-response (asynchronous) mode, launch SQL*Plus and, at the prompt, type the following:

CONNECT /@database_alias

Note that you can log in with this command only when challenge-response is set to ON.


Copyright © 1999 Oracle Corporation. All Rights Reserved.