RADIUS Authentication

A security feature that extends beyond the designation of ACLI User and Superuser privileges, the User Authentication and Access control feature supports authentication using your RADIUS server(s). In addition, you can set two levels of privilege, one for all privileges and more limited set that is read-only.

User authentication configuration also allows you to use local authentication, localizing security to the Oracle® Enterprise Session Border Controller ACLI log-in modes. These modes are User and Superuser, each requiring a separate password.

The components involved in the RADIUS-based user authentication architecture are the Oracle® Enterprise Session Border Controller and your RADIUS server(s). In these roles:

  • The Oracle® Enterprise Session Border Controller restricts access and requires authentication via the RADIUS server; the Oracle® Enterprise Session Border Controller communicates with the RADIUS server using either port 1812 or 1645, but does not know if the RADIUS server listens on these ports
  • Your RADIUS server provides an alternative method for defining Oracle® Enterprise Session Border Controller users and authenticating them via RADIUS; the RADIUS server supports the VSA called ACME_USER_CLASS, which specifies what kind of user is requesting authentication and what privileges should be granted.

    The Oracle® Enterprise Session Border Controller also supports the use of the Cisco Systems Inc.™ Cisco-AVPair vendor specific attribute (VSA). This attribute allows for successful administrator login to servers that do not support the Oracle authorization VSA. While using RADIUS-based authentication, the Oracle® Enterprise Session Border Controller authorizes you to enter Superuser mode locally even when your RADIUS server does not return the ACME_USER_CLASS VSA or the Cisco-AVPair VSA. For this VSA, the Vendor-ID is 1 and the Vendor-Type is 9. The list below shows the values this attribute can return, and the result of each:

    • shell:priv-lvl=15—User automatically logged in as an administrator
    • shell:priv-lvl=1—User logged in at the user level, and not allowed to become an administrator
    • Any other value—User rejected

When RADIUS user authentication is enabled, the Oracle® Enterprise Session Border Controller communicates with one or more configured RADIUS servers that validates the user and specifies privileges. On the Oracle® Enterprise Session Border Controller, you configure:

  • What type of authentication you want to use on the Oracle® Enterprise Session Border Controller
  • If you are using RADIUS authentication, you set the port from which you want the Oracle® Enterprise Session Border Controller to send messages
  • If you are using RADIUS authentication, you also set the protocol type you want the Oracle® Enterprise Session Border Controller and RADIUS server to use for secure communication

Although most common set-ups use two RADIUS servers to support this feature, you are allowed to configure up to six. Among other settings for the server, there is a class parameter that specifies whether the Oracle® Enterprise Session Border Controller should consider a specific server as primary or secondary. As implied by these designation, the primary servers are used first for authentication, and the secondary servers are used as backups. If you configure more than one primary and one secondary server, the Oracle® Enterprise Session Border Controller will choose servers to which it sends traffic in a round-robin strategy. For example, if you specify three servers are primary, the Oracle® Enterprise Session Border Controller will round-robin to select a server until it finds an appropriate one; it will do the same for secondary servers.

The VSA attribute assists with enforcement of access levels by containing one of the three following classes:

  • None—All access denied
  • User—Monitoring privileges are granted; your user prompt will resemble ORACLE>
  • Admin—All privileges are granted (monitoring, configuration, etc.); your user prompt will resemble ORACLE#

Once it has selected a RADIUS server, the Oracle® Enterprise Session Border Controller initiates communication and proceeds with the authentication process. The authentication process between the Oracle® Enterprise Session Border Controller and the RADIUS server takes place uses one of three methods, all of which are defined by RFCs:

Protocol RFC
PAP (Password Authentication Protocol) B. Lloyd and W. Simpson, PPP Authentication Protocols, RFC 1334, October 1992
CHAP (Challenge Handshake Authentication Protocol) B. Lloyd and W. Simpson, PPP Authentication Protocols, RFC 1334, October 1992

W. Simpson, PPP Challenge Handshake Authentication Protocol (CHAP), RFC 1994, August 1996

MS-CHAP-V2 G. Zorn, Microsoft PPP CHAP Extensions, Version 2, RFC 2759, January 2000

Note:

MS-CHAP-V2 support includes authentication only; password exchange is not supported or allowed on the Oracle® Enterprise Session Border Controller.
Previous
Previous 		Next
Next
Go To Table Of Contents
Contents