Setup RADIUS Proxy

Learn how to set up and install RADIUS Proxy and how to test that it's working.

Before You Begin

  • Enable RADIUS Proxy. This is a Standard License feature. To learn about these features, see Standard License Tier Features for Oracle Identity Cloud Service.
  • Install the latest Postman client.
  • Download the Oracle Identity Cloud Service RADIUS Proxy Postman collection.
  • Review these checkpoints. As you are setting up RADIUS Proxy, use the following checkpoints to verify that your configuration is correct at each step of the process.
    1. Check that the RADIUS Proxy and the RADIUS Proxy Client App are activated in Identity Cloud Service.
    2. Check that the IP address of the database and the port number of RADIUS Proxy are correctly configured in the RADIUS App.
    3. Check the RADIUS Agent is up and running.
    4. Check the proxy server is up and running.
    5. Check the database is up.

RADIUS Proxy Mapping

RADIUS Proxy and RADIUS Proxy Listener have a 1-1 mapping: for each RADIUS Proxy there is one RADIUS Proxy Listener. Multiple Oracle DB RADIUS clients can be mapped to one RADIUS Proxy, that is, a RADIUS Proxy has a 1-n mapping with Oracle DB RADIUS clients.

If an administrator configures multiple Oracle DB RADIUS clients, then the same number of Oracle Database RADIUS apps must be created in Oracle Identity Cloud Service, one for each Oracle DB RADIUS client. For example, if an administrator has configured four Oracle DB RADIUS clients to one RADIUS Proxy, then in Oracle Identity Cloud Service there must be four Oracle Database RADIUS apps configured, one for each Oracle DB client.

To set up RADIUS Proxy:
  1. Download the latest RADIUS Proxy Installer from Oracle Identity Cloud Service.
    1. In the Identity Cloud Service console, expand the Navigation Drawer, click Settings, and then Downloads.
    2. Choose Identity Cloud Service RADIUS Proxy for Linux, and then click Download.
  2. Create the RADIUS App from the RADIUS App Template. Note: For REST go to RADIUS Proxy, RADIUS App, Search, and then Search all apps (with search criteria).
    1. In the Identity Cloud Service console, expand the Navigation Drawer, click Applications, Add, and then App Catalog.
    2. Search for the Oracle Database Radius App Template and click Add.
    3. Complete the App details similar to the example below.
      • Name: dbserver
      • Description: App representing the Oracle database server as a RADIUS client
      • IP Address of Oracle Database server: 10.242.230.122 (This is the IP address where the database is installed.)
      • Port of RADIUS Proxy: 1812 (The port number on which RADIUS Proxy should listen for requests from this Oracle database. The same port number should be configured in the RADIUS settings of Oracle Database.)
      • Secret key: testing123 (The secret key used to secure communication between RADIUS Proxy and the Oracle Database server. The same key should be configured in the RADIUS settings of Oracle Database.)
    4. Click Add, Activate, and then click the Users tab.

      Note:

      Assign the users who should be allowed to log in to Oracle Database to this RADIUS App by clicking Assign Users. Instead of assigning individual users, you can assign a group that contains those users: click the Groups tab, and then Assign Groups.

      Note: Create the group name in the Oracle Identity Cloud instance according to the following format defined in Step 3C: Configure the RADIUS Server in Configuring RADIUS Authentication: ORA_databaseSID_rolename[_[A]|[D]].

      For every role in Oracle database to be identified by Oracle Identity Cloud Service, create a corresponding group using the format above. Assign a user to this group in Oracle Identity Cloud Service so that the respective database user is associated with the respective database role.

  3. Create a RADIUS Proxy in Oracle Identity Cloud Service.
    1. Register a Client Application. See Register a Client Application.
    2. Open Postman and import the Oracle Identity Cloud Service RADIUS Proxy.postman_collection.json collection to execute the REST requests in this section.
    3. Import the Oracle Identity Cloud Service RADIUS Proxy Example Environment with Variables.postman_environment.json environment file which contains the environment variables used in the collection.
    4. Set the following environment variables.

      For HOST, use the Oracle Identity Cloud Service address, for example, https://example.identity.acmecorp.com.

      For CLIENT_ID and CLIENT_SECRET, use the values that you copied in Step a above.

      Note:

      Other environment variables are set automatically when the REST requests are executed. Make sure that the following REST requests are executed in the order given.
    5. Obtain an access token. To make API calls to Oracle Identity Cloud Service, you must authenticate your client against Oracle Identity Cloud Service, and then obtain an OAuth access token. The access token provides a session between a client (in this case, Postman) and Oracle Identity Cloud Service. By default, the access token has a timeout interval of 60 minutes, and then you must request a new access token to perform additional REST API calls. To obtain an OAuth access token, execute the request in the Postman collection under RADIUS Proxy, OAuth Token, and then Obtain access_token (client credentials).
    6. Create the RADIUS Proxy by using a POST Operation. Go to RADIUS Proxy, Create, and then Create a RADIUS Proxy.

      End point: admin/v1/RadiusProxies/{{RPid}}

      {
        "displayName": "Acme RADIUS Proxy",
        "description": "This is a RADIUS Proxy used for authentication of database users",
        "type": "proxy",
        "timeout": 20,
        "noOfWorkerThreads": 10,
        "schemas": ["urn:ietf:params:scim:schemas:oracle:idcs:RadiusProxy"]
      }
    7. Use this Patch Operation to activate the RADIUS Proxy. Go to RADIUS Proxy, Lifecycle, and then Activate a RADIUS Proxy.

      End point: /admin/v1/RadiusProxies/{{RPid}}

      {
        "Operations": [
          {
            "op": "replace",
            "path": "active",
            "value": true
          }
        ],
        "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"]
      }
    8. Create the RADIUS Proxy Listener using a POST Operation. Go to RADIUS Proxy, RADIUS Proxy Listeners, Create, and then Create a RADIUS Proxy Listener.

      End point: {{HOST}}/admin/v1/RadiusProxyListeners

      {
        "description": "Brief description for this RADIUS Proxy Listener.",
        "displayName": "RP1_L1",
        "hostName": "<HostName of the machine in which RADIUS Proxy will be installed.>",
        "radiusProxySettings": "{\"key1\": \"value1\", \"key2\": \"value2\"}",
        "radiusProxy": {
          "value": "<ID of RadiusProxy which is created above.>"
        },
        "schemas": ["urn:ietf:params:scim:schemas:oracle:idcs:RadiusProxyListener"]
      }
    9. Get the dbserver App ID. Perform a GET call on admin/v1/Apps?filter=displayName eq "dbserver". Fetch the App ID from the response of this GET call. Go to RADIUS Proxy, RADIUS App, Search, and then Search all apps (with search criteria).
      You can also get the App ID from the URL of the dbserver.
    10. Create a RADIUS Proxy Mapping using a POST Operation. Go to RADIUS Proxy, RADIUS Proxy Mappings, Create, and then Create a RADIUS Proxy Mapping.

      End point: {{HOST}}/admin/v1/RadiusProxyMappings/

      Note:

      For "value" below, the ID is the ID of Radius Proxy which you created above.
      {
        "description": "RADIUS Proxy mapping for Database server",
        "radiusProxy": {
          "value": "<RadiusProxyID>"
        },
        "radiusApp": {
          "value": "<ID of RADIUS App obtained above.>"
        },
        "schemas": ["urn:ietf:params:scim:schemas:oracle:idcs:RadiusProxyMapping"]
      }
      
    11. GET client_id and clientSecret of the RADIUS Proxy. This is required during RADIUS Proxy installation. RADIUS Proxy will use these credentials to authenticate with Oracle Identity Cloud Service. Go to RADIUS Proxy, Search, Create, Get client ID, and client secret of the App corresponding to RADIUS Proxy.

      End point: {{HOST}}/admin/v1/Apps/{{RPOAuthClientAppId}}?attributes=clientSecret,name

      RPOAuthClientAppId is the ID of the App corresponding to RADIUS Proxy. You can find it in the response [response.oauthClient.value] in step 3f, Create a RADIUS Proxy Mapping using a POST Operation.

      Response:
      {
        "isAliasApp": false,
        "basedOnTemplate": {
          "value": "RadiusProxyAppTemplateId"
        },
        "displayName": "Acme RADIUS Proxy",
        "name": "<client id>",
        "id": "75d525ce49ee469ba4dcac00bdfe6446",
        "clientSecret": "<client secret>"
      }
      
  4. Execute the Installer.
    1. Unzip the downloaded idcs_radius_proxy-xxxx.zip file into a folder.
    2. Name the folder <radius bin location-xxxx>. Where xxxx is the version number (for example, 20.1.3).
      Three files are extracted: FileInfo.json, idcs_radius_proxy_installer.bin, and InstallerValidation.jar. The InstallerValidation.jar file and the idcs_radius_proxy_installer.bin file are located in the same directory post extraction. They must remain in the same directory.
    3. Log in as the root user or run the following command with sudo: ./idcs_radius_proxy_installer.bin

      Note:

      The installer supports only Graphical User Interface mode. It does not support console mode. If you see the error "Graphical installers are not supported by the VM.", make sure the X server is configured properly. Then run this command as a non-root user: xhost +si:localuser:root, and run the installer again.
  5. Install RADIUS Proxy.
    1. Read the Welcome screen, and then click Next.
    2. Read the Information screen, and then click Next.
    3. Select the Destination Folder (default is /root/oracle_radius_proxy), where the RADIUS Proxy installer will be installed. Click Next.
    4. On the HTTP Proxy screen, select Use HTTP Proxy if RADIUS Proxy needs to use HTTP proxy to connect to Oracle Identity Cloud Service. If not, then leave this check box unchecked. Click Next.
    5. On the Oracle Identity Cloud Service screen, enter the Cloud Service URL in the following format: https://tenant-base-url. Provide the Client ID and Client Secret of the RADIUS Proxy created in Oracle Identity Cloud Service. (This is the RADIUS Proxy you created using the POST Operation above.) Click Next.
    6. On the RADIUS User and Group Information screen, provide the Username and user Group information, for example:
      • Username: <client>
      • Group: <dba>

      Oracle Identity Cloud Service RADIUS Proxy daemon will run under the specified username and group.

    7. Click Next.
    8. On the pre-install screen, verify that all the information is correct. If it's correct, click Install.
    9. When the installation is complete, click Done.
  6. Check that the RADIUS Agent and RADIUS Proxy are running. The RADIUS Agent obtains configuration data from Oracle Identity Cloud Service at regular intervals. Then, it updates the configuration files used by RADIUS Proxy.
    1. Use the following RADIUS Agent commands to check whether the agent is running:
      • python <RADIUS_PROXY_INSTALLER_LOCATION>/oracle_radius_proxy/radius_agent/scripts/src/radius_agent.py status
      • You can also use stop, start and restart if needed.
    2. Use the following command to run RADIUS Proxy: /sbin/service idcs_radiusd start
    3. Run these RADIUS Proxy commands to verify the RADIUS service is running.
      • /sbin/service idcs_radiusd status
      • You can also use stop, start and restart if needed.
  7. Optional: Use the NTRadPing Test Utility to validate that RADIUS proxy is working.
    1. Install the NTRadPing Test Utility in Windows, and then create a User in Oracle Identity Cloud Service.
    2. Use the screenshot below as an example. In the screenshot, client is the user created in Oracle Identity Cloud Service and testing123 is the secret key given in RADIUS Settings, Secret key of App Details page.

      Figure 21-1 NTRadPing Test Utility in Windows
  8. Set up and configure Oracle Database 12c. For more information, see Configuring RADIUS Authentication. Follow the instructions in the Configuring RADIUS Authentication section, and then use the following commands to create a user and role in the database.
    sqlplus /@orclpdb
    
    Alter system set OS_ROLES=TRUE scope=spfile;
    Alter system set OS_AUTHENT_PREFIX='' scope=spfile;
    create user ckent identified externally;
    create role dblogin identified externally;
    create role dbreadtable identified externally;
    grant create session to dblogin;
    grant select on system.help to dbreadtable;
  9. You can't add an IP address in CIDR format using the Oracle Identity Cloud Service user interface. If the IP address of the Oracle Database is in CIDR format, use the following request from the Postman collection. See Change an IP Address from CIDR Format.
  10. Set up MFA. To set up MFA in Oracle Identity Cloud Service, follow these instructions: Enable and Configure Multi-Factor Authentication (MFA).
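
The group-name format from the RADIUS App step decides which externally identified database roles a user receives, so a mistyped or over-privileged group name is worth catching before users are assigned. The following is an added example, not part of Oracle's tooling: it builds and audits group names for the dblogin and dbreadtable roles created above. The function names, the SID ORCL, the allowed-flag policy and the case-insensitive comparison are assumptions made for illustration.

```python
import re

# ORA_<databaseSID>_<rolename>[_A|_D]; per Oracle's RADIUS documentation,
# A marks admin privileges for the role and D marks a default role.
GROUP_RE = re.compile(
    r"^ORA_(?P<sid>[A-Za-z0-9]+)_(?P<role>.+?)(?:_(?P<flag>[AD]))?$",
    re.IGNORECASE,  # assumption: names are compared case-insensitively
)


def group_name(sid, role, flag=""):
    """Build the group name for one externally identified database role."""
    if flag not in ("", "A", "D"):
        raise ValueError(f"flag must be '', 'A' or 'D', got {flag!r}")
    return f"ORA_{sid}_{role}" + (f"_{flag}" if flag else "")


def audit_groups(groups, sid, allowed):
    """Return (group, problem) pairs for names that break the mapping.

    allowed maps each expected role to the set of flags it may carry,
    e.g. {"dblogin": {"", "D"}}; anything else is reported.
    """
    findings = []
    for name in groups:
        m = GROUP_RE.match(name)
        if m is None:
            findings.append((name, "not in ORA_<SID>_<role>[_A|_D] format"))
            continue
        role, flag = m["role"].lower(), (m["flag"] or "").upper()
        if m["sid"].upper() != sid.upper():
            findings.append((name, f"SID {m['sid']} is not {sid}"))
        elif role not in allowed:
            findings.append((name, f"role {role} is not an expected role"))
        elif flag not in allowed[role]:
            findings.append((name, f"flag {flag or 'none'} not permitted for {role}"))
    return findings


# Constructed sample: SID "ORCL" is assumed; roles are the page's dblogin/dbreadtable.
ALLOWED = {"dblogin": {"", "D"}, "dbreadtable": {""}}
SAMPLE_GROUPS = [
    group_name("ORCL", "dblogin", "D"),
    "ORA_ORCL_dbreadtable",
    "ORA_ORCL_dbreadtable_A",   # would carry admin privileges on the role
    "ORA_PROD_dblogin",         # different database
    "ORA_ORCL_dba",             # role nobody planned to map
    "dblogin",                  # missing prefix and SID
]

if __name__ == "__main__":
    for group, problem in audit_groups(SAMPLE_GROUPS, "ORCL", ALLOWED):
        print(f"{group}: {problem}")
```

Run it against the list of group names assigned to the RADIUS App; an empty result means every group maps to an expected role with an expected flag.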

Log Files and Configuration Information

Note the following file locations for log and configuration information.

Troubleshooting

Learn about common problems that you might encounter when using RADIUS Proxy and learn how to solve them.

/sbin/service idcs_radiusd is stopped

Use the following steps when you see that the status of /sbin/service idcs_radiusd is stopped.

  1. Check that the RADIUS Agent is running by using the following Python command: <RADIUS_PROXY_INSTALLER_LOCATION>/oracle_radius_proxy/radius_agent/scripts/src/radius_agent.py status
  2. If the status is running, check the agent logs at: <RADIUS_PROXY_INSTALLER_LOCATION>/oracle_radius_proxy/radius_agent/logs/agent.log

    If you see the following exception in the RADIUS Proxy log file (<RADIUS_PROXY_INSTALLER_LOCATION>/oracle_radius_proxy/radius_proxy/log/radius_proxy.log): Exception in thread "main" java.net.BindException: Cannot assign requested address at sun.nio.ch.Net.bind0(Native Method)

    The solution is to make sure the host entry is correct in RADIUS Proxy listener.
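
One way to confirm the host entry before restarting the service, shown as an added example that is not part of the RADIUS Proxy distribution: resolve the listener's hostName on the proxy machine and try to bind a UDP socket to each resulting address. The function name is hypothetical, and the use of UDP and port 0 is an assumption chosen so the check never collides with a running proxy.

```python
import socket


def check_listener_host(host_name):
    """Return [(address, bindable, detail)] for each address host_name resolves to.

    A UDP socket is bound to port 0 (any free port), so the check tests only
    whether the address belongs to this machine and never competes with a
    running idcs_radiusd for its RADIUS port.
    """
    try:
        infos = socket.getaddrinfo(host_name, 0, type=socket.SOCK_DGRAM)
    except socket.gaierror as exc:
        return [(host_name, False, f"does not resolve: {exc}")]
    results = []
    for family, socktype, proto, _canon, sockaddr in infos:
        address = sockaddr[0]
        try:
            with socket.socket(family, socktype, proto) as sock:
                sock.bind(sockaddr)
            results.append((address, True, "local address"))
        except OSError as exc:
            # "Cannot assign requested address" here is the same OS error
            # that surfaces as the Java BindException in radius_proxy.log.
            results.append((address, False, exc.strerror or str(exc)))
    return results


if __name__ == "__main__":
    import sys

    # Pass the hostName configured in the RADIUS Proxy Listener;
    # defaults to this machine's own host name.
    target = sys.argv[1] if len(sys.argv) > 1 else socket.gethostname()
    for address, ok, detail in check_listener_host(target):
        print(f"{address}: {'OK' if ok else 'FAIL'} ({detail})")
```

Any FAIL line means the listener's hostName points at an address this machine does not own, which matches the BindException above.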

RADIUS Proxy Known Issues

Learn about RADIUS Proxy known issues you might encounter.

Changes in the RADIUS Proxy Configuration

If any RADIUS Proxy configuration is changed in Oracle Identity Cloud Service, restart RADIUS Agent and RADIUS Proxy by completing the following steps so that the new configuration is reflected:
  1. <RADIUS_PROXY_INSTALLER_LOCATION>/oracle_radius_proxy/radius_agent/scripts/src/radius_agent.py restart.
  2. Verify if the configuration is updated in: <RADIUS_PROXY_INSTALLER_LOCATION>/radius_proxy/conf/radius_proxy.conf or <RADIUS_PROXY_INSTALLER_LOCATION>/radius_proxy/conf/radius_clients.conf.
  3. /sbin/service idcs_radiusd restart.

Change an IP Address from CIDR Format

You can't add an IP address in CIDR format using the Oracle Identity Cloud Service user interface. If the IP address of the Oracle Database is in CIDR format, use the following request from the Postman collection. Go to RADIUS Proxy, RADIUS App, Modify, and then Update RADIUS App (IP Address in CIDR format).
PATCH: {{HOST}}/admin/v1/Apps/{{appid}}
{
  "schemas": [
    "urn:ietf:params:scim:api:messages:2.0:PatchOp"
  ],
  "Operations": [
    {
      "op": "replace",
      "path": "urn:ietf:params:scim:schemas:oracle:idcs:extension:radiusApp:App:clientIP",
      "value": "10.34.0.0/16"
    }
  ]
}