1. Cloud Control Security Guide
  2. Security Best Practices for Database Management in Enterprise Manager
  3. Kerberos and RADIUS Authentication
  4. RADIUS

RADIUS

You can log into a target database as a database user that is externally authenticated using RADIUS. Although the entire process is transparent from an Enterprise Manager client perspective, specific connection parameters need to be specified via JDBC during the database login. The database itself acts as a RADIUS client and passes information from the database client (Enterprise Manager) to the RADIUS server to authenticate the user. RADIUS-based login only supports synchronous authentication mode.

Note:

Choosing the RADIUS authentication option requires users who log into the target database be aware that RADIUS authentication is necessary.

Synchronous Login

Enterprise manager supports one-time database login using RADIUS by setting following OMS properties:

emctl set property -name oracle.sysman.db.enable_radius_auth -value true

AND

emctl set property -name oracle.sysman.db.multiCredTypeLogin -value true

Enabling the RADIUS authentication type provides a full-fledged RADIUS credential type that will prompt for the username and password, as shown in the following graphic.


Graphic shows the RADIUS selection options from Enterprise Manager.

Co-existance with an Earlier Version of Radius Authentication

If you are using the existing option of specifying the OMS RADIUS property and used the Enable Radius checkbox in the database login UI, set the following OMS properties as shown below to revert back to the original behavior for RADIUS credentials.

emctl set property -name oracle.sysman.db.multiCredTypeLogin -value false (or unset this property if previously set via emctl delete property -name oracle.sysman.db.multiCredTypeLogin)

emctl add property -name oracle.sysman.db.enable_radius_auth -value true

Upgrade Implications

If you are currently using this feature via the OMS RADIUS property being set, an upgrade to the latest version will NOT result in any visible changes, by default. You can explicitly enable the new RADIUS credential type and enable multi-login support with both the DBCredsType and DBRadiusCredsType options being displayed in the drop-down selection for one-time login by explicitly setting emctl set property -name oracle.sysman.db.multiCredTypeLogin -value true

You will need to unset the OMS property for multiCredTypeLogin mentioned above to false (or delete the property) to revert to original behavior if desired or will now need to define new named credentials of type DBRadiusCreds to log in to target database using RADIUS

Setting the following parameters will return RADIUS authentication to the original Enterprise Manager 13c Release 4 behavior on the one-time login screen.


Graphic shows the original EM 13.4 RADIUS login

emctl set property -name oracle.sysman.db.multiCredTypeLogin -value false

OR

emctl delete property -name oracle.sysman.db.multiCredTypeLogin

You must also ensure the follwing property continues to be set:

emctl add property -name oracle.sysman.db.enable_radius_auth -value false (or remove the property)