RADIUS Authentication

A security feature that extends beyond the designation of ACLI User and Superuser privileges, the User Authentication and Access control feature supports authentication using your RADIUS server(s). In addition, you can set two levels of privilege, one for all privileges and a more limited set that is read-only.

User authentication configuration also allows you to use local authentication, localizing security to the Oracle® Enterprise Session Border Controller ACLI log-in modes. These modes are User and Superuser, each requiring a separate password.

The components involved in the RADIUS-based user authentication architecture are the Oracle® Enterprise Session Border Controller and your RADIUS server(s). In these roles:

  • The Oracle® Enterprise Session Border Controller restricts access and requires authentication via the RADIUS server; the Oracle® Enterprise Session Border Controller sends to the RADIUS server on either port 1812 or 1645, but it cannot detect whether the RADIUS server actually listens on the port you select
  • Your RADIUS server provides an alternative method for defining Oracle® Enterprise Session Border Controller users and authenticating them via RADIUS; the RADIUS server supports the VSA called ACME_USER_CLASS, which specifies what kind of user is requesting authentication and what privileges should be granted.

    The Oracle® Enterprise Session Border Controller also supports the use of the Cisco Systems Inc.™ Cisco-AVPair vendor specific attribute (VSA). This attribute allows for successful administrator login to servers that do not support the Oracle authorization VSA. While using RADIUS-based authentication, the Oracle® Enterprise Session Border Controller authorizes you to enter Superuser mode locally even when your RADIUS server does not return the ACME_USER_CLASS VSA or the Cisco-AVPair VSA. For this VSA, the Vendor-ID is 1 and the Vendor-Type is 9. The list below shows the values this attribute can return, and the result of each:

    • shell:priv-lvl=15—User automatically logged in as an administrator
    • shell:priv-lvl=1—User logged in at the user level, and not allowed to become an administrator
    • Any other value—User rejected

When RADIUS user authentication is enabled, the Oracle® Enterprise Session Border Controller communicates with one or more configured RADIUS servers that validates the user and specifies privileges. On the Oracle® Enterprise Session Border Controller, you configure:

  • What type of authentication you want to use on the Oracle® Enterprise Session Border Controller
  • If you are using RADIUS authentication, you set the port from which you want the Oracle® Enterprise Session Border Controller to send messages
  • If you are using RADIUS authentication, you also set the protocol type you want the Oracle® Enterprise Session Border Controller and RADIUS server to use for secure communication

Although most common set-ups use two RADIUS servers to support this feature, you are allowed to configure up to six. Among other settings for the server, there is a class parameter that specifies whether the Oracle® Enterprise Session Border Controller should consider a specific server as primary or secondary. As implied by these designations, the primary servers are used first for authentication, and the secondary servers are used as backups. If you configure more than one primary and one secondary server, the Oracle® Enterprise Session Border Controller chooses the servers to which it sends traffic in a round-robin strategy. For example, if you designate three servers as primary, the Oracle® Enterprise Session Border Controller round-robins among them until it finds an appropriate one; it does the same for secondary servers.

The ACME_USER_CLASS VSA enforces access levels by carrying one of the following three classes:

  • None—All access denied
  • User—Monitoring privileges are granted; your user prompt will resemble ORACLE>
  • Admin—All privileges are granted (monitoring, configuration, etc.); your user prompt will resemble ORACLE#

After it selects a RADIUS server, the Oracle® Enterprise Session Border Controller initiates communication and proceeds with the authentication process. The authentication process between the Oracle® Enterprise Session Border Controller and the RADIUS server takes place using one of three methods, all of which are defined by RFCs:

  • PAP (Password Authentication Protocol): B. Lloyd and W. Simpson, PPP Authentication Protocols, RFC 1334, October 1992
  • CHAP (Challenge Handshake Authentication Protocol): B. Lloyd and W. Simpson, PPP Authentication Protocols, RFC 1334, October 1992; W. Simpson, PPP Challenge Handshake Authentication Protocol (CHAP), RFC 1994, August 1996
  • MS-CHAP-V2: G. Zorn, Microsoft PPP CHAP Extensions, Version 2, RFC 2759, January 2000

Note:

MS-CHAP-V2 support includes authentication only; password exchange is not supported or allowed on the Oracle® Enterprise Session Border Controller.

Illustration of SBC and RADIUS server communications.

PAP Handshake

For PAP, the user credentials sent to the RADIUS server include the User-Name and User-Password attributes. The value of the User-Password attribute is calculated as specified in RFC 2865.

PAP Client Request Example

Radius Protocol
  Code: Access Request (1)
  Packet identifier: 0x4 (4)
  Length: 61
  Authenticator: 0x0000708D00002C5900002EB600003F37
  Attribute value pairs
    t:User Name(1) l:11, value:"TESTUSER1"
      User-Name: TESTUSER1
    t:User Password (2) l:18, value:739B3A0F25094E4B3CDA18AB69EB9E4
    t:NAS IP Address(4) l:6, value:168.192.68.8
      Nas IP Address: 168.192.68.8(168.192.68.8)
    t:NAS Port(5) l:6, value:118751232

PAP RADIUS Response

Radius Protocol
  Code: Access Accept (2)
  Packet identifier: 0x4 (4)
  Length: 20
  Authenticator: 0x36BD589C1577FD11E8C3B5BB223748
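The User-Password hiding that RFC 2865 specifies, together with the Response Authenticator check a client should perform on the Access-Accept, as an added Python example (this is not Oracle's code and is not taken from the captures above). The shared secret and the cleartext password are constructed; the Request Authenticator, identifier and attribute set are those of the PAP Access-Request shown above, so the packet the example builds comes out at the same Length of 61.

```python
"""RFC 2865 PAP User-Password hiding and Response Authenticator check.

Added example, not Oracle's code. SECRET and PASSWORD are constructed; the
Request Authenticator and attributes follow the PAP Access-Request above.
"""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: pad to a 16-octet multiple, then c_i = p_i XOR MD5(secret + c_(i-1)),
    with c_0 = Request Authenticator. This is obfuscation keyed by the shared secret,
    only as strong as the secret and the unpredictability of the authenticator."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        hidden += block
        prev = block
    return bytes(hidden)


def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server-side inverse of hide_user_password; trailing NUL padding is removed."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 octets")
    out = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def encode_attributes(attrs) -> bytes:
    """Type-Length-Value encoding; Length counts the two header octets (l:11 for TESTUSER1)."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def build_packet(code: int, identifier: int, authenticator: bytes, attrs) -> bytes:
    body = encode_attributes(attrs)
    return struct.pack("!BBH", code, identifier, 20 + len(body)) + authenticator + body


def response_authenticator(code, identifier, request_auth, body, secret) -> bytes:
    """RFC 2865 s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


def verify_response(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """A client must discard any reply whose Response Authenticator does not verify;
    otherwise an Access-Accept could be forged by anyone who can inject UDP."""
    if len(response) < 20:
        return False
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if length != len(response):
        return False
    expected = response_authenticator(code, identifier, request_auth, response[20:], secret)
    return hmac.compare_digest(expected, response[4:20])


# Constructed values for the demonstration; the secret and password are made up.
SECRET = b"constructed-shared-secret"
PASSWORD = b"TestPass1"
REQUEST_AUTH = bytes.fromhex("0000708D00002C5900002EB600003F37")  # from the capture above


def example_pap_request() -> bytes:
    """Rebuild the PAP Access-Request above with a constructed password."""
    attrs = [
        (USER_NAME, b"TESTUSER1"),
        (USER_PASSWORD, hide_user_password(PASSWORD, SECRET, REQUEST_AUTH)),
        (NAS_IP_ADDRESS, bytes([168, 192, 68, 8])),
        (NAS_PORT, struct.pack("!I", 118751232)),
    ]
    return build_packet(ACCESS_REQUEST, 4, REQUEST_AUTH, attrs)


def example_pap_accept() -> bytes:
    """The matching Access-Accept: no attributes, Length 20, as in the response above."""
    auth = response_authenticator(ACCESS_ACCEPT, 4, REQUEST_AUTH, b"", SECRET)
    return build_packet(ACCESS_ACCEPT, 4, auth, [])


if __name__ == "__main__":
    req = example_pap_request()
    print("Access-Request length:", len(req))  # 61
    acc = example_pap_accept()
    print("Accept verifies:", verify_response(acc, REQUEST_AUTH, SECRET))  # True
```

Two points the example makes visible: the User-Password value is 16 octets for any password of 16 characters or fewer (hence l:18 in the capture), and the hiding is keyed only by the shared secret and the Request Authenticator, so a weak secret or a predictable authenticator exposes every password sent. That is why the RADIUS path between the Oracle® Enterprise Session Border Controller and its servers belongs on a protected management network regardless of the protocol setting.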

CHAP Handshake

When the authentication mode is CHAP, the user credentials sent to the RADIUS server include User-Name, CHAP-Password, and CHAP-Challenge. The CHAP-Password value is a one-way MD5 hash calculated over the following values, in this order: the challenge-id (which for the Oracle® Enterprise Session Border Controller is always 0), followed by the user password, and then the challenge (as specified in RFC 1994, section 4.1).

CHAP Client Request Example

Radius Protocol
  Code: Access Request (1)
  Packet identifier: 0x5 (5)
  Length: 80
  Authenticator: 0x0000396C000079860000312A00006558
  Attribute value pairs
    t:User Name(1) l:11, value:"TESTUSER1"
      User-Name: TESTUSER1
    t:CHAP Password (3) l:19, value:003D4B1645554E881231ED7A137DD54FBF
    t:CHAP Challenge (60) l:18, value:0000396C000079860000312A00006558
    t:NAS IP Address(4) l:6, value:168.192.68.8
      Nas IP Address: 168.192.68.8(168.192.68.8)
    t:NAS Port(5) l:6, value:118751232

CHAP RADIUS Response

Radius Protocol
  Code: Access Accept (2)
  Packet identifier: 0x4 (4)
  Length: 20
  Authenticator: 0x3BE89EED1B43D91D80EB2562E9D65392
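The CHAP-Password computation described above, and the check the RADIUS server performs on it, as an added Python example (not Oracle's code, and not derived from the capture). The user name and the 16-octet challenge are taken from the CHAP Access-Request above; the cleartext password and the server's user table are constructed. The challenge-id is 0, as the text states for the Oracle® Enterprise Session Border Controller, so the attribute value is 17 octets, matching l:19 in the capture.

```python
"""RFC 1994 s4.1 CHAP-Password as carried in RADIUS (RFC 2865 s5.3).

Added example, not Oracle's code. USERS and the password are constructed;
the user name and challenge follow the CHAP Access-Request above.
"""
import hashlib
import hmac
import os

CHAP_IDENT = 0  # the ESBC always uses challenge-id 0


def chap_password(ident: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP-Password attribute value: one octet CHAP Ident followed by
    MD5(Ident + password + challenge)."""
    if not 0 <= ident <= 255:
        raise ValueError("CHAP Ident is a single octet")
    digest = hashlib.md5(bytes([ident]) + password + challenge).digest()
    return bytes([ident]) + digest


def fresh_challenge() -> bytes:
    """A 16-octet random challenge; a new one per request is what keeps a
    captured CHAP-Password from being replayed later."""
    return os.urandom(16)


def client_credentials(username: bytes, password: bytes, challenge: bytes) -> dict:
    """The three attributes the text lists. The cleartext password never leaves the client."""
    return {
        "User-Name": username,
        "CHAP-Password": chap_password(CHAP_IDENT, password, challenge),
        "CHAP-Challenge": challenge,
    }


def server_verify(attrs: dict, lookup_password) -> bool:
    """Server side: recompute the hash from the stored cleartext password and
    compare in constant time. CHAP needs the server to hold cleartext (or
    reversibly stored) passwords, the main operational caveat of choosing it."""
    stored = lookup_password(attrs["User-Name"])
    received = attrs["CHAP-Password"]
    if stored is None or len(received) != 17:
        return False
    expected = chap_password(received[0], stored, attrs["CHAP-Challenge"])
    return hmac.compare_digest(expected, received)


# Constructed user table for the demonstration.
USERS = {b"TESTUSER1": b"TestPass1"}
CHALLENGE = bytes.fromhex("0000396C000079860000312A00006558")  # from the capture above


def demo(username: bytes = b"TESTUSER1", password: bytes = b"TestPass1",
         challenge: bytes = CHALLENGE) -> bool:
    """Run one client/server exchange and return the server's decision."""
    attrs = client_credentials(username, password, challenge)
    return server_verify(attrs, USERS.get)


if __name__ == "__main__":
    print("correct password accepted:", demo())                           # True
    print("wrong password rejected:", demo(password=b"WrongPass"))         # False
    print("fresh challenge still verifies:", demo(challenge=fresh_challenge()))  # True
```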

MS-CHAP-v2 Handshake

When the authentication method is MS-CHAP-v2, the user credentials sent to the RADIUS server in the Access-Request packet are:

  • username
  • MS-CHAP2-Response—Specified in RFC 2548, Microsoft vendor-specific RADIUS attributes
  • MS-CHAP2-Challenge—Serves as a challenge to the RADIUS server

If the RADIUS authentication is successful, the Access-Accept packet from the RADIUS server must include an MS-CHAP2-Success attribute calculated using the MS-CHAP-Challenge attribute included in the Access-Request. The calculation of MS-CHAP2-Success must be carried out as specified in RFC 2759. The Oracle® Enterprise Session Border Controller verifies that the MS-CHAP2-Success attribute matches the value it calculates. If the values do not match, the authentication is treated as a failure.

MS-CHAP-v2 Client Request Example

Some values have been abbreviated.

Radius Protocol
  Code: Access Request (1)
  Packet identifier: 0x5 (5)
  Length: 80
  Authenticator: 0x0000024C000046B30000339F00000B78
  Attribute value pairs
    t:User Name(1) l:11, value:"TESTUSER1"
      User-Name: TESTUSER1
    t:Vendor Specific(26) l:24, vendor:Microsoft(311)
    t:MS CHAP Challenge(11) l:18, value:0000024C000046B30000339F00000B78
    t:Vendor Specific(26) l:58, vendor:Microsoft(311)
    t:MS CHAP2 Response(25) l:52, value:00000000024C000046B30000339F00000B78...
    t:NAS IP Address(4) l:6, value:168.192.68.8
      Nas IP Address: 168.192.68.8(168.192.68.8)
    t:NAS Port(5) l:6, value:118751232

MS-CHAP-v2 RADIUS Response

Radius Protocol
  Code: Access Accept (2)
  Packet identifier: 0x6 (6)
  Length: 179
  Authenticator: 0xECB4E59515AD64A2D21FC6D5F14D0CC0
  Attribute value pairs
    t:Vendor Specific(26) l:51, vendor:Microsoft(311)
      t:MS CHAP Success(11) l:45, value:003533s33d3845443532443135453846313...
    t:Vendor Specific(26) l:42, vendor:Microsoft(311)
      t:MS MPPE Recv Key(17) l:36, value:96C6325D22513CED178F770093F149CBBA...
    t:Vendor Specific(26) l:42, vendor:Microsoft(311)
      t:MS MPPE Send Key(16) l:36, value:9EC9316DBFA701FF0499D36A1032678143...
    t:Vendor Specific(26) l:12, vendor:Microsoft(311)
      t:MS MPPE Encryption Policy(7) l:6, value:00000001
    t:Vendor Specific(26) l:12, vendor:Microsoft(311)
      t:MS MPPE Encryption Type(8) l:6, value:00000006

Management Protocol Behavior

When you use local authentication, management protocols behave the same way that they do when you are not using RADIUS servers. When you are using RADIUS servers for authentication, management protocols behave as described in this section.

  • SSH in pass-through mode—The “user” or admin accounts are authenticated locally, not via the RADIUS server. For all other accounts, the configured RADIUS servers are used for authentication. If authentication is successful, the user is granted privileges depending on the ACME_USER_CLASS VSA attribute.
  • SSH in non-pass-through mode—When you create an SSH account on the Oracle® Enterprise Session Border Controller, you are asked to supply a user name and password. Once local authentication succeeds, you are prompted for the ACLI user name and password. If your user ACLI name is user, then you are authenticated locally. Otherwise, you are authenticated using the RADIUS server. If RADIUS authentication is successful, the privileges you are granted depend on the ACME_USER_CLASS VSA attribute.
  • SFTP in pass-through mode—If you do not configure an SSH account on the Oracle® Enterprise Session Border Controller, the RADIUS server is contacted for authentication for any user that does not have the user name user. The Oracle® Enterprise Session Border Controller uses local authentication if the user name is user.
  • SFTP in non-pass-through mode—The “user” or admin accounts are authenticated locally, not via the RADIUS server. For all other accounts, the configured RADIUS servers are used for authentication.

RADIUS Authentication Configuration

To enable RADIUS authentication and user access on your Oracle® Enterprise Session Border Controller, you need to configure global parameters for the feature and then configure the RADIUS servers that you want to use.

Global Authentication Settings

To configure the global authentication settings:

  1. In Superuser mode, type configure terminal and press Enter.
    ORACLE# configure terminal
  2. Type security and press Enter.
    ORACLE(configure)# security
  3. Type authentication and press Enter. The system prompt changes to let you know that you can begin configuring individual parameters.
    ORACLE(security)# authentication
    ORACLE(authentication)#

    From here, you can view the entire menu for the authentication configuration by typing a ?. You can set global parameters for authentication. You can also configure individual RADIUS servers; instructions for configuring RADIUS server appear in the next section.

  4. type—Set the type of user authentication you want to use on this Oracle® Enterprise Session Border Controller. The default value is local. The valid values are:
    • local | radius

  5. protocol—If you are using RADIUS user authentication, set the protocol type to use with your RADIUS server(s). The default is pap. The valid values are:
    • pap | chap | mschapv2

  6. source-port—Set the number of the port you want to use for messages sent from the Oracle® Enterprise Session Border Controller to the RADIUS server. The default value is 1812. The valid values are:
    • 1645 | 1812

  7. allow-local-authorization—Set this parameter to enabled if you want the Oracle® Enterprise Session Border Controller to authorize users to enter Superuser (administrative) mode locally even when your RADIUS server does not return the ACME_USER_CLASS VSA or the Cisco-AVPair VSA. The default for this parameter is disabled.

RADIUS Server Settings

The parameters you set for individual RADIUS servers identify the RADIUS server, establish a password common to the Oracle® Enterprise Session Border Controller and the server, and set the retry timing.

Setting the class and the authentication methods for the RADIUS servers can determine how and when they are used in the authentication process.

To configure a RADIUS server to use for authentication:

  1. Access the RADIUS server submenu from the main authentication configuration:
    ORACLE(authentication)# radius-servers
    ORACLE(radius-servers)#
  2. address—Set the remote IP address for the RADIUS server. There is no default value, and you are required to configure this address.
  3. port—Set the port at the remote IP address for the RADIUS server. The default port is set to 1812. The valid values are:
    • 1645 | 1812

  4. state—Set the state of the RADIUS server. Enable this parameter to use this RADIUS server to authenticate users. The default value is enabled. The valid values are:
    • enabled | disabled

  5. secret—Set the password that the RADIUS server and the Oracle® Enterprise Session Border Controller share. This password is transmitted between the two when the request for authentication is initiated; this ensures that the RADIUS server is communicating with the correct client.
  6. nas-id—Set the NAS ID for the RADIUS server. There is no default for this parameter.
  7. retry-limit—Set the number of times that you want the Oracle® Enterprise Session Border Controller to retry for authentication information from this RADIUS server. The default value is 3. The valid range is:
    • Minimum—1

    • Maximum—5

      If the RADIUS server does not respond within this number of tries, the Oracle® Enterprise Session Border Controller marks it as dead.

  8. retry-time—Set the amount of time (in seconds) that you want the Oracle® Enterprise Session Border Controller to wait before retrying for authentication from this RADIUS server. The default value is 5. The valid range is:
    • Minimum—5

    • Maximum—10

  9. dead-time—Set the amount of time in seconds before the Oracle® Enterprise Session Border Controller retries a RADIUS server that it has designated as dead because that server did not respond within the maximum number of retries. The default is 10. The valid range is:
    • Minimum—10

    • Maximum—10000

  10. maximum-sessions—Set the maximum number of outstanding sessions for this RADIUS server. The default value is 255. The valid range is:
    • Minimum—1

    • Maximum—255

  11. class—Set the class of this RADIUS server as either primary or secondary. A connection to the primary server is tried before a connection to the secondary server is tried. The default value is primary. Valid values are:
    • primary | secondary

      The Oracle® Enterprise Session Border Controller tries to initiate contact with primary RADIUS servers first, and then tries the secondary servers if it cannot reach any of the primary ones.

      If you configure more than one RADIUS server as primary, the Oracle® Enterprise Session Border Controller chooses the one with which it communicates using a round-robin strategy. The same strategy applies to the selection of secondary servers if there is more than one.

  12. authentication-methods—Set the authentication method you want the Oracle® Enterprise Session Border Controller to use with this RADIUS server. The default value is pap. Valid values are:
    • all | pap | chap | mschapv2

      This parameter has a specific relationship to the global protocol parameter for the authentication configuration, and you should exercise care when setting it. If the authentication method that you set for the RADIUS server does not match the global authentication protocol, then the RADIUS server is not used. The Oracle® Enterprise Session Border Controller simply overlooks it and does not send authentication requests to it. You can enable use of the server by changing the global authentication protocol so that it matches.

  13. Use the management-servers attribute to identify one or more RADIUS servers available to provide AAA services.

    Servers are identified by IP address, participate in the configured management-strategy, and must have been previously configured as described above.

    The following example identifies three available RADIUS servers. The list is delimited by left and right parentheses, and list items are separated by space characters.

    ORACLE(authentication)# management-servers (172.30.0.6 172.30.1.8 172.30.2.10)
    ORACLE(authentication)#

    The following example deletes the current list.

    ORACLE(authentication)# management-servers ()
    ORACLE(authentication)#
  14. Save your work and activate your configuration.
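The server selection and failover behaviour that steps 7, 9, 11 and 12 describe (retry-limit and dead-time, primary servers before secondary with round-robin inside a class, and a server whose authentication-methods does not match the global protocol being ignored), modelled as an added Python simulation. This is not Oracle's implementation and is not taken from the page: the 172.30.x addresses reuse the management-servers example above, while the 10.0.0.99 server, the clock values and the failure sequence are constructed. retry-time and maximum-sessions are not modelled.

```python
"""Model of the documented RADIUS server selection on the ESBC.

Added example, not Oracle's implementation. Addresses other than the
172.30.x ones, the clock and the failure sequence are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class RadiusServer:
    address: str
    server_class: str = "primary"        # class: primary | secondary
    state: str = "enabled"               # state: enabled | disabled
    authentication_methods: str = "pap"  # all | pap | chap | mschapv2
    retry_limit: int = 3                 # 1..5, default 3
    dead_time: int = 10                  # 10..10000 seconds, default 10
    failures: int = 0                    # consecutive unanswered requests
    dead_until: float = 0.0              # clock value at which a dead server is retried

    def usable(self, protocol: str, now: float) -> bool:
        """Step 12: a server whose method does not match the global protocol is
        simply not used; disabled and dead servers are skipped as well."""
        return (self.state == "enabled"
                and self.authentication_methods in ("all", protocol)
                and now >= self.dead_until)


class ServerSelector:
    def __init__(self, servers: List[RadiusServer], protocol: str = "pap"):
        self.servers = list(servers)
        self.protocol = protocol          # the global authentication protocol
        self._rr = {"primary": 0, "secondary": 0}

    def _candidates(self, cls: str, now: float) -> List[RadiusServer]:
        return [s for s in self.servers
                if s.server_class == cls and s.usable(self.protocol, now)]

    def select(self, now: float) -> Optional[RadiusServer]:
        """Step 11: primaries first, round-robin within the class; secondaries
        only when no primary is usable. None means no server is reachable."""
        for cls in ("primary", "secondary"):
            candidates = self._candidates(cls, now)
            if candidates:
                chosen = candidates[self._rr[cls] % len(candidates)]
                self._rr[cls] += 1
                return chosen
        return None

    def record_timeout(self, server: RadiusServer, now: float) -> None:
        """Steps 7 and 9: after retry-limit unanswered requests the server is
        marked dead and not retried until dead-time seconds have passed."""
        server.failures += 1
        if server.failures >= server.retry_limit:
            server.failures = 0
            server.dead_until = now + server.dead_time

    def record_success(self, server: RadiusServer) -> None:
        server.failures = 0


def build_demo_selector():
    """Two primaries and one secondary from the management-servers example,
    plus a constructed primary configured for chap under a global pap protocol."""
    servers = [
        RadiusServer("172.30.0.6"),
        RadiusServer("172.30.1.8"),
        RadiusServer("172.30.2.10", server_class="secondary"),
        RadiusServer("10.0.0.99", authentication_methods="chap"),  # constructed; ignored
    ]
    return ServerSelector(servers, protocol="pap"), servers


def selection_sequence(selector: ServerSelector, now: float, count: int) -> list:
    """Addresses chosen for `count` consecutive requests at clock value `now`."""
    return [s.address if s else None for s in (selector.select(now) for _ in range(count))]


if __name__ == "__main__":
    sel, servers = build_demo_selector()
    print("round-robin over primaries:", selection_sequence(sel, 0, 4))
    first = servers[0]
    for _ in range(first.retry_limit):   # three unanswered requests at t=1
        sel.record_timeout(first, now=1)
    print("after 172.30.0.6 is marked dead:", selection_sequence(sel, 2, 2))
    print("retried once dead-time has passed:", selection_sequence(sel, 11, 1))
```

The simulation makes the interaction between step 12 and the global protocol concrete: the chap-only server never appears in any selection while the global protocol is pap, which is the silent failure mode the step warns about. It also shows why dead-time matters operationally: with the default of 10 seconds and a retry-limit of 3, an unreachable primary keeps absorbing requests every 10 seconds, so logs from both sides should be read together when authentication latency is investigated.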