1 About Oracle RADIUS Agent

1.1 Introduction to Oracle RADIUS Agent

Oracle RADIUS Agent is an application-layer user authentication service that uses the industry-standard RADIUS (Remote Authentication Dial-In User Service) protocol. It also facilitates authorization by fetching groups and user attributes from the primary authenticator, such as an LDAP directory.

Oracle RADIUS Agent is a RADIUS-based authentication service that acts as an intermediary between the client application requiring authentication services and one or more authentication providers. Example application clients are a VPN server, a Linux server using SSH, Oracle Database, or any RADIUS-based client application.

Oracle RADIUS Agent supports both single-factor authentication and multi-factor authentication. You can configure the authentication provider for primary authentication requests. Currently, standard LDAP authentication providers such as Oracle Unified Directory, Oracle Internet Directory, and Microsoft Active Directory are supported. Oracle RADIUS Agent supports multi-factor authentication used in conjunction with Oracle Advanced Authentication. It uses the challenge/response mechanism of the RADIUS protocol for handling multi-factor requests and responses. It also supports user selection of multi-factor authentication mechanisms when more than one factor is available.

Oracle RADIUS Agent makes it easier to support multiple client applications talking to a single Oracle RADIUS Agent instance, each with its own listener port and configuration.

The deployment for Oracle RADIUS Agent is based on a container image. The Oracle RADIUS Agent instance is stateless and can be deployed easily for high availability and scalability by using multiple container instances.

1.2 Oracle RADIUS Agent Features

Oracle RADIUS Agent has support for a wide variety of features designed to make it easy to deploy, use, and manage.

  • Password-based Primary Authentication Against LDAP

    Oracle RADIUS Agent supports any LDAPv3-compliant servers such as Oracle Unified Directory, Oracle Internet Directory, and Microsoft Active Directory.

  • Multi-factor authentication by using Oracle Advanced Authentication, which provides second-factor authentication for a multi-factor authentication deployment.

  • RADIUS Agent exposes several preferences that can be set based on the deployment requirements. For example, fetching of groups, mappings for groups and users, settings for synchronous mode, and factor preferences for Oracle Advanced Authentication can be configured in preferences. For more information, see Configuration Properties.

  • Supports the following second factors:

    • Time-based One-Time Password (TOTP)

    • One-Time Password (OTP) (both SMS and email)

    • Yubikey OTP

  • Support for User Selection of Second-Factor Mechanism

    When multiple second-factor authentication mechanisms exist, the user may choose the mechanism to be used at the time of authentication.

  • Support for Asynchronous and Synchronous Multi-factor Authentication Modes

    Oracle RADIUS Agent supports both asynchronous and synchronous authentication modes with multi-factor authentication over RADIUS.

    Asynchronous mode is the challenge/response mode where the user is prompted for a second factor based on the preferences configured in Oracle Advanced Authentication. When a user has multiple authentication factors configured, RADIUS interactions are made interactive by showing the user a list of available factors to choose from. The user also has the capability to choose a preferred authentication factor to execute without going through the interactive mode.

    Legacy applications may not have the interfaces needed for an interactive multi-factor exchange. For such applications, multi-factor authentication can still be performed by appending the second factor to the primary password as a single combined authentication password. This works for any pre-generated token and takes the format <password>;<second_factor>. This is synchronous mode. The ; delimiter shown here is configurable in Oracle RADIUS Agent.

  • Support for User Authorization

    Oracle RADIUS Agent supports retrieving groups and user attributes based on configurable mappings. These can be used by RADIUS clients to perform authorizations based on their needs.

  • Support for Multiple RADIUS Client Applications

    You can define global and application-scoped configurations. The application-scoped configurations support overriding specific settings from the global configuration on an application basis.

  • IPv6 Support

    Oracle RADIUS Agent supports IPv6 for all networking connections.

  • Support for Logging, Metrics, and Auditing

    Oracle RADIUS Agent makes use of java.util.logging. The location of the log files is configurable during the initial container setup. Oracle RADIUS Agent also supports a custom logging.properties. In addition, you can change log levels dynamically by calling the Oracle RADIUS Agent configuration REST API.

    Oracle RADIUS Agent generates metrics using the MicroProfile Metrics specification. As part of application-specific metrics data, Oracle RADIUS Agent generates metrics related to primary authentication, multi-factor authentication, and listener configuration. The Helidon framework also generates JVM and Helidon specific metrics.

    Oracle RADIUS Agent supports file-based audit logs. The audit logger is named oracle.idm.radius.audit.log.level and is enabled out of the box. All audit records are written to the ora-audit%g.log file in the logs directory. You can disable audit logging by changing the log level of this logger to ERROR.

  • Centralized file-based configuration storage on persistent container volumes.

  • Stateless instances

    The Oracle RADIUS Agent instance is stateless and can be easily destroyed and respawned. In addition, it is easy to spawn new instances by pointing to an existing configuration in a shared container volume.

  • Load Balancing

    For high availability, a number of Oracle RADIUS Agent instances can be deployed behind a load balancer. The load balancer must be configured for session stickiness.

  • Supports coexistence of multiple Oracle RADIUS Agents of different versions sharing the same configuration.
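As an added example that is not part of Oracle's documentation or product code, the following Python shows the agent-side handling that the synchronous mode described above implies: the cleartext User-Password is first recovered from the Access-Request using the RFC 2865 hiding scheme and the client's shared secret, and the combined value is then split on the configured delimiter. Splitting on the last occurrence of the delimiter, and treating a missing or empty second factor as "primary password only", are assumptions of this example, not documented Oracle RADIUS Agent behaviour; the secret and password values are constructed.

```python
import hashlib
import os


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a multiple of 16 bytes (at least 16), then XOR each
    16-byte chunk with MD5(secret + previous ciphertext chunk), seeded with the
    16-byte Request Authenticator. This is what a RADIUS client does before sending."""
    padded = password.ljust((len(password) + 15) // 16 * 16 or 16, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        chunk = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += chunk
        prev = chunk
    return out


def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_user_password, as performed by the RADIUS server side.
    Trailing NUL padding is stripped (assumes passwords contain no NUL bytes)."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def split_combined_password(cleartext: str, delimiter: str = ";") -> tuple:
    """Split '<password><delimiter><second_factor>' into (password, second_factor).
    Assumption: split on the LAST delimiter so a primary password may itself contain
    the delimiter; no delimiter, or an empty factor, yields (cleartext, None) so the
    caller can fall back to the asynchronous challenge/response mode."""
    if delimiter not in cleartext:
        return cleartext, None
    primary, _, factor = cleartext.rpartition(delimiter)
    if not factor:
        return cleartext, None
    return primary, factor


def demo() -> tuple:
    """Round trip with constructed values: client hides, agent reveals and splits."""
    secret = b"constructed-shared-secret"      # per-client shared secret from registration
    authenticator = os.urandom(16)             # Request Authenticator from the Access-Request
    hidden = hide_user_password(b"S3cret!;123456", secret, authenticator)
    cleartext = reveal_user_password(hidden, secret, authenticator).decode()
    return split_combined_password(cleartext, ";")
```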

Note:

Oracle RADIUS Agent does not support RADIUS Accounting (RFC 2866) in this release.

1.3 Oracle RADIUS Agent Architecture and Deployment Model

A typical infrastructure utilizing Oracle RADIUS Agent consists of one or more application clients, the Oracle RADIUS Agent itself, Oracle Advanced Authentication, one or more back-end authentication providers and persistent storage volumes for use by the Oracle RADIUS Agent.

The Oracle RADIUS Agent architecture enables a flexible and scalable interface to these infrastructure components in order to provide a wide feature set along with high availability and scalability.

The system architecture for Oracle RADIUS Agent is shown in the following figure.

[Figure: RADIUS Architecture]

The application client communicates with Oracle RADIUS Agent over UDP using the RADIUS protocol. Oracle RADIUS Agent communicates with the primary authentication provider using LDAP.

The following sections provide more information about the component interfaces:

Application Client Connections

The application client connects to the RadiusListener port of Oracle RADIUS Agent and communicates over UDP. The RadiusListener port is randomly allocated by Oracle RADIUS Agent between 1812 and 1830. This port number must be mapped to a local port and exposed from the container according to your deployment needs.

Primary Authenticator Interface

Currently, the only supported primary authenticator protocol is LDAP. The connection between Oracle RADIUS Agent and the primary authenticator is over TCP/IP using LDAP.

Multi-factor Authenticator Interfaces

Multi-factor authentication is supported using Oracle Advanced Authentication. The connection between the Oracle RADIUS Agent and Oracle Advanced Authentication uses REST APIs over TCP/IP.

Oracle RADIUS Agent Storage

The Oracle RADIUS Agent container instance uses persistent external storage volumes mounted into the container for storing configuration data, shared secrets from client registrations, and logs. The storage volume may be shared among multiple container instances of the RADIUS agent. Instance data, such as logs, is stored under an instance-specific directory. You must back up the data store located on the external storage volume for the Oracle RADIUS Agent.

Note:

Instance-specific data, such as logs and auto-generated keystores for HTTPS, is stored under an instance directory.