Oracle Advanced Security Administrator's Guide
Release 8.1.7

Part Number A85430-01

C
Integrating Authentication Devices Using RADIUS

This appendix describes how third party authentication vendors customize the RADIUS challenge-response user interface to fit their particular device.

This appendix contains the following sections:

About the RADIUS Challenge-Response User Interface

You can set up any authentication device that supports the RADIUS standard to authenticate Oracle users. When your authentication device uses the challenge-response mode, a graphical interface prompts the user first for a password, then for additional information--for example, a dynamic password that the user obtains from a token card. This interface is Java-based to provide optimal platform independence.

Third party vendors of authentication devices must customize this graphical user interface to fit their particular device. For example, a smart card vendor customizes the Oracle client to issue the challenge to the smart card reader. Then, when the smart card receives a challenge, it responds by prompting the user for more information, such as a PIN.

Oracle has developed a Java class for this graphical user interface. It is a set of Java methods that implement an Oracle RADIUS interface (described below). These methods are loaded dynamically by a C-code module using the Java Native Interface, specified in release 1.1 of the Java Development Kit from JavaSoft. You can find the OracleRadiusInterface file in the following directory:

$ORACLE_HOME/network/security/classes

Customizing the RADIUS Challenge-Response User Interface

You customize this interface by creating your own class to handle the challenge-response conversation between the Oracle client and the RADIUS server. You then open the sqlnet.ora file, look up the SQLNET.RADIUS_AUTHENTICATION_INTERFACE parameter, and replace the name of the class listed there, namely, DefaultRadiusInterface, with the name of the new class you have just created. When you make this change in the sqlnet.ora file, the class is loaded on the Oracle client in order to handle the authentication process.

The third party must implement the Oracle RADIUS Interface, which is located in the ORACLE.NET.RADIUS package.

public interface OracleRadiusInterface {
  public void radiusRequest();
  public void radiusChallenge(String challenge);
  public String getUserName();
  public String getPassword();
  public String getResponse();
}

Table C-1 Server Encryption Level Setting

Parameter        Description
radiusRequest    Generally, this prompts the user for a user name and password which will later be retrieved through getUserName and getPassword.
getUserName      Extracts the user name the user enters. If this method returns an empty string, it is assumed that the user wants to cancel the operation. The user then receives a message indicating that the authentication attempt failed.
getPassword      Extracts the password the user enters. If getUserName returns a valid string, but getPassword returns an empty string, the challenge keyword is relayed as the password from the server. If the user enters a valid password, a challenge may or may not be returned by the server.
radiusChallenge  Presents a request sent from the RADIUS server for the user to enter more information.
getResponse      Extracts the response the user enters. If this method returns a valid response, that information then populates the User-Password attribute in the new Access-Request packet. If an empty string is returned, the operation is aborted from both sides by returning the corresponding value.
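
The following is an added example, not Oracle's code: a minimal console implementation of the interface that follows the empty-string conventions described in Table C-1. The class name TokenCardRadiusInterface, the console prompts, the injected input source, and the local stand-in copy of the interface are all assumptions made so the file compiles and runs by itself.

```java
import java.io.*;
// Stand-in copy of the interface above so this file compiles alone (assumption).
interface OracleRadiusInterface {
    void radiusRequest();
    void radiusChallenge(String challenge);
    String getUserName();
    String getPassword();
    String getResponse();
}

// Hypothetical class; the console prompts and input source are assumptions.
public class TokenCardRadiusInterface implements OracleRadiusInterface {
    private final BufferedReader in;
    private String userName = "", password = "", response = "";

    public TokenCardRadiusInterface(Reader source) { in = new BufferedReader(source); }

    // Read one line; end of input or an I/O error yields "", i.e. cancel/abort.
    private String prompt(String label) {
        System.out.print(label + ": ");
        try {
            String line = in.readLine();
            return line == null ? "" : line;
        } catch (IOException e) {
            return "";
        }
    }

    public void radiusRequest() {
        userName = prompt("User name");
        // An empty user name cancels, so do not ask for a password after it.
        password = userName.isEmpty() ? "" : prompt("Password");
    }

    public void radiusChallenge(String challenge) {
        System.out.println("Challenge: " + challenge);
        response = prompt("Response"); // "" aborts the exchange
    }

    public String getUserName() { return userName; }
    public String getPassword() { return password; }
    public String getResponse() { return response; }

    public static void main(String[] args) {
        // Constructed input: user name, empty password, token-card response.
        OracleRadiusInterface ui = new TokenCardRadiusInterface(new StringReader("scott\n\n492817\n"));
        ui.radiusRequest();
        ui.radiusChallenge("Enter the code shown on your token"); // constructed text
        System.out.println("\nuser=" + ui.getUserName() + " emptyPassword=" + ui.getPassword().isEmpty());
    }
}
```

A production class would collect the password and the response without echoing them, for example through a masked input field or the vendor's device, and would not write either value to logs.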


Copyright © 1996-2000, Oracle Corporation.

All Rights Reserved.