RADIUS authentication

markdba123

If I'm not in the correct discussion group, please let me know.

I'm running a X5-2 ODA box with DB=12.1.0.2, GRID=18.3.0.0.0 in a 2-node RAC configuration.

We are working on a project where we will authenticate database access via a RADIUS server (I'm on the db side and another coworker is on the windows side).

After initial testing, it seems that Oracle is not communicating with RADIUS.

Below is my example radius sqlnet.ora file

##

## For RADIUS/DUO/MFA

##

SQLNET.AUTHENTICATON_SERVICES=RADIUS

SQLNET.RADIUS_AUTHENTICATION=RADIUS_server_<ip address>

SQLNET.RADIUS_AUTHENTICATION_PORT=<port>

SQLNET.RADIUS_AUTHENTICATION_TIMEOUT=60

SQLNET.RADIUS_AUTHENTICATION_RETRIES=3

SQLNET.RADIUS_SECRET=/u01/app/oracle/product/12.1.0.2/dbhome_1/network/security/radius.key

SQLNET.RADIUS_CLASSPATH=/u01/app/oracle/product/12.1.0.2/dbhome_1/network/jlib/netradius6.jar

SQLNET.RADIUS_CHALLENGE_RESPONSE=OFF

##SQLNET.RADIUS_CHALLENGE_KEYWORD=()

SQLNET.RADIUS_SEND_ACCOUNTING=OFF

One question is:  which sqlnet.ora file should be modified?  The one under GRID ownership or the one under ORACLE ownership?

Has anyone successfully implemented this?

Any help would be greatly appreciated.

Cheer,
Mark

BPeaslandDBA

Pretty much every time I modify sqlnet.ora, I make the change in both GRID_HOME and RDBMS_HOME.

Cheers,

Brian

Arsalan Dehghanisariyarghan

Nodes TNS listeners run from the Grid Oracle home (default), but the connections are owned by the operating system account for the RDBMS Oracle home.

This means the SQLNET.ORA file for the RDBMS Oracle home must have the parameter set. So, you are looking for RDBMS and GRID home sqlnet.ora file synchronization options.

Regards

pmdba

The simple rule of thumb is that parameters that affect the listener (i.e. inbound to the database) are set in the .ora files in the GRID_HOME. Parameters that affect connections from the DB to other DBs or services (i.e. outbound from the database) are set in the DB_HOME. If you're not sure, do as Brian suggests and put the settings in both.

markdba123

Thank you for all the help.

I've tried setting both GRID and ORACLE sqlnet.ora files but when we test the Oracle side doesn't contact the RADIUS server at all (we are watching the authproxy.log file).

Is there something I'm missing?  Is there any additional software that needs to be installed or configured on the Oracle side?

Mark

Arsalan Dehghanisariyarghan

Hello markdba123

Is it possible to put the contents of the log file showing what error occurs during the connection?

About configure radius authentication for database users links below are useful to you to check steps to be performed on the radius server and steps to be performed on the database server.

How To Configure Radius Authentication For Database Users (Doc ID 2140300.1)

Enabling RADIUS Authentication and Accounting (Doc ID 132820.1)

HTH

Arsalan

markdba123

Hi Arsalan,

If you mean the response I get while trying to log in....

C:\WINDOWS\system32>sqlplus [email protected]

SQL*Plus: Release 9.2.0.1.0 - Production on Wed May 20 12:25:41 2020

Copyright (c) 1982, 2002, Oracle Corporation.  All rights reserved.

Enter password:

ERROR:

ORA-01017: invalid username/password; logon denied

Enter user-name:

I just noticed that I'm using the 9i client... could that be the issue?

I've also had some re-edits to my sqlnet.ora file since I can't seem to type very well:

##

## For RADIUS/DUO/MFA

##

SQLNET.RADIUS_AUTHENTICATION=radius

SQLNET.RADIUS_AUTHENTICATION_INTERFACE=DefaultRadiusInterface

SQLNET.RADIUS_AUTHENTICATION=<ip_address)

SQLNET.RADIUS_AUTHENTICATION_PORT=<port>

SQLNET.RADIUS_AUTHENTICATION_TIMEOUT=60

SQLNET.RADIUS_AUTHENTICATION_RETRIES=6

SQLNET.RADIUS_SECRET=$ORACLE_HOME/network/security/radius.key

SQLNET.RADIUS_CHALLENGE_RESPONSE=OFF

SQLNET.RADIUS_SEND_ACCOUNTING=OFF

The radius client never seems to get a response from the Oracle database.

I'm getting more and more confused.

Any help would be greatly appreciated.

Cheers,
Mark

Arsalan Dehghanisariyarghan

Markdba123, Oracle says:

Connecting to the database fails for RADIUS authenticated users with ORA-01017: invalid username/password; Connecting to database works for internally authenticated users.

A possible cause is that *ASO is not installed on the client*.

ASO is not installed by default and can only be installed as part of a custom install.

Solution:

Install ASO on the client.

Reference:

Connecting to Database Fails with ORA-1017 using RADIUS Authenticated Users (Doc ID 168293.1)

HTH

Arsalan

markdba123

interesting... I didn't think that the client need to changed.

So I installed 12c (12.1.0.2) client with everything including ASO.

My database sqlnet.ora now is:

NAMES.DEFAULT_DOMAIN = world

SQLNET.ALLOWED_LOGON_VERSION_SERVER = 8

##

## For RADIUS/DUO/MFA

##

SQLNET.RADIUS_AUTHENTICATION=radius

SQLNET.RADIUS_AUTHENTICATION_INTERFACE=DefaultRadiusInterface

SQLNET.RADIUS_AUTHENTICATION=10.0.12.65

SQLNET.RADIUS_AUTHENTICATION_PORT=1812

SQLNET.RADIUS_AUTHENTICATION_TIMEOUT=60

SQLNET.RADIUS_AUTHENTICATION_RETRIES=6

SQLNET.RADIUS_SECRET=$ORACLE_HOME/network/security/radius.key

SQLNET.RADIUS_CHALLENGE_RESPONSE=OFF

SQLNET.RADIUS_SEND_ACCOUNTING=OFF

and my local client sqlnet.ora is now:

SQLNET.AUTHENTICATION_SERVICES= (RADIUS)

NAMES.DIRECTORY_PATH= (TNSNAMES)

NAMES.DEFAULT_DOMAIN = WORLD

TRACE_LEVEL_CLIENT = OFF

and I still get the ORA-01017: invalid username/password; logon denied error message.

Arsalan Dehghanisariyarghan

Can I ask what the set value of these two parameters is in the database?

remote_os_authent=?

os_authent_prefix=?

Regards,

markdba123

remote_os_authent=false

os_authent_prefix=

Mark