RADIUS authentication

If I'm not in the correct discussion group, please let me know.
I'm running a X5-2 ODA box with DB=12.1.0.2, GRID=18.3.0.0.0 in a 2-node RAC configuration.
We are working on a project where we will authenticate database access via a RADIUS server (I'm on the db side and another coworker is on the windows side).
After initial testing, it seems that Oracle is not communicating with RADIUS.
Below is my example radius sqlnet.ora file
##
## For RADIUS/DUO/MFA
##
SQLNET.AUTHENTICATON_SERVICES=RADIUS
SQLNET.RADIUS_AUTHENTICATION=RADIUS_server_<ip address>
SQLNET.RADIUS_AUTHENTICATION_PORT=<port>
SQLNET.RADIUS_AUTHENTICATION_TIMEOUT=60
SQLNET.RADIUS_AUTHENTICATION_RETRIES=3
SQLNET.RADIUS_SECRET=/u01/app/oracle/product/12.1.0.2/dbhome_1/network/security/radius.key
SQLNET.RADIUS_CLASSPATH=/u01/app/oracle/product/12.1.0.2/dbhome_1/network/jlib/netradius6.jar
SQLNET.RADIUS_CHALLENGE_RESPONSE=OFF
##SQLNET.RADIUS_CHALLENGE_KEYWORD=()
SQLNET.RADIUS_SEND_ACCOUNTING=OFF
One question is: which sqlnet.ora file should be modified? The one under GRID ownership or the one under ORACLE ownership?
Has anyone successfully implemented this?
Any help would be greatly appreciated.
Cheers,
Mark
Answers
-
Pretty much every time I modify sqlnet.ora, I make the change in both GRID_HOME and RDBMS_HOME.
Cheers,
Brian
-
Arsalan Dehghanisariyarghan Oracle DBA Team Leader / Oracle App DBA / EDA Member Posts: 372 Bronze Trophy
Node TNS listeners run from the Grid Oracle home (default), but the connections are owned by the operating system account for the RDBMS Oracle home.
This means the SQLNET.ORA file for the RDBMS Oracle home must have the parameter set. So, you are looking for RDBMS and GRID home sqlnet.ora file synchronization options.
Regards
-
The simple rule of thumb is that parameters that affect the listener (i.e. inbound to the database) are set in the .ora files in the GRID_HOME. Parameters that affect connections from the DB to other DBs or services (i.e. outbound from the database) are set in the DB_HOME. If you're not sure, do as Brian suggests and put the settings in both.
-
Thank you for all the help.
I've tried setting both GRID and ORACLE sqlnet.ora files but when we test the Oracle side doesn't contact the RADIUS server at all (we are watching the authproxy.log file).
Is there something I'm missing? Is there any additional software that needs to be installed or configured on the Oracle side?
Mark
-
Arsalan Dehghanisariyarghan Oracle DBA Team Leader / Oracle App DBA / EDA Member Posts: 372 Bronze Trophy
Hello markdba123
Is it possible to put the contents of the log file showing what error occurs during the connection?
For configuring RADIUS authentication for database users, the links below are useful for checking the steps to be performed on the RADIUS server and the steps to be performed on the database server.
How To Configure Radius Authentication For Database Users (Doc ID 2140300.1)
Enabling RADIUS Authentication and Accounting (Doc ID 132820.1)
HTH
Arsalan
-
Hi Arsalan,
If you mean the response I get while trying to log in....
C:\WINDOWS\system32>sqlplus [email protected]
SQL*Plus: Release 9.2.0.1.0 - Production on Wed May 20 12:25:41 2020
Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.
Enter password:
ERROR:
ORA-01017: invalid username/password; logon denied
Enter user-name:
I just noticed that I'm using the 9i client... could that be the issue?
I've also had some re-edits to my sqlnet.ora file since I can't seem to type very well:
##
## For RADIUS/DUO/MFA
##
SQLNET.RADIUS_AUTHENTICATION=radius
SQLNET.RADIUS_AUTHENTICATION_INTERFACE=DefaultRadiusInterface
SQLNET.RADIUS_AUTHENTICATION=<ip_address)
SQLNET.RADIUS_AUTHENTICATION_PORT=<port>
SQLNET.RADIUS_AUTHENTICATION_TIMEOUT=60
SQLNET.RADIUS_AUTHENTICATION_RETRIES=6
SQLNET.RADIUS_SECRET=$ORACLE_HOME/network/security/radius.key
SQLNET.RADIUS_CHALLENGE_RESPONSE=OFF
SQLNET.RADIUS_SEND_ACCOUNTING=OFF
The radius client never seems to get a response from the Oracle database.
I'm getting more and more confused.
Any help would be greatly appreciated.
Cheers,
Mark
-
Arsalan Dehghanisariyarghan Oracle DBA Team Leader / Oracle App DBA / EDA Member Posts: 372 Bronze Trophy
Markdba123, Oracle says:
Connecting to the database fails for RADIUS authenticated users with ORA-01017: invalid username/password; Connecting to database works for internally authenticated users.
A possible cause is that *ASO is not installed on the client*.
ASO is not installed by default and can only be installed as part of a custom install.
Solution:
Install ASO on the client.
Reference:
Connecting to Database Fails with ORA-1017 using RADIUS Authenticated Users (Doc ID 168293.1)
HTH
Arsalan
-
Interesting... I didn't think that the client needed to be changed.
So I installed 12c (12.1.0.2) client with everything including ASO.
My database sqlnet.ora now is:
NAMES.DEFAULT_DOMAIN = world
SQLNET.ALLOWED_LOGON_VERSION_SERVER = 8
##
## For RADIUS/DUO/MFA
##
SQLNET.RADIUS_AUTHENTICATION=radius
SQLNET.RADIUS_AUTHENTICATION_INTERFACE=DefaultRadiusInterface
SQLNET.RADIUS_AUTHENTICATION=10.0.12.65
SQLNET.RADIUS_AUTHENTICATION_PORT=1812
SQLNET.RADIUS_AUTHENTICATION_TIMEOUT=60
SQLNET.RADIUS_AUTHENTICATION_RETRIES=6
SQLNET.RADIUS_SECRET=$ORACLE_HOME/network/security/radius.key
SQLNET.RADIUS_CHALLENGE_RESPONSE=OFF
SQLNET.RADIUS_SEND_ACCOUNTING=OFF
and my local client sqlnet.ora is now:
SQLNET.AUTHENTICATION_SERVICES= (RADIUS)
NAMES.DIRECTORY_PATH= (TNSNAMES)
NAMES.DEFAULT_DOMAIN = WORLD
TRACE_LEVEL_CLIENT = OFF
and I still get the ORA-01017: invalid username/password; logon denied error message.
-
Arsalan Dehghanisariyarghan Oracle DBA Team Leader / Oracle App DBA / EDA Member Posts: 372 Bronze Trophy
Can I ask what the set value of these two parameters is in the database?
remote_os_authent=?
os_authent_prefix=?
Regards,
-
remote_os_authent=false
os_authent_prefix=
Mark
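
Added example, not part of the thread and not Oracle's code: a small lint pass over a sqlnet.ora file that reports three things that can be seen in the server-side files posted above, namely a parameter name that is not in the RADIUS parameter list, a parameter assigned twice, and RADIUS_* settings present while SQLNET.AUTHENTICATION_SERVICES does not list RADIUS. The function name, the finding labels and the sample files (with 192.0.2.10 as a placeholder address) are constructed for illustration.

```python
import re

# RADIUS-related parameter names from Oracle's sqlnet.ora reference.
KNOWN = {
    "SQLNET.AUTHENTICATION_SERVICES", "SQLNET.RADIUS_AUTHENTICATION",
    "SQLNET.RADIUS_AUTHENTICATION_PORT", "SQLNET.RADIUS_AUTHENTICATION_TIMEOUT",
    "SQLNET.RADIUS_AUTHENTICATION_RETRIES", "SQLNET.RADIUS_AUTHENTICATION_INTERFACE",
    "SQLNET.RADIUS_SECRET", "SQLNET.RADIUS_CLASSPATH",
    "SQLNET.RADIUS_CHALLENGE_RESPONSE", "SQLNET.RADIUS_CHALLENGE_KEYWORD",
    "SQLNET.RADIUS_SEND_ACCOUNTING", "SQLNET.RADIUS_ALTERNATE",
    "SQLNET.RADIUS_ALTERNATE_PORT",
}

# Constructed samples modelled on the files in the thread (192.0.2.10 is a placeholder).
SERVER_V1 = """SQLNET.AUTHENTICATON_SERVICES=RADIUS
SQLNET.RADIUS_AUTHENTICATION=192.0.2.10
SQLNET.RADIUS_AUTHENTICATION_PORT=1812
"""
SERVER_V2 = """SQLNET.RADIUS_AUTHENTICATION=radius
SQLNET.RADIUS_AUTHENTICATION_INTERFACE=DefaultRadiusInterface
SQLNET.RADIUS_AUTHENTICATION=192.0.2.10
SQLNET.RADIUS_AUTHENTICATION_PORT=1812
"""

def lint_sqlnet(text):
    """Return (line, kind, detail) findings; line 0 means a whole-file finding."""
    findings, seen = [], {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        # Skip blanks, comments and indented continuation lines of multi-line values.
        if "=" not in line or raw[:1].isspace() or line.startswith("("):
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.upper()
        if key in seen:
            findings.append((n, "duplicate", f"{key} already set on line {seen[key][0]}"))
        seen[key] = (n, value)
        # Only RADIUS_* names and *_SERVICES look-alikes are checked against KNOWN.
        if re.match(r"SQLNET\.(RADIUS_|AUTH\w*_SERVICES$)", key) and key not in KNOWN:
            findings.append((n, "unknown", f"{key} is not a known parameter name"))
    services = seen.get("SQLNET.AUTHENTICATION_SERVICES", (0, ""))[1].upper()
    if any(k.startswith("SQLNET.RADIUS_") for k in seen) and "RADIUS" not in services:
        findings.append((0, "not-enabled",
                         "RADIUS_* set but SQLNET.AUTHENTICATION_SERVICES lacks RADIUS"))
    return findings

if __name__ == "__main__":
    for name, cfg in (("v1", SERVER_V1), ("v2", SERVER_V2)):
        for finding in lint_sqlnet(cfg):
            print(name, *finding)
```

Running the same pass against the sqlnet.ora in both GRID_HOME and the RDBMS home also shows whether the two copies have drifted apart.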