Enabling RADIUS Authentication, Authorization, and Accounting

To enable RADIUS authentication and accounting, perform the following tasks:

Step 3: Configure Additional RADIUS Features

■ Change Default Settings
■ Configure Challenge-Response
■ Set Parameters for an Alternate RADIUS Server
Change Default Settings

Use Oracle Net Manager to change the default settings (see "Starting Oracle Net Manager" on page 2-2):

1. Navigate to the Oracle Advanced Security profile (see "Navigating to the Oracle Advanced Security Profile" on page 2-3). The Oracle Advanced Security tabbed window appears (Figure 5–5).
2. Choose the Other Params tab.
3. From the Authentication Service list, select RADIUS.
4. Change the default setting for any of the following fields:

Field                Description
Port Number          Specifies the listening port of the primary RADIUS server. The default value is 1645. Port 1645 is the port used by early RADIUS implementations; RFC 2865 assigns port 1812, and most current RADIUS servers listen there, so set this field to the port your server actually uses.
Timeout (seconds)    Specifies the time the Oracle database server waits for a response from the primary RADIUS server. The default is 15 seconds.
Number of Retries    Specifies the number of times the Oracle database server resends messages to the primary RADIUS server. The default is three retries.
Secret File          Specifies the location of the secret key file on the Oracle database server. The field specifies the location of the secret key file, not the secret key itself. For information about specifying the secret key, see "Create the RADIUS Secret Key File on the Oracle Database Server" on page 5-11.

5. Choose File > Save Network Configuration.

The sqlnet.ora file is updated with the following entries:

SQLNET.RADIUS_AUTHENTICATION_PORT=(PORT)
SQLNET.RADIUS_AUTHENTICATION_TIMEOUT=(NUMBER OF SECONDS TO WAIT FOR response)
SQLNET.RADIUS_AUTHENTICATION_RETRIES=(NUMBER OF TIMES TO RE-SEND TO RADIUS server)
SQLNET.RADIUS_SECRET=(path/radius.key)

Caution: Setting REMOTE_OS_AUTHENT to TRUE can enable a security breach, because it lets someone using a non-secure protocol, such as TCP, perform an operating system-authorized login (formerly called an OPS$ login).

See Also: Oracle Database Reference and the Oracle Database Administrator's Guide, for information about setting initialization parameters on an Oracle Database server.

For instructions on configuring RADIUS accounting, see Task 5: Configure RADIUS Accounting on page 5-19.

Configure Challenge-Response

The challenge-response (asynchronous) mode presents the user with a graphical interface requesting first a password, then additional information, for example a dynamic password that the user obtains from a token card. With the RADIUS adapter, this interface is Java-based to provide optimal platform independence.
Note: Third-party vendors of authentication devices must customize this graphical user interface to fit their particular device. For example, a smart card vendor would customize the Java interface so that the Oracle client reads data, such as a dynamic password, from the smart card. When the smart card receives a challenge, it responds by prompting the user for more information, such as a PIN.
To configure challenge-response:
1. If you are using JDK 1.1.7 or JRE 1.1.7, set the JAVA_HOME environment variable to the JRE or JDK location on the system where the Oracle client is run:
   ■ On UNIX, enter this command at the prompt:
     % setenv JAVA_HOME /usr/local/packages/jre1.1.7B
   ■ On Windows, choose Start > Settings > Control Panel > System > Environment, and set the JAVA_HOME variable as follows:
     c:\java\jre1.1.7B
2. Navigate to the Oracle Advanced Security profile in Oracle Net Manager (see "Navigating to the Oracle Advanced Security Profile" on page 2-3). The Oracle Advanced Security Other Params window appears (Figure 5–5).
3. From the Authentication Service list, select RADIUS.
4. In the Challenge Response field, enter ON to enable challenge-response.
5. In the Default Keyword field, accept the default keyword (challenge) or enter another keyword that the user types instead of a password to request a challenge from the RADIUS server.

See Also: Appendix C, "Integrating Authentication Devices Using RADIUS", for information about how to customize the challenge-response user interface.

6. In the Interface Class Name field, accept the default value of DefaultRadiusInterface or enter the name of the class you have created to handle the challenge-response conversation. If a class other than the default RADIUS interface is used, you must also edit the sqlnet.ora file to enter SQLNET.RADIUS_CLASSPATH=(location), where location is the complete path name of the jar file. It defaults to $ORACLE_HOME/network/jlib/netradius.jar:$ORACLE_HOME/JRE/lib/vt.jar
7. Choose File > Save Network Configuration.

The sqlnet.ora file is updated with the following entries:

SQLNET.RADIUS_CHALLENGE_RESPONSE=([ON | OFF])
SQLNET.RADIUS_CHALLENGE_KEYWORD=(KEYWORD)
SQLNET.RADIUS_AUTHENTICATION_INTERFACE=(name of interface including the package name delimited by "/" for ".")
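The entries that Net Manager writes for the default settings and for challenge-response are all plain SQLNET.RADIUS_* lines in sqlnet.ora, so they are easy to review mechanically. The script below is an added example, not Oracle's code: it parses those entries, applies the documented defaults (port 1645, 15 seconds, three retries, challenge-response OFF, DefaultRadiusInterface) for anything the file omits, and reports what a reviewer would question, including a missing or group-readable secret file, a custom interface class without SQLNET.RADIUS_CLASSPATH, and the REMOTE_OS_AUTHENT caution if initialization parameters are supplied. SAMPLE_SQLNET_ORA, its host name and its paths are constructed for the example.

```python
"""Added example, not Oracle's code: read the RADIUS entries that Oracle Net
Manager writes to sqlnet.ora, apply the documented defaults for anything the
file leaves out, and report the settings a reviewer would question before
trusting the adapter.  SAMPLE_SQLNET_ORA is a constructed fragment, not one
taken from a real installation; the host name and paths in it are made up."""
import os
import stat

# Defaults as documented for the Net Manager fields; applied when the
# corresponding entry is absent from sqlnet.ora.
RADIUS_DEFAULTS = {
    "SQLNET.RADIUS_AUTHENTICATION_PORT": "1645",
    "SQLNET.RADIUS_AUTHENTICATION_TIMEOUT": "15",
    "SQLNET.RADIUS_AUTHENTICATION_RETRIES": "3",
    "SQLNET.RADIUS_CHALLENGE_RESPONSE": "OFF",
    "SQLNET.RADIUS_AUTHENTICATION_INTERFACE": "DefaultRadiusInterface",
}

SAMPLE_SQLNET_ORA = """\
# constructed sample sqlnet.ora fragment (not from a real system)
SQLNET.AUTHENTICATION_SERVICES=(RADIUS)
SQLNET.RADIUS_AUTHENTICATION=radius01.example.com
SQLNET.RADIUS_AUTHENTICATION_PORT=(1812)
SQLNET.RADIUS_AUTHENTICATION_TIMEOUT=(10)
SQLNET.RADIUS_AUTHENTICATION_RETRIES=(2)
SQLNET.RADIUS_SECRET=(/u01/app/oracle/network/security/radius.key)
SQLNET.RADIUS_CHALLENGE_RESPONSE=(ON)
SQLNET.RADIUS_AUTHENTICATION_INTERFACE=(com/example/AcmeRadiusInterface)
"""


def parse_sqlnet(text):
    """Single-line PARAM=VALUE or PARAM=(VALUE) entries; '#' starts a comment.
    Multi-line nested values (used by some non-RADIUS parameters) are not handled."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if value.startswith("(") and value.endswith(")"):
            value = value[1:-1].strip()
        params[key.upper()] = value
    return params


def effective_radius_settings(params):
    """Documented defaults overlaid with whatever the file actually sets."""
    settings = dict(RADIUS_DEFAULTS)
    settings.update((k, v) for k, v in params.items() if k.startswith("SQLNET.RADIUS_"))
    settings["SQLNET.AUTHENTICATION_SERVICES"] = params.get("SQLNET.AUTHENTICATION_SERVICES", "")
    return settings


def check_radius_config(text, init_params=None):
    """Return (effective settings, list of findings) for one sqlnet.ora text.
    init_params is an optional dict of database initialization parameters so
    the REMOTE_OS_AUTHENT caution can be checked alongside the network file."""
    params = parse_sqlnet(text)
    s = effective_radius_settings(params)
    findings = []
    services = [x.strip().upper() for x in s["SQLNET.AUTHENTICATION_SERVICES"].split(",")]
    if "RADIUS" not in services:
        findings.append("SQLNET.AUTHENTICATION_SERVICES does not list RADIUS, so the adapter is not in use")
    secret = s.get("SQLNET.RADIUS_SECRET")
    if not secret:
        findings.append("SQLNET.RADIUS_SECRET is not set: no shared secret file for the RADIUS server")
    elif not os.path.isfile(secret):
        findings.append(f"secret file {secret} does not exist")
    elif os.stat(secret).st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"secret file {secret} is readable by group or others; the shared "
                        "secret is what authenticates RADIUS replies to the database")
    if s["SQLNET.RADIUS_AUTHENTICATION_PORT"] == "1645":
        findings.append("port 1645 is the pre-RFC 2865 RADIUS port; confirm the server listens there rather than on 1812")
    for key in ("SQLNET.RADIUS_AUTHENTICATION_TIMEOUT", "SQLNET.RADIUS_AUTHENTICATION_RETRIES"):
        if not s[key].isdigit():
            findings.append(f"{key} should be a non-negative integer, found {s[key]!r}")
    if (s["SQLNET.RADIUS_CHALLENGE_RESPONSE"].upper() == "ON"
            and s["SQLNET.RADIUS_AUTHENTICATION_INTERFACE"] != "DefaultRadiusInterface"
            and "SQLNET.RADIUS_CLASSPATH" not in params):
        findings.append("a custom challenge-response interface class is named but SQLNET.RADIUS_CLASSPATH is not set")
    if (init_params or {}).get("REMOTE_OS_AUTHENT", "FALSE").upper() == "TRUE":
        findings.append("REMOTE_OS_AUTHENT=TRUE lets a client on an unauthenticated transport claim an OS-authenticated (OPS$) login")
    return s, findings


if __name__ == "__main__":
    settings, problems = check_radius_config(SAMPLE_SQLNET_ORA, {"REMOTE_OS_AUTHENT": "TRUE"})
    for key in sorted(settings):
        print(f"{key} = {settings[key]}")
    for problem in problems:
        print("FINDING:", problem)
```

Run against a real sqlnet.ora by reading the file and passing its text to check_radius_config; the secret-file permission check only means something when the script runs on the database server as a user that can stat the file.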
Set Parameters for an Alternate RADIUS Server

If you are using an alternate RADIUS server, set these parameters in the sqlnet.ora file using any text editor:

SQLNET.RADIUS_ALTERNATE=(hostname or ip address of alternate radius server)
SQLNET.RADIUS_ALTERNATE_PORT=(1812)
SQLNET.RADIUS_ALTERNATE_TIMEOUT=(number of seconds to wait for response)
SQLNET.RADIUS_ALTERNATE_RETRIES=(number of times to re-send to radius server)
Note: The keyword feature (the Default Keyword field in step 5 of "To configure challenge-response") is provided by Oracle and supported by some, but not all, RADIUS servers. You can use this feature only if your RADIUS server supports it.

By setting a keyword, you let the user avoid using a password to verify identity. If the user does not enter a password, the keyword you set here is passed to the RADIUS server, which responds with a challenge requesting, for example, a driver's license number or birth date. If the user does enter a password, the RADIUS server may or may not respond with a challenge, depending upon the configuration of the RADIUS server. Because the keyword takes the place of the password, a keyword login is exactly as strong as whatever the challenge asks for; configure the RADIUS server so that the challenge demands a genuine secret or token code rather than information that is easy to look up.
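The conversation described above, as an added example that is not Oracle's code and not the DefaultRadiusInterface class: a minimal RADIUS client (the role the database server plays) and a minimal RADIUS server in one file, exchanging Access-Request, Access-Challenge and Access-Accept packets laid out per RFC 2865. It shows the two legs of challenge-response, the State attribute that ties the second request to the challenge, the password-hiding that uses the shared secret, and the Response Authenticator check that is the client's only way of knowing a reply came from the real server. The shared secret, the user "scott", the token code and the server policy (challenge for a token code after either the real password or the keyword) are constructed for the example; a real server's policy is whatever its administrator configured.

```python
"""Added example, not Oracle's code: a self-contained model of the RADIUS
challenge-response (asynchronous) conversation, client and server in one
file so it runs offline.  Packet layout and password hiding follow RFC 2865;
the secret, user record, token code, keyword and server policy are all
constructed sample data."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24


def encode(code, ident, authenticator, attrs):
    """Code | Identifier | Length | Authenticator(16) | TLV attributes."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def decode(packet):
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length")
    attrs, pos = [], 20
    while pos < length:
        typ, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((typ, packet[pos + 2:pos + alen]))
        pos += alen
    return code, ident, packet[4:20], attrs


def hide_password(secret, authenticator, password):
    """RFC 2865 5.2: zero-pad to 16-byte blocks and XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    padded = password + b"\0" * (-len(password) % 16) or b"\0" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out, prev = out + block, block
    return out


def reveal_password(secret, authenticator, hidden):
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\0")  # passwords ending in NUL are not representable


def response_authenticator(secret, code, ident, request_auth, attrs):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret): without the
    secret nobody can forge an Accept or Challenge the client will trust."""
    return hashlib.md5(encode(code, ident, request_auth, attrs) + secret).digest()


class RadiusServer:
    def __init__(self, secret, users, keyword=b"challenge"):
        self.secret, self.users, self.keyword = secret, users, keyword
        self.pending = {}  # State value -> user who still owes a token code

    def _reply(self, code, ident, request_auth, attrs=()):
        attrs = list(attrs)
        auth = response_authenticator(self.secret, code, ident, request_auth, attrs)
        return encode(code, ident, auth, attrs)

    def handle(self, packet):
        code, ident, request_auth, attrs = decode(packet)
        a = dict(attrs)
        if code != ACCESS_REQUEST or USER_NAME not in a or USER_PASSWORD not in a:
            return self._reply(ACCESS_REJECT, ident, request_auth)
        user, record = a[USER_NAME], self.users.get(a[USER_NAME])
        value = reveal_password(self.secret, request_auth, a[USER_PASSWORD])
        if record is None:
            return self._reply(ACCESS_REJECT, ident, request_auth)
        if STATE in a:  # second leg: State binds this answer to our challenge
            if self.pending.pop(a[STATE], None) == user and value == record["token_code"]:
                return self._reply(ACCESS_ACCEPT, ident, request_auth, [(REPLY_MESSAGE, b"Welcome")])
            return self._reply(ACCESS_REJECT, ident, request_auth)
        # first leg: the real password or the Oracle keyword both open a challenge
        if value in (record["password"], self.keyword):
            state = os.urandom(8)
            self.pending[state] = user
            return self._reply(ACCESS_CHALLENGE, ident, request_auth,
                               [(REPLY_MESSAGE, b"Enter the code from your token"), (STATE, state)])
        return self._reply(ACCESS_REJECT, ident, request_auth)


class RadiusClient:
    """The database-server side of the conversation (the RADIUS 'client')."""
    def __init__(self, secret):
        self.secret = secret

    def request(self, server, username, password, state=None):
        ident, request_auth = os.urandom(1)[0], os.urandom(16)
        attrs = [(USER_NAME, username), (USER_PASSWORD, hide_password(self.secret, request_auth, password))]
        if state is not None:
            attrs.append((STATE, state))  # echoed back unmodified, as RFC 2865 requires
        code, rid, auth, rattrs = decode(server.handle(encode(ACCESS_REQUEST, ident, request_auth, attrs)))
        if rid != ident or auth != response_authenticator(self.secret, code, rid, request_auth, rattrs):
            raise ValueError("reply is not authenticated by the shared secret; discarding it")
        return code, dict(rattrs)


def authenticate(server, secret, username, first_factor, token_code):
    """Run the two-leg conversation; True only on Access-Accept."""
    client = RadiusClient(secret)
    code, attrs = client.request(server, username, first_factor)
    if code == ACCESS_CHALLENGE and STATE in attrs:
        code, attrs = client.request(server, username, token_code, state=attrs[STATE])
    return code == ACCESS_ACCEPT


if __name__ == "__main__":
    SECRET = b"constructed-shared-secret"
    srv = RadiusServer(SECRET, {b"scott": {"password": b"tiger", "token_code": b"482913"}})
    print("password + token:", authenticate(srv, SECRET, b"scott", b"tiger", b"482913"))
    print("keyword + token: ", authenticate(srv, SECRET, b"scott", b"challenge", b"482913"))
    print("bad token:       ", authenticate(srv, SECRET, b"scott", b"tiger", b"000000"))
```

The keyword leg is where the Note above matters: with the keyword, the only thing separating an attacker from Access-Accept is the answer to the challenge, which is why the constructed server asks for a token code. The Response Authenticator check in RadiusClient.request is also the reason the secret file on the database server must stay unreadable to anyone else: whoever holds it can mint an Access-Accept.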