
Enabling RADIUS Authentication, Authorization, and Accounting

Oracle Database Advanced Security Administrator's Guide

Example: Asynchronous Authentication with ActivCard Tokens

Caution: Setting REMOTE_OS_AUTHENT to TRUE can enable a security breach because it lets someone using a non-secure protocol, such as TCP, perform an operating system-authorized login (formerly called an OPS$ login).

Note: In addition to setting the REMOTE_OS_AUTHENT initialization parameter to FALSE in the initialization parameter file, you should issue the startup command with a PFILE option. This ensures that the parameters from your initSID.ora are used.

See Also: Oracle Database Reference and the Oracle Database Administrator's Guide for information about setting initialization parameters on an Oracle Database server.

Step 3: Configure Additional RADIUS Features

■ Change Default Settings

■ Configure Challenge-Response

■ Set Parameters for an Alternate RADIUS Server

Change Default Settings

Use Oracle Net Manager to change default settings (See "Starting Oracle Net Manager" on page 2-2):

1. Navigate to the Oracle Advanced Security profile (See "Navigating to the Oracle Advanced Security Profile" on page 2-2). The Oracle Advanced Security tabbed window is displayed (Figure 6–5).

2. Click the Other Params tab.

3. From the Authentication Service list, select RADIUS.

4. Change the default setting for any of the following fields:

Field / Description

Port Number: Specifies the listening port of the primary RADIUS server. The default value is 1645.

Timeout (seconds): Specifies the time the Oracle database server waits for a response from the primary RADIUS server. The default is 15 seconds.

Number of Retries: Specifies the number of times the Oracle database server resends messages to the primary RADIUS server. The default is three retries. For instructions on configuring RADIUS accounting, see: Task 5: Configure RADIUS Accounting on page 6-14.

Secret File: Specifies the location of the secret key on the Oracle database server. The field specifies the location of the secret key file, not the secret key itself. For information about specifying the secret key, see: Create the RADIUS Secret Key File on the Oracle Database Server on page 6-8.

5. Select File, Save Network Configuration.

The sqlnet.ora file is updated with the following entries:

SQLNET.RADIUS_AUTHENTICATION_PORT=(port)
SQLNET.RADIUS_AUTHENTICATION_TIMEOUT=(number of seconds to wait for response)
SQLNET.RADIUS_AUTHENTICATION_RETRIES=(number of times to re-send to RADIUS server)
SQLNET.RADIUS_SECRET=(path/radius.key)

Configure Challenge-Response

The challenge-response (asynchronous) mode presents the user with a graphical interface requesting first a password, then additional information, for example, a dynamic password that the user obtains from a token card. With the RADIUS adapter, this interface is Java-based to provide optimal platform independence.

Note: Third party vendors of authentication devices must customize this graphical user interface to fit their particular device. For example, a smart card vendor would customize the Java interface so that the Oracle client reads data, such as a dynamic password, from the smart card. When the smart card receives a challenge, it responds by prompting the user for more information, such as a PIN.

See Also: Appendix C, "Integrating Authentication Devices Using RADIUS", for information about how to customize the challenge-response user interface.

To configure challenge-response:

1. If you are using JDK 1.1.7 or JRE 1.1.7, set the JAVA_HOME environment variable to the JRE or JDK location on the system where the Oracle client is run:

■ On UNIX, enter this command at the prompt:

% setenv JAVA_HOME /usr/local/packages/jre1.1.7B

■ On Windows, select Start, Settings, Control Panel, System, Environment, and set the JAVA_HOME variable as follows:

c:\java\jre1.1.7B

Note: This step is not required for any other JDK/JRE version.

2. Navigate to the Oracle Advanced Security profile in Oracle Net Manager (See "Navigating to the Oracle Advanced Security Profile" on page 2-2). The Oracle Advanced Security Other Params window is displayed (Figure 6–5).

3. From the Authentication Service list, select RADIUS.

4. In the Challenge Response field, enter ON to enable challenge-response.

5. In the Default Keyword field, accept the default value of the challenge or enter a keyword for requesting a challenge from the RADIUS server.

Note: The keyword feature is provided by Oracle and supported by some, but not all, RADIUS servers. You can use this feature only if your RADIUS server supports it.

By setting a keyword, you let the user avoid using a password to verify identity. If the user does not enter a password, the keyword you set here is passed to the RADIUS server, which responds with a challenge requesting, for example, a driver's license number or birth date. If the user does enter a password, the RADIUS server may or may not respond with a challenge, depending upon the configuration of the RADIUS server.

6. In the Interface Class Name field, accept the default value of DefaultRadiusInterface or enter the name of the class you have created to handle the challenge-response conversation. If other than the default RADIUS interface is used, you also must edit the sqlnet.ora file to enter SQLNET.RADIUS_CLASSPATH=(location), where location is the complete path name of the jar file. It defaults to:

$ORACLE_HOME/network/jlib/netradius.jar:$ORACLE_HOME/JRE/lib/vt.jar

7. Select File, Save Network Configuration.

The sqlnet.ora file is updated with the following entries:

SQLNET.RADIUS_CHALLENGE_RESPONSE=([ON | OFF])
SQLNET.RADIUS_CHALLENGE_KEYWORD=(keyword)
SQLNET.RADIUS_AUTHENTICATION_INTERFACE=(name of interface including the package name, delimited by "/" instead of ".")

Set Parameters for an Alternate RADIUS Server

If you are using an alternate RADIUS server, set these parameters in the sqlnet.ora file using any text editor.

SQLNET.RADIUS_ALTERNATE=(hostname or ip address of alternate radius server)
SQLNET.RADIUS_ALTERNATE_PORT=(1812)
SQLNET.RADIUS_ALTERNATE_TIMEOUT=(number of seconds to wait for response)
SQLNET.RADIUS_ALTERNATE_RETRIES=(number of times to re-send to radius server)
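As an added example (not code from the Oracle guide), the following Python script parses the SQLNET.RADIUS_* entries that Step 3 writes to sqlnet.ora and checks them against what the guide states: the documented defaults (port 1645, 15-second timeout, three retries, challenge-response OFF, keyword "challenge", interface DefaultRadiusInterface), that SQLNET.RADIUS_SECRET names the key file rather than the key, that a custom interface class is accompanied by SQLNET.RADIUS_CLASSPATH, and that package separators use "/" rather than ".". The sqlnet.ora fragment, host names and paths are constructed placeholders; SQLNET.RADIUS_AUTHENTICATION (the primary server host) is set in an earlier step of the guide, not on this page, and is assumed here.

```python
"""Consistency checker for the RADIUS entries in sqlnet.ora.

Added example, not Oracle's code. Parses SQLNET.RADIUS_* lines, applies
the defaults documented for the Oracle Net Manager fields, and reports
settings that the guide says will not work together.
"""
import re

# Constructed sample fragment; host names and paths are placeholders.
# SQLNET.RADIUS_CLASSPATH is deliberately left out so the checker flags it.
SAMPLE_SQLNET_ORA = """\
# Primary RADIUS server (parameter from an earlier step of the guide; assumed)
SQLNET.RADIUS_AUTHENTICATION=(radius1.example.internal)
SQLNET.RADIUS_AUTHENTICATION_PORT=(1645)
SQLNET.RADIUS_AUTHENTICATION_TIMEOUT=(15)
SQLNET.RADIUS_AUTHENTICATION_RETRIES=(3)
SQLNET.RADIUS_SECRET=(/u01/app/oracle/network/security/radius.key)
SQLNET.RADIUS_CHALLENGE_RESPONSE=(ON)
SQLNET.RADIUS_CHALLENGE_KEYWORD=(challenge)
SQLNET.RADIUS_AUTHENTICATION_INTERFACE=(com/example/auth/TokenRadiusInterface)
SQLNET.RADIUS_ALTERNATE=(radius2.example.internal)
SQLNET.RADIUS_ALTERNATE_PORT=(1812)
"""

# Defaults as documented for the Net Manager fields on this page.
DEFAULTS = {
    "SQLNET.RADIUS_AUTHENTICATION_PORT": "1645",
    "SQLNET.RADIUS_AUTHENTICATION_TIMEOUT": "15",
    "SQLNET.RADIUS_AUTHENTICATION_RETRIES": "3",
    "SQLNET.RADIUS_CHALLENGE_RESPONSE": "OFF",
    "SQLNET.RADIUS_CHALLENGE_KEYWORD": "challenge",
    "SQLNET.RADIUS_AUTHENTICATION_INTERFACE": "DefaultRadiusInterface",
}

NUMERIC_PARAMS = (
    "SQLNET.RADIUS_AUTHENTICATION_PORT",
    "SQLNET.RADIUS_AUTHENTICATION_TIMEOUT",
    "SQLNET.RADIUS_AUTHENTICATION_RETRIES",
    "SQLNET.RADIUS_ALTERNATE_PORT",
    "SQLNET.RADIUS_ALTERNATE_TIMEOUT",
    "SQLNET.RADIUS_ALTERNATE_RETRIES",
)

LINE_RE = re.compile(r"^\s*(SQLNET\.RADIUS_[A-Z_]+)\s*=\s*(.*?)\s*$")


def parse_radius_params(text):
    """Return {parameter: value} for SQLNET.RADIUS_* lines.

    The surrounding parentheses that Net Manager writes are optional, and
    anything after '#' is treated as a comment.
    """
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]
        match = LINE_RE.match(line)
        if not match:
            continue
        name, value = match.group(1), match.group(2)
        if value.startswith("(") and value.endswith(")"):
            value = value[1:-1].strip()
        params[name] = value
    return params


def effective_settings(params):
    """Merge explicit values over the documented defaults."""
    merged = dict(DEFAULTS)
    merged.update(params)
    return merged


def check_radius_config(params):
    """Return a list of findings; an empty list means nothing to fix."""
    findings = []
    cfg = effective_settings(params)

    for name in NUMERIC_PARAMS:
        if name in cfg and not cfg[name].isdigit():
            findings.append(f"{name} must be a number, got {cfg[name]!r}")

    secret = cfg.get("SQLNET.RADIUS_SECRET")
    if not secret:
        findings.append("SQLNET.RADIUS_SECRET is not set; the path to the secret key file is required")
    elif "/" not in secret and "\\" not in secret:
        findings.append("SQLNET.RADIUS_SECRET must be the path to the key file, not the key itself")

    if cfg["SQLNET.RADIUS_CHALLENGE_RESPONSE"].upper() == "ON":
        iface = cfg["SQLNET.RADIUS_AUTHENTICATION_INTERFACE"]
        if iface != "DefaultRadiusInterface" and not cfg.get("SQLNET.RADIUS_CLASSPATH"):
            findings.append(f"custom interface class {iface!r} needs SQLNET.RADIUS_CLASSPATH pointing at its jar file")
        if "." in iface:
            findings.append("SQLNET.RADIUS_AUTHENTICATION_INTERFACE must use '/' rather than '.' as the package delimiter")

    if "SQLNET.RADIUS_ALTERNATE" in cfg and not cfg["SQLNET.RADIUS_ALTERNATE"]:
        findings.append("SQLNET.RADIUS_ALTERNATE is present but empty")
    return findings


if __name__ == "__main__":
    parsed = parse_radius_params(SAMPLE_SQLNET_ORA)
    for key, val in sorted(effective_settings(parsed).items()):
        print(f"{key}={val}")
    for finding in check_radius_config(parsed):
        print("FINDING:", finding)
```

Run it against a real sqlnet.ora by reading the file into parse_radius_params; the secret-file check only inspects the parameter value, so file permissions on radius.key still need to be verified on the server itself.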

Task 3: Create a User and Grant Access

To grant user access:

1. Launch SQL*Plus and execute these commands to create and grant access to a user identified externally on the Oracle database server.

SQL> CONNECT system/manager@database_name
SQL> CREATE USER username IDENTIFIED EXTERNALLY;
SQL> GRANT CREATE SESSION TO username;
SQL> EXIT

If you are using Windows, you can use the Security Manager tool in the Oracle Enterprise Manager.

2. Enter the same user in the RADIUS server's users file.
