Using FreeRadius to Authorize Oracle Connections

Posted in: Oracle, Technical Track

Introduction

This article will show how to configure the FreeRadius RADIUS server for use in authorizing Oracle connections.

The implementation is very basic:

  • no 2FA
  • simple passwords

Clearly, this is not ready for production use. It is important to first get the basic system working.

With a known working baseline, the system can then be refined to add features:

  • 2FA
  • better passwords
  • more granularity. currently, the scope is the entire client network
  • use a database as a backing store for FreeRadius, rather than configuration files

References

References are listed early, for convenience.

Oracle notes

Installing and Configuring RADIUS and Oracle9i R2 (9.2.0) Advanced Security Option (ASO) on Linux (Doc ID 272804.1)
Enabling RADIUS Authentication and Accounting (Doc ID 132820.1)
Radius Overview (Doc ID 132812.1)

Online documentation

Configuring Radius Authentication
SQLNET.ORA Parameters

FreeRadius – Home
FreeRadius – Pre-built Packages
FreeRadius – github
FreeRadius – Wiki

Building the Radius Server

At first, I attempted to use Oracle Linux 7.6 to build a Radius Server using FreeRadius.

I could not locate any binary distributions that could be successfully installed on Linux 7.6.

Next, I tried building from source. There were a number of supporting libraries that needed to be installed before even attempting to compile FreeRadius.

When I saw that the dependency list included glibc, I gave up. The installed glibc was the latest version available from the Linux Repos. Having tried in the past to build a later version of glibc, and failing miserably, it was time to choose another platform.

As nearly everything on the system is dependent on glibc, it is quite difficult to build and install glibc from source.

So I decided to choose Ubuntu 19.1, in the form of Linux Mint 19.1 with the Mate interface. In case you are wondering why Linux Mint, it is because it is easy to install with the Mate interface, which I happen to prefer over others that I have tried.

I will not be covering the details of obtaining and building a VM will not be covered here. Suffice it today I used the following:

  • Virtual Box
  • Linux Mate 19.1

Once the VM was installed, ssh and FreeRadius were installed.

Created a VM from Linux Mate 19.1 (Ubuntu base)

Install software

Install OpenSSH and FreeRadius; it doesn’t get much easier than this:

# apt install -y openssh-server 
# apt install -y freeradius freeradius-utils

This installed FreeRadius 3.0.

OpenSSH was installed so I could use Putty to access the server.

Modifications to FreeRadius files

Not many changes were required.

Modify /etc/freeradius/3.0/mods-config/files/authorize to un-comment the ‘bob’ user for testing:

Validate that all is working (from the radius server).

root@radius-01:/etc/freeradius/3.0# radtest bob hello 127.0.0.1 0 testing123
Sent Access-Request Id 187 from 0.0.0.0:47728 to 127.0.0.1:1812 length 73
        User-Name = "bob"
        User-Password = "hello"
        NAS-IP-Address = 127.0.1.1
        NAS-Port = 0
        Message-Authenticator = 0x00
        Cleartext-Password = "hello"
Received Access-Accept Id 187 from 127.0.0.1:1812 to 0.0.0.0:0 length 32
        Reply-Message = "Hello, bob"

Configure for Oracle

Now the configuration for Oracle on the FreeRadius server can begin.

Add the client information

Modify the file /etc/freeradius/3.0/clients.conf

All that was needed was to add a client for Oracle.

client jks-oracle {
    # both ipaddr and ipv4addr will work as is
    ipaddr = 192.168.1.0/24
    #ipv4addr = *
    secret = secretoracle
    shortname = oracle
    nastype = other
}

This is a very broad rule, covering my entire network.

More fine grained rules can be created, but this is sufficient for now.

Create a user

A user can be added to the file /etc/freeradius/3.0/mods-config/files/authorize.

Added to the authorization file:

JKSTILL_RAD Cleartext-Password := "radius" 
    Reply-Message := "Welcome to Oracle, %{User-Name}"

Verify RADIUS is installed in Oracle

The system under test is a 19.3 19c 2 Node RAC.

Note: Changes to the DB server must be made on each node.

Some of the references are rather old, such as this note: Installing and Configuring RADIUS and Oracle9i R2 (9.2.0) Advanced Security Option (ASO) on Linux (Doc ID 272804.1). While there may be some useful information in older documentation, you may find parts that no longer apply.

For instance, the note specifies this lib should be present:

[oracle@hostname Oracle_Home/lib]$ ls -l libnrad9.so 
-rwxr-xr-x 1 oracle dba 41987 Jun 23 2003 libnrad9.so

This does not exist in a 19c install and is not required.

If you find something that doesn’t match your system when reviewing an old document such as 272804.1, don’t immediately assume there is a problem, as it may just be that some parts of old documentation no longer apply.

I suspect it is not really necessary to perform the check with adapters, but I did so anyway for completeness.

Login as the oracle user:

 

[oracle@19c01 admin]$ adapters

Installed Oracle Net transport protocols are:

    IPC
    BEQ
    TCP/IP
    SSL
    RAW
    SDP/IB
    ExaDirect

Installed Oracle Net naming methods are:

    Local Naming (tnsnames.ora)
    Oracle Directory Naming
    Oracle Host Naming

Installed Oracle Advanced Security options are:

    RC4 40-bit encryption
    RC4 56-bit encryption
    RC4 128-bit encryption
    RC4 256-bit encryption
    DES40 40-bit encryption
    DES 56-bit encryption
    3DES 112-bit encryption
    3DES 168-bit encryption
    AES 128-bit encryption
    AES 192-bit encryption
    AES 256-bit encryption
    MD5 crypto-checksumming
    SHA-1 crypto-checksumming
    Kerberos v5 authentication
    RADIUS authentication

[oracle@19c01 admin]$ cd $ORACLE_HOME/bin
[oracle@19c01 bin]$ adapters ./oracle

Oracle Net transport protocols linked with ./oracle are:

    IPC
    BEQ
    TCP/IP
    SSL
    SDP/IB
    ExaDirect
    RAW

Oracle Net naming methods linked with ./oracle are:

    Local Naming (tnsnames.ora)
    Oracle Directory Naming
    Oracle Host Naming

Oracle Advanced Security options linked with ./oracle are:

    RC4 40-bit encryption
    RC4 56-bit encryption
    RC4 128-bit encryption
    RC4 256-bit encryption
    DES40 40-bit encryption
    DES 56-bit encryption
    3DES 112-bit encryption
    3DES 168-bit encryption
    AES 128-bit encryption
    AES 192-bit encryption
    AES 256-bit encryption
    MD5 crypto-checksumming
    SHA-1 crypto-checksumming
    Kerberos v5 authentication
    RADIUS authentication

sqlnet.ora at the server

As per Configuring RADIUS Authentication:

These changes must be made in the sqlnet.ora for the database, not grid.

 

QLNET.RADIUS_AUTHENTICATION_PORT = 1812

SQLNET.AUTHENTICATION_SERVICES= (BEQ, TCPS, RADIUS)

SQLNET.RADIUS_AUTHENTICATION = 192.168.1.216

SQLNET.RADIUS_SECRET=/u01/app/oracle/product/19.0.0/dbhome_1/network/security/radius.key

ADR_BASE = /u01/app/oracle

radius.key

The file radius.key contains the secret added earlier in clients.conf on the FreeRadius server:

oracle@rac19c01 admin]$ cat  /u01/app/oracle/product/19.0.0/dbhome_1/network/security/radius.key
secretoracle

[oracle@rac19c01 admin]$ chmod 600  /u01/app/oracle/product/19.0.0/dbhome_1/network/security/radius.key

Database parameters

The default for os_authent_prefix is ops$, which must be changed to an empty string.

Counterintuitively, the remote_os_authent parameter must be set to FALSE. As per the Oracle note Enabling RADIUS Authentication and Accounting (Doc ID 132820.1), this is due to a possible security breach if the parameter is set to TRUE.

The default is FALSE, but I include it here for completeness.

 

alter system set os_authent_prefix='' scope=spfile sid='*';
alter system set remote_os_authent = false scope = spfile sid='*';

Then restart the database.

Add an Oracle user to FreeRadius

A user JKSTILL_RAD was created in the authorization configuration file, with a completely non-secure password of radius. Please, don’t use simple passwords for production use.

The following was added to /etc/freeradius/3.0/mods-config/files/authorize:

## Oracle Users - username must be uppercase

JKSTILL_RAD     Cleartext-Password := "radius"
        Reply-Message := "Welcome to Oracle, %{User-Name}"

As noted in the comment, the username must be in uppercase. Radius usernames are case sensitive, and as Oracle stores usernames in upper case, the user name here must also be in upper case.

Test the username

The following test was performed on the FreeRadius server:

root@radius-01:/etc/freeradius/3.0# radtest jkstill_rad radius 127.0.0.1 0 testing123
Sent Access-Request Id 200 from 0.0.0.0:56423 to 127.0.0.1:1812 length 81
        User-Name = "jkstill_rad"
        User-Password = "radius"
        NAS-IP-Address = 127.0.1.1
        NAS-Port = 0
        Message-Authenticator = 0x00
        Cleartext-Password = "radius"
Received Access-Accept Id 200 from 127.0.0.1:1812 to 0.0.0.0:0 length 52
        Reply-Message = "Welcome to Oracle, jkstill_rad"

OK, that all worked!

Create a user in the database

This part is simple enough. I logged into the database of choice, and created the user jkstill_rad as follows:

SQL> create user jkstill_rad identified externally; 
SQL> grant create session, connect, resource to jkstill_rad;

In case you are wondering about that lower case username; Oracle will convert it to upper case internally.

Configure the client

The only thing left to do before testing is to modify the sqlnet.ora at the client-side.

The following line is all that needs to be added:

SQLNET.AUTHENTICATION_SERVICES= (radius)

Testing the connection

The final step: does it work?

echo "set heading off
> select
>    'DB_NAME                : ' || name name,
>    'SESSION_USER           : ' || sys_context('USERENV','SESSION_USER') session_user,
>    'AUTHENTICATED_IDENTITY : ' || sys_context('USERENV','AUTHENTICATED_IDENTITY') auth_id,
>    'AUTHENTICATION_METHOD  : ' || sys_context('USERENV','AUTHENTICATION_METHOD') auth_method,
>    'LDAP_SERVER_TYPE       : ' || sys_context('USERENV','LDAP_SERVER_TYPE') ldap_type,
>    'ENTERPRISE_IDENTITY    : ' || sys_context('USERENV','ENTERPRISE_IDENTITY') ent_id
> from v\$database;" | sqlplus -L jkstill_rad/radius@//rac19c-scan:1521/pdb1.jks.com

SQL*Plus: Release 12.1.0.2.0 Production on Thu Mar 12 18:23:23 2020

Copyright (c) 1982, 2014, Oracle.  All rights reserved.

Last Successful login time: Thu Mar 12 2020 18:08:08 -07:00

Connected to:
Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production

JKSTILL_RAD@//rac19c-scan:1521/pdb1.jks.com > JKSTILL_RAD@//rac19c-scan:1521/pdb1.jks.com >   2    3    4    5    6    7    8
DB_NAME                : CDB
SESSION_USER           : JKSTILL_RAD
AUTHENTICATED_IDENTITY : JKSTILL_RAD
AUTHENTICATION_METHOD  : RADIUS
LDAP_SERVER_TYPE       :
ENTERPRISE_IDENTITY    : JKSTILL_RAD


1 row selected.

Success! If you have a need to use external authorization for your Oracle databases, the FreeRadius server is up to the task.

Really, this was not difficult to configure. The most difficult task is just locating the relevant documentation.

Later articles will detail how to add a database back-end and 2FA authentication to FreeRadius.

email

Interested in working with Jared? Schedule a tech call.

About the Author

Oracle experience: started with Oracle 7.0.13 Programming Experience: Perl, PL/SQL, Shell, SQL Also some other odds and ends that are no longer useful Systems: Networking, Storage, OS to varying degrees. Have fond memories of DG/UX

No comments

Leave a Reply

Your email address will not be published. Required fields are marked *