Using FreeRadius to Authorize Oracle Connections
Introduction
This article will show how to configure the FreeRadius RADIUS server for use in authorizing Oracle connections. The implementation is very basic:- no 2FA
- simple passwords
- 2FA
- better passwords
- more granularity. currently, the scope is the entire client network
- use a database as a backing store for FreeRadius, rather than configuration files
References
References are listed early, for convenience.Oracle notes
Installing and Configuring RADIUS and Oracle9i R2 (9.2.0) Advanced Security Option (ASO) on Linux (Doc ID 272804.1) Enabling RADIUS Authentication and Accounting (Doc ID 132820.1) Radius Overview (Doc ID 132812.1)Online documentation
Configuring Radius Authentication SQLNET.ORA Parameters FreeRadius - Home FreeRadius - Pre-built Packages FreeRadius - github FreeRadius - WikiBuilding the Radius Server
At first, I attempted to use Oracle Linux 7.6 to build a Radius Server using FreeRadius. I could not locate any binary distributions that could be successfully installed on Linux 7.6. Next, I tried building from source. There were a number of supporting libraries that needed to be installed before even attempting to compile FreeRadius. When I saw that the dependency list included glibc, I gave up. The installed glibc was the latest version available from the Linux Repos. Having tried in the past to build a later version of glibc, and failing miserably, it was time to choose another platform. As nearly everything on the system is dependent on glibc, it is quite difficult to build and install glibc from source. So I decided to choose Ubuntu 19.1, in the form of Linux Mint 19.1 with the Mate interface. In case you are wondering why Linux Mint, it is because it is easy to install with the Mate interface, which I happen to prefer over others that I have tried. I will not be covering the details of obtaining and building a VM will not be covered here. Suffice it today I used the following:- Virtual Box
- Linux Mate 19.1
Install software
Install OpenSSH and FreeRadius; it doesn't get much easier than this:# apt install -y openssh-server # apt install -y freeradius freeradius-utilsThis installed FreeRadius 3.0. OpenSSH was installed so I could use Putty to access the server.
Modifications to FreeRadius files
Not many changes were required. Modify/etc/freeradius/3.0/mods-config/files/authorize to un-comment the 'bob' user for testing: Validate that all is working (from the radius server).
root@radius-01:/etc/freeradius/3.0# radtest bob hello 127.0.0.1 0 testing123 Sent Access-Request Id 187 from 0.0.0.0:47728 to 127.0.0.1:1812 length 73 User-Name = "bob" User-Password = "hello" NAS-IP-Address = 127.0.1.1 NAS-Port = 0 Message-Authenticator = 0x00 Cleartext-Password = "hello" Received Access-Accept Id 187 from 127.0.0.1:1812 to 0.0.0.0:0 length 32 Reply-Message = "Hello, bob"
Configure for Oracle
Now the configuration for Oracle on the FreeRadius server can begin.Add the client information
Modify the file/etc/freeradius/3.0/clients.conf All that was needed was to add a client for Oracle.
client jks-oracle {
# both ipaddr and ipv4addr will work as is
ipaddr = 192.168.1.0/24
#ipv4addr = *
secret = secretoracle
shortname = oracle
nastype = other
}
This is a very broad rule, covering my entire network. More fine grained rules can be created, but this is sufficient for now.
Create a user
A user can be added to the file/etc/freeradius/3.0/mods-config/files/authorize. Added to the authorization file:
JKSTILL_RAD Cleartext-Password := "radius"
Reply-Message := "Welcome to Oracle, %{User-Name}"
Verify RADIUS is installed in Oracle
The system under test is a 19.3 19c 2 Node RAC.
[oracle@hostname Oracle_Home/lib]$ ls -l libnrad9.so -rwxr-xr-x 1 oracle dba 41987 Jun 23 2003 libnrad9.soThis does not exist in a 19c install and is not required. If you find something that doesn't match your system when reviewing an old document such as 272804.1, don't immediately assume there is a problem, as it may just be that some parts of old documentation no longer apply. I suspect it is not really necessary to perform the check with
adapters, but I did so anyway for completeness. Login as the oracle user:
[oracle@19c01 admin]$ adapters Installed Oracle Net transport protocols are: IPC BEQ TCP/IP SSL RAW SDP/IB ExaDirect Installed Oracle Net naming methods are: Local Naming (tnsnames.ora) Oracle Directory Naming Oracle Host Naming Installed Oracle Advanced Security options are: RC4 40-bit encryption RC4 56-bit encryption RC4 128-bit encryption RC4 256-bit encryption DES40 40-bit encryption DES 56-bit encryption 3DES 112-bit encryption 3DES 168-bit encryption AES 128-bit encryption AES 192-bit encryption AES 256-bit encryption MD5 crypto-checksumming SHA-1 crypto-checksumming Kerberos v5 authentication RADIUS authentication [oracle@19c01 admin]$ cd $ORACLE_HOME/bin [oracle@19c01 bin]$ adapters ./oracle Oracle Net transport protocols linked with ./oracle are: IPC BEQ TCP/IP SSL SDP/IB ExaDirect RAW Oracle Net naming methods linked with ./oracle are: Local Naming (tnsnames.ora) Oracle Directory Naming Oracle Host Naming Oracle Advanced Security options linked with ./oracle are: RC4 40-bit encryption RC4 56-bit encryption RC4 128-bit encryption RC4 256-bit encryption DES40 40-bit encryption DES 56-bit encryption 3DES 112-bit encryption 3DES 168-bit encryption AES 128-bit encryption AES 192-bit encryption AES 256-bit encryption MD5 crypto-checksumming SHA-1 crypto-checksumming Kerberos v5 authentication RADIUS authentication
sqlnet.ora at the server
As per Configuring RADIUS Authentication: These changes must be made in the sqlnet.ora for the database, not grid.QLNET.RADIUS_AUTHENTICATION_PORT = 1812 SQLNET.AUTHENTICATION_SERVICES= (BEQ, TCPS, RADIUS) SQLNET.RADIUS_AUTHENTICATION = 192.168.1.216 SQLNET.RADIUS_SECRET=/u01/app/oracle/product/19.0.0/dbhome_1/network/security/radius.key ADR_BASE = /u01/app/oracle
radius.key
The file radius.key contains the secret added earlier in clients.conf on the FreeRadius server:oracle@rac19c01 admin]$ cat /u01/app/oracle/product/19.0.0/dbhome_1/network/security/radius.key secretoracle [oracle@rac19c01 admin]$ chmod 600 /u01/app/oracle/product/19.0.0/dbhome_1/network/security/radius.key
Database parameters
The default foros_authent_prefix is
ops$, which must be changed to an empty string. Counterintuitively, the
remote_os_authent parameter must be set to
FALSE. As per the Oracle note
Enabling RADIUS Authentication and Accounting (Doc ID 132820.1), this is due to a possible security breach if the parameter is set to
TRUE. The default is
FALSE, but I include it here for completeness.
alter system set os_authent_prefix='' scope=spfile sid='*'; alter system set remote_os_authent = false scope = spfile sid='*';Then restart the database.
Add an Oracle user to FreeRadius
A userJKSTILL_RAD was created in the authorization configuration file, with a completely non-secure password of
radius. Please, don't use simple passwords for production use. The following was added to
/etc/freeradius/3.0/mods-config/files/authorize:
## Oracle Users - username must be uppercase
JKSTILL_RAD Cleartext-Password := "radius"
Reply-Message := "Welcome to Oracle, %{User-Name}"
As noted in the comment, the username must be in uppercase. Radius usernames are case sensitive, and as Oracle stores usernames in upper case, the user name here must also be in upper case.
Test the username
The following test was performed on the FreeRadius server:root@radius-01:/etc/freeradius/3.0# radtest jkstill_rad radius 127.0.0.1 0 testing123 Sent Access-Request Id 200 from 0.0.0.0:56423 to 127.0.0.1:1812 length 81 User-Name = "jkstill_rad" User-Password = "radius" NAS-IP-Address = 127.0.1.1 NAS-Port = 0 Message-Authenticator = 0x00 Cleartext-Password = "radius" Received Access-Accept Id 200 from 127.0.0.1:1812 to 0.0.0.0:0 length 52 Reply-Message = "Welcome to Oracle, jkstill_rad"OK, that all worked!
Create a user in the database
This part is simple enough. I logged into the database of choice, and created the user jkstill_rad as follows:SQL> create user jkstill_rad identified externally; SQL> grant create session, connect, resource to jkstill_rad;In case you are wondering about that lower case username; Oracle will convert it to upper case internally.
Configure the client
The only thing left to do before testing is to modify thesqlnet.ora at the client-side. The following line is all that needs to be added:
SQLNET.AUTHENTICATION_SERVICES= (radius)
Testing the connection
The final step: does it work?echo "set heading off
> select
> 'DB_NAME : ' || name name,
> 'SESSION_USER : ' || sys_context('USERENV','SESSION_USER') session_user,
> 'AUTHENTICATED_IDENTITY : ' || sys_context('USERENV','AUTHENTICATED_IDENTITY') auth_id,
> 'AUTHENTICATION_METHOD : ' || sys_context('USERENV','AUTHENTICATION_METHOD') auth_method,
> 'LDAP_SERVER_TYPE : ' || sys_context('USERENV','LDAP_SERVER_TYPE') ldap_type,
> 'ENTERPRISE_IDENTITY : ' || sys_context('USERENV','ENTERPRISE_IDENTITY') ent_id
> from v\$database;" | sqlplus -L jkstill_rad/radius@//rac19c-scan:1521/pdb1.jks.com
SQL*Plus: Release 12.1.0.2.0 Production on Thu Mar 12 18:23:23 2020
Copyright (c) 1982, 2014, Oracle. All rights reserved.
Last Successful login time: Thu Mar 12 2020 18:08:08 -07:00
Connected to:
Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
JKSTILL_RAD@//rac19c-scan:1521/pdb1.jks.com > JKSTILL_RAD@//rac19c-scan:1521/pdb1.jks.com > 2 3 4 5 6 7 8
DB_NAME : CDB
SESSION_USER : JKSTILL_RAD
AUTHENTICATED_IDENTITY : JKSTILL_RAD
AUTHENTICATION_METHOD : RADIUS
LDAP_SERVER_TYPE :
ENTERPRISE_IDENTITY : JKSTILL_RAD
1 row selected.
Success! If you have a need to use external authorization for your Oracle databases, the FreeRadius server is up to the task. Really, this was not difficult to configure. The most difficult task is just locating the relevant documentation. Later articles will detail how to add a database back-end and 2FA authentication to FreeRadius.
