Blog | Pythian

Using FreeRadius to Authorize Oracle Connections

Written by Jared Still | Mar 18, 2020 4:00:00 AM

Introduction

This article will show how to configure the FreeRadius RADIUS server for use in authorizing Oracle connections. The implementation is very basic:
  • no 2FA
  • simple passwords
Clearly, this is not ready for production use. It is important to first get the basic system working. With a known working baseline, the system can then be refined to add features:
  • 2FA
  • better passwords
  • more granularity. currently, the scope is the entire client network
  • use a database as a backing store for FreeRadius, rather than configuration files

References

References are listed early, for convenience.

Oracle notes

Installing and Configuring RADIUS and Oracle9i R2 (9.2.0) Advanced Security Option (ASO) on Linux (Doc ID 272804.1) Enabling RADIUS Authentication and Accounting (Doc ID 132820.1) Radius Overview (Doc ID 132812.1)

Online documentation

Configuring Radius Authentication SQLNET.ORA Parameters FreeRadius - Home FreeRadius - Pre-built Packages FreeRadius - github FreeRadius - Wiki

Building the Radius Server

At first, I attempted to use Oracle Linux 7.6 to build a Radius Server using FreeRadius. I could not locate any binary distributions that could be successfully installed on Linux 7.6. Next, I tried building from source. There were a number of supporting libraries that needed to be installed before even attempting to compile FreeRadius. When I saw that the dependency list included glibc, I gave up. The installed glibc was the latest version available from the Linux Repos. Having tried in the past to build a later version of glibc, and failing miserably, it was time to choose another platform. As nearly everything on the system is dependent on glibc, it is quite difficult to build and install glibc from source. So I decided to choose Ubuntu 19.1, in the form of Linux Mint 19.1 with the Mate interface. In case you are wondering why Linux Mint, it is because it is easy to install with the Mate interface, which I happen to prefer over others that I have tried. I will not be covering the details of obtaining and building a VM will not be covered here. Suffice it today I used the following:
  • Virtual Box
  • Linux Mate 19.1
Once the VM was installed, ssh and FreeRadius were installed. Created a VM from Linux Mate 19.1 (Ubuntu base)

Install software

Install OpenSSH and FreeRadius; it doesn't get much easier than this: 
# apt install -y openssh-server 
 # apt install -y freeradius freeradius-utils
This installed FreeRadius 3.0. OpenSSH was installed so I could use Putty to access the server.

Modifications to FreeRadius files

Not many changes were required. Modify /etc/freeradius/3.0/mods-config/files/authorize to un-comment the 'bob' user for testing: Validate that all is working (from the radius server). 
root@radius-01:/etc/freeradius/3.0# radtest bob hello 127.0.0.1 0 testing123
 Sent Access-Request Id 187 from 0.0.0.0:47728 to 127.0.0.1:1812 length 73
  User-Name = "bob"
  User-Password = "hello"
  NAS-IP-Address = 127.0.1.1
  NAS-Port = 0
  Message-Authenticator = 0x00
  Cleartext-Password = "hello"
 Received Access-Accept Id 187 from 127.0.0.1:1812 to 0.0.0.0:0 length 32
  Reply-Message = "Hello, bob"

Configure for Oracle

Now the configuration for Oracle on the FreeRadius server can begin.

Add the client information

Modify the file /etc/freeradius/3.0/clients.conf All that was needed was to add a client for Oracle. 
client jks-oracle {
  # both ipaddr and ipv4addr will work as is
  ipaddr = 192.168.1.0/24
  #ipv4addr = *
  secret = secretoracle
  shortname = oracle
  nastype = other
 }
This is a very broad rule, covering my entire network. More fine grained rules can be created, but this is sufficient for now.

Create a user

A user can be added to the file /etc/freeradius/3.0/mods-config/files/authorize. Added to the authorization file: 
JKSTILL_RAD Cleartext-Password := "radius" 
  Reply-Message := "Welcome to Oracle, %{User-Name}"

Verify RADIUS is installed in Oracle

The system under test is a 19.3 19c 2 Node RAC.
Note: Changes to the DB server must be made on each node. Some of the references are rather old, such as this note: Installing and Configuring RADIUS and Oracle9i R2 (9.2.0) Advanced Security Option (ASO) on Linux (Doc ID 272804.1). While there may be some useful information in older documentation, you may find parts that no longer apply. For instance, the note specifies this lib should be present: 
[oracle@hostname Oracle_Home/lib]$ ls -l libnrad9.so 
 -rwxr-xr-x 1 oracle dba 41987 Jun 23 2003 libnrad9.so
This does not exist in a 19c install and is not required. If you find something that doesn't match your system when reviewing an old document such as 272804.1, don't immediately assume there is a problem, as it may just be that some parts of old documentation no longer apply. I suspect it is not really necessary to perform the check with adapters, but I did so anyway for completeness. Login as the oracle user:   
[oracle@19c01 admin]$ adapters
 
 Installed Oracle Net transport protocols are:
 
  IPC
  BEQ
  TCP/IP
  SSL
  RAW
  SDP/IB
  ExaDirect
 
 Installed Oracle Net naming methods are:
 
  Local Naming (tnsnames.ora)
  Oracle Directory Naming
  Oracle Host Naming
 
 Installed Oracle Advanced Security options are:
 
  RC4 40-bit encryption
  RC4 56-bit encryption
  RC4 128-bit encryption
  RC4 256-bit encryption
  DES40 40-bit encryption
  DES 56-bit encryption
  3DES 112-bit encryption
  3DES 168-bit encryption
  AES 128-bit encryption
  AES 192-bit encryption
  AES 256-bit encryption
  MD5 crypto-checksumming
  SHA-1 crypto-checksumming
  Kerberos v5 authentication
  RADIUS authentication
 
 [oracle@19c01 admin]$ cd $ORACLE_HOME/bin
 [oracle@19c01 bin]$ adapters ./oracle
 
 Oracle Net transport protocols linked with ./oracle are:
 
  IPC
  BEQ
  TCP/IP
  SSL
  SDP/IB
  ExaDirect
  RAW
 
 Oracle Net naming methods linked with ./oracle are:
 
  Local Naming (tnsnames.ora)
  Oracle Directory Naming
  Oracle Host Naming
 
 Oracle Advanced Security options linked with ./oracle are:
 
  RC4 40-bit encryption
  RC4 56-bit encryption
  RC4 128-bit encryption
  RC4 256-bit encryption
  DES40 40-bit encryption
  DES 56-bit encryption
  3DES 112-bit encryption
  3DES 168-bit encryption
  AES 128-bit encryption
  AES 192-bit encryption
  AES 256-bit encryption
  MD5 crypto-checksumming
  SHA-1 crypto-checksumming
  Kerberos v5 authentication
  RADIUS authentication

sqlnet.ora at the server

As per Configuring RADIUS Authentication: These changes must be made in the sqlnet.ora for the database, not grid.   
QLNET.RADIUS_AUTHENTICATION_PORT = 1812
 
 SQLNET.AUTHENTICATION_SERVICES= (BEQ, TCPS, RADIUS)
 
 SQLNET.RADIUS_AUTHENTICATION = 192.168.1.216
 
 SQLNET.RADIUS_SECRET=/u01/app/oracle/product/19.0.0/dbhome_1/network/security/radius.key
 
 ADR_BASE = /u01/app/oracle

radius.key

The file radius.key contains the secret added earlier in clients.conf on the FreeRadius server: 
oracle@rac19c01 admin]$ cat /u01/app/oracle/product/19.0.0/dbhome_1/network/security/radius.key
 secretoracle
 
 [oracle@rac19c01 admin]$ chmod 600 /u01/app/oracle/product/19.0.0/dbhome_1/network/security/radius.key

Database parameters

The default for os_authent_prefix is ops$, which must be changed to an empty string. Counterintuitively, the remote_os_authent parameter must be set to FALSE. As per the Oracle note Enabling RADIUS Authentication and Accounting (Doc ID 132820.1), this is due to a possible security breach if the parameter is set to TRUE. The default is FALSE, but I include it here for completeness.   
alter system set os_authent_prefix='' scope=spfile sid='*';
 alter system set remote_os_authent = false scope = spfile sid='*';
Then restart the database.

Add an Oracle user to FreeRadius

A user JKSTILL_RAD was created in the authorization configuration file, with a completely non-secure password of radius. Please, don't use simple passwords for production use. The following was added to /etc/freeradius/3.0/mods-config/files/authorize: 
## Oracle Users - username must be uppercase
 
 JKSTILL_RAD Cleartext-Password := "radius"
  Reply-Message := "Welcome to Oracle, %{User-Name}"
As noted in the comment, the username must be in uppercase. Radius usernames are case sensitive, and as Oracle stores usernames in upper case, the user name here must also be in upper case.

Test the username

The following test was performed on the FreeRadius server: 
root@radius-01:/etc/freeradius/3.0# radtest jkstill_rad radius 127.0.0.1 0 testing123
 Sent Access-Request Id 200 from 0.0.0.0:56423 to 127.0.0.1:1812 length 81
  User-Name = "jkstill_rad"
  User-Password = "radius"
  NAS-IP-Address = 127.0.1.1
  NAS-Port = 0
  Message-Authenticator = 0x00
  Cleartext-Password = "radius"
 Received Access-Accept Id 200 from 127.0.0.1:1812 to 0.0.0.0:0 length 52
  Reply-Message = "Welcome to Oracle, jkstill_rad"
OK, that all worked!

Create a user in the database

This part is simple enough. I logged into the database of choice, and created the user jkstill_rad as follows: 
SQL> create user jkstill_rad identified externally; 
 SQL> grant create session, connect, resource to jkstill_rad;
In case you are wondering about that lower case username; Oracle will convert it to upper case internally.

Configure the client

The only thing left to do before testing is to modify the sqlnet.ora at the client-side. The following line is all that needs to be added: 
SQLNET.AUTHENTICATION_SERVICES= (radius)

Testing the connection

The final step: does it work? 
echo "set heading off
 > select
 > 'DB_NAME : ' || name name,
 > 'SESSION_USER : ' || sys_context('USERENV','SESSION_USER') session_user,
 > 'AUTHENTICATED_IDENTITY : ' || sys_context('USERENV','AUTHENTICATED_IDENTITY') auth_id,
 > 'AUTHENTICATION_METHOD : ' || sys_context('USERENV','AUTHENTICATION_METHOD') auth_method,
 > 'LDAP_SERVER_TYPE : ' || sys_context('USERENV','LDAP_SERVER_TYPE') ldap_type,
 > 'ENTERPRISE_IDENTITY : ' || sys_context('USERENV','ENTERPRISE_IDENTITY') ent_id
 > from v\$database;" | sqlplus -L jkstill_rad/radius@//rac19c-scan:1521/pdb1.jks.com
 
 SQL*Plus: Release 12.1.0.2.0 Production on Thu Mar 12 18:23:23 2020
 
 Copyright (c) 1982, 2014, Oracle. All rights reserved.
 
 Last Successful login time: Thu Mar 12 2020 18:08:08 -07:00
 
 Connected to:
 Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
 
 JKSTILL_RAD@//rac19c-scan:1521/pdb1.jks.com > JKSTILL_RAD@//rac19c-scan:1521/pdb1.jks.com > 2 3 4 5 6 7 8
 DB_NAME : CDB
 SESSION_USER : JKSTILL_RAD
 AUTHENTICATED_IDENTITY : JKSTILL_RAD
 AUTHENTICATION_METHOD : RADIUS
 LDAP_SERVER_TYPE :
 ENTERPRISE_IDENTITY : JKSTILL_RAD
 
 
 1 row selected.

Success! If you have a need to use external authorization for your Oracle databases, the FreeRadius server is up to the task. Really, this was not difficult to configure. The most difficult task is just locating the relevant documentation. Later articles will detail how to add a database back-end and 2FA authentication to FreeRadius.

Oracle Database Consulting Services

Ready to optimize your Oracle Database for the future?
View full post