Written by: ilmarkerm

Category: Blog entry

Published: May 15, 2023

I’ve been using the old good Radius authentication protocol to authenticate database accounts (created for humans) with Active Directory credentials. It may sound strange use case, specially since Oracle also advertises its own Active Directory integration (Centrally Managed Users) and also there is Kerberos. I’ve had the following problems with them:

• CMU – in order to use Active Directory passwords, AD schema needs to be modified and AD filter installed on AD side. I think the latter removes this feature from consideration.
• Kerberos – passwordless login is very tempting and if you get it running on Oracle side – definetly a feature to consider. But deploying at scale and maintaining it is a nightmare, almost impossible to automate.

Radius on the other hand – Windows domain controllers have Radius server built in and it is also very easy to deploy at large scale and maintain on Oracle database side.

Configure database server

First add the following to database sqlnet.ora. File /u01/app/oracle/radius.key is a simple text file containing just the Radius secret. 10.0.0.1 and 10.0.0.2 are my Radius servers running on Windows, both using port 1812.

# Radius authentication settings
SQLNET.RADIUS_AUTHENTICATION_PORT = 1812
SQLNET.RADIUS_SECRET=/u01/app/oracle/radius.key
SQLNET.RADIUS_AUTHENTICATION = 10.0.0.1
SQLNET.RADIUS_ALTERNATE = 10.0.0.2

In the database itself set parameter os_authent_prefix to empty string:

alter system set os_authent_prefix='' scope=spfile;

And create the database users IDENTIFIED EXTERNALLY, and database username must match WInodws AD username.

CREATE USER ilmker IDENTIFIED EXTERNALLY;

Configure the client

The bad thing with Radius authenticated users is that the database client must also support Radius. Oracle thick driver supports it just fine, also JDBC thin driver.

When using Oracle thick client (Instatnt client), turn on Radius authentication by adding it to sqlnet.ora:

$ cat ORACLE_CLIENT_HOME/network/admin/sqlnet.ora

SQLNET.AUTHENTICATION_SERVICES=(RADIUS)

After that you can use this client to log into the database using both database authenticated users and Radius authenticated users.

JDBC thin driver is a little bit trickier (tested using 21c JDBC driver)

To use Radius add the following Java VM option – but the problem with that is that you cannot use database authenticated users after turning on this option.

-Doracle.net.authentication_services='(RADIUS)'

If you want to use it with SQL Developer, add the following to product.conf file

AddVMOption -Doracle.net.authentication_services='(RADIUS)'

As mentioned earlier this would disable database authenticated accounts, so in case of SQL Developer changing product.conf is not desirable.

Since 19c JDBC thin driver, it is also possible to change Java properties within the connection string using EasyConnect syntax:

tcp://oracle.db.example.com:1521/application_service.domain?oracle.net.authentication_services='(RADIUS)'

One bug that I discovered in JDBC thin driver support for Radius (and Oracle is still working on it) – if you use Radius together with TCPS and database server has also enabled Oracle Native Encryption – you will get the following error from JDBC driver IO Error: Checksum fail

This is rather strange error, since when using TCPS – Oracle Native Encryption should be turned off automatically, but this error comes from Native encryption checksumming. To get around it, have to disable Native Encryption checksumming from the client side – which can also be done from inside the connection string.

tcps://oracle.db.example.com:1523/application_service.domain?oracle.net.authentication_services='(RADIUS)'&oracle.net.crypto_checksum_client=REJECTED