
Lesson 7: Introducing RADIUS adapter
Objective: Define the RADIUS adapter and its purpose.

Oracle RADIUS Adapter

One of the security options supported with the OAS option of Network Services is the Remote Authentication Dial-In User Service, or RADIUS[1] protocol. This protocol is popular in Web applications that require user identification with passwords. It is also being used with a variety of security devices that check fingerprints, retina scans, or that use a smart card for security access. Oracle can be configured with the Advanced Security option to implement authentication using RADIUS. Oracle Net Services uses RADIUS as an intermediate layer between the user and the database server.
The diagram for Oracle Database 23c authentication architecture represents a modernized flow using Oracle Identity Cloud Service (IDCS) and Advanced Security, replacing legacy RADIUS-based infrastructure. Here's how the components interact:
🔁 Component Interaction in Oracle 23c Authentication
  1. Client
    • The client initiates a connection request to the Oracle Database 23c.
    • Credentials or authentication tokens are included in the request.
  2. Advanced Security Layer
    • This layer acts as an intermediary between the client and the authentication infrastructure.
    • It encrypts communication, validates the authentication method, and routes credentials for verification.
    • It supports modern protocols like OAuth 2.0, SAML, or OpenID Connect.
  3. Oracle Identity Cloud Service (IDCS)
    • The Advanced Security Layer forwards the authentication request to IDCS.
    • IDCS serves as the identity provider (IdP) and evaluates the authentication credentials (e.g., username/password, MFA token, or SSO assertion).
    • IDCS can also issue access tokens or identity assertions based on configured identity federation.
  4. Authentication Server
    • IDCS may delegate or synchronize with an external Authentication Server (e.g., LDAP, Active Directory, or an enterprise IdP) to validate user identity.
    • This layer enforces password policies, access rules, and multi-factor checks.
  5. Oracle Database 23c
    • Once the identity is validated, the Advanced Security Layer allows the session to be established.
    • The database applies role-based access and audits the session using its unified security framework.


✅ Key Benefits in This Architecture
Feature               | Benefit
----------------------|-------------------------------------------------------
Advanced Security     | Encrypted traffic, centralized credential handling
IDCS Integration      | Federated identity, cloud-native SSO, MFA
Authentication Server | Legacy system compatibility and policy enforcement
Oracle 23c            | Seamless global user access with audit compliance

This model enables scalable, secure, and cloud-ready authentication in distributed Oracle environments, replacing brittle legacy mechanisms like RADIUS.

Step-by-step Configuration for Identity Cloud Service (IDCS) authentication in Oracle 23c

Configuring "Oracle Identity Cloud Service (IDCS)" with "Oracle Database 23c" involves integrating modern identity management with traditional database authentication flows. This configuration allows administrators to centralize user authentication, enforce multi-factor policies, and align with identity federation protocols such as 1) OAuth 2.0, 2) OpenID Connect, and 3) SAML 2.0[2]. The process begins by registering Oracle Database as a resource within IDCS. This is typically done by creating a Confidential Application in the IDCS console, where administrators define client credentials (Client ID and Secret), assign scopes, and configure redirect URIs if necessary. This setup prepares IDCS to issue access tokens that can be validated by Oracle Database during authentication requests.
On the Oracle 23c side, you must enable Oracle Advanced Security, configure SSL/TLS communication, and set up a wallet that contains trusted root certificates for IDCS. The sqlnet.ora file is updated to support TCPS[3] (TLS/SSL) and specify wallet locations. Once the security layer is in place, Oracle 23c can accept token-based authentication, validate the tokens against IDCS, and use global users (`IDENTIFIED GLOBALLY`) for access control. The database maps these authenticated identities to internal roles and privileges using standard `GRANT` statements. Administrators can optionally configure centralized auditing to track access by federated users, enhancing compliance and traceability across hybrid environments.
To complete the configuration, developers or users accessing the database must acquire an access token from IDCS using the OAuth 2.0 `client_credentials` or `password` grant type. This token is included in the authentication request to Oracle 23c, either via SQL*Plus, Oracle SQL Developer, or custom applications using Oracle JDBC drivers that support OAuth tokens. Oracle 23c will validate the token and associate it with a global database user. By leveraging IDCS, organizations benefit from unified identity lifecycle management, reduced attack surface, and easier integration with third-party SaaS services or enterprise directories like Microsoft Active Directory or LDAP.
Here is a "step-by-step configuration guide" to set up Oracle Database 23c authentication using Oracle Identity Cloud Service (IDCS) and Advanced Security, replacing the older RADIUS-based system:
🔧 Step-by-Step Configuration: Oracle 23c + IDCS + Advanced Security
✅ Prerequisites
  • Oracle Database 23c installed and running.
  • Oracle Identity Cloud Service (IDCS) instance available.
  • Oracle Advanced Security option licensed and enabled.
  • Access to Oracle Wallet Manager (OWM) or orapki CLI.
  • SSL/TLS certificates from IDCS.
  • Admin credentials in both DB and IDCS.

📘 Step 1: Enable Advanced Security in Oracle 23c
  1. Edit sqlnet.ora:
    SQLNET.AUTHENTICATION_SERVICES = (TCPS)
    SSL_VERSION = 1.2
    WALLET_LOCATION = (SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/u01/app/oracle/wallet)))
    
  2. Create wallet and import IDCS certificate:
    orapki wallet create -wallet /u01/app/oracle/wallet -auto_login
    orapki wallet add -wallet /u01/app/oracle/wallet -trusted_cert -cert idcs_root_ca.pem
    
  3. Restart the listener if using SSL ports:
    lsnrctl reload
    
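The three sqlnet.ora parameters in Step 1 are the ones a reviewer checks first when auditing a TCPS deployment. The following Python script is an added example (not part of the lesson or of any Oracle tool) that parses a sqlnet.ora fragment and flags a missing TCPS authentication service, a TLS version below 1.2, or a wallet without a DIRECTORY. The two fragments are constructed for the example; the weak one shows what a pre-hardening file typically looks like, the hardened one matches the values given in Step 1.

```python
import re

# Constructed sample fragments (not taken from a real deployment).
WEAK_SQLNET_ORA = """
# legacy settings: no TLS authentication, old protocol version, no wallet
SQLNET.AUTHENTICATION_SERVICES = (NONE)
SSL_VERSION = 1.0
"""

HARDENED_SQLNET_ORA = """
SQLNET.AUTHENTICATION_SERVICES = (TCPS)
SSL_VERSION = 1.2
WALLET_LOCATION = (SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/u01/app/oracle/wallet)))
"""


def parse_sqlnet(text):
    """Return {PARAM: raw value} for 'PARAM = value' lines.
    Nested descriptors such as WALLET_LOCATION are kept as the raw string."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[key.strip().upper()] = value.strip()
    return params


def wallet_directory(text):
    """Extract the DIRECTORY path from WALLET_LOCATION, or None if absent."""
    wallet = parse_sqlnet(text).get("WALLET_LOCATION", "")
    m = re.search(r"DIRECTORY\s*=\s*([^)]+)", wallet)
    return m.group(1).strip() if m else None


def check_tls_settings(text):
    """Return a list of findings; an empty list means the fragment passes."""
    p = parse_sqlnet(text)
    findings = []

    auth = p.get("SQLNET.AUTHENTICATION_SERVICES", "")
    if "TCPS" not in auth.upper():
        findings.append("SQLNET.AUTHENTICATION_SERVICES does not include TCPS")

    ssl = p.get("SSL_VERSION")
    if ssl is None:
        findings.append("SSL_VERSION is not set")
    else:
        # Oracle accepts single values like 1.2 or lists like "1.2 or 1.3";
        # any listed version below 1.2 is a finding.
        versions = re.findall(r"\d\.\d", ssl)
        if any(float(v) < 1.2 for v in versions):
            findings.append(f"SSL_VERSION {ssl} permits a TLS version below 1.2")

    if wallet_directory(text) is None:
        findings.append("WALLET_LOCATION has no DIRECTORY (no wallet for the IDCS root CA)")

    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SQLNET_ORA), ("hardened", HARDENED_SQLNET_ORA)):
        print(name, check_tls_settings(cfg) or "OK")
```

Run it against a copy of the real sqlnet.ora by reading the file into `check_tls_settings`; the checker only inspects the parameters named in Step 1 and does not verify that the wallet on disk actually contains the IDCS root certificate, which still needs `orapki wallet display`.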

📘 Step 2: Register Oracle DB with IDCS
  1. Log in to Oracle Cloud Console → Identity → Applications.
  2. Create a new Confidential Application:
    • Set redirect URIs (if needed).
    • Record Client ID and Client Secret.
    • Enable Resource Owner Password Credentials grant (if applicable).
  3. Configure Oracle as a protected resource:
    • Scope: urn:opc:idm:__myscope__
    • Audience: your-database-service-name

📘 Step 3: Configure OAuth 2.0 Access from Oracle DB
  1. Create a global user in Oracle:
    CREATE USER "cloud_user@example.com" IDENTIFIED GLOBALLY;
    GRANT CONNECT TO "cloud_user@example.com";
    
  2. Define identity federation with IDCS: Use DBMS_LDAP, DBMS_AUTH, or federation tools to point Oracle 23c to IDCS.

📘 Step 4: Test Authentication with OAuth2 Tokens
  1. Use OAuth client credentials to get access token:
    curl -X POST https://idcs.example.com/oauth2/v1/token \
    -H "Content-Type: application/x-www-form-urlencoded" \
    -d "grant_type=client_credentials&client_id=XYZ&client_secret=ABC&scope=urn:opc:idm:myscope"
    
  2. Connect to Oracle using token-based login: Use sqlplus, JDBC, or Oracle SQL Developer with federated login support.
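The curl call in Step 4 obtains the token; what the database side must then do with it is the part the lesson leaves implicit. The following Python is an added example (not the lesson's code and not Oracle's or IDCS's implementation) showing the checks a resource server performs before mapping a token to a global user: signature, issuer, audience, expiry and scope. To stay offline it mints its own HS256 token with an assumed shared key; real IDCS access tokens are RS256-signed with the tenant's published keys, and the issuer URL, audience and scope values are the placeholders from Steps 2 and 4.

```python
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import urlencode

# Assumed placeholder values (same ones used in Steps 2 and 4 above).
IDCS_BASE_URL = "https://idcs.example.com"
TOKEN_ENDPOINT = IDCS_BASE_URL + "/oauth2/v1/token"
REQUIRED_SCOPE = "urn:opc:idm:myscope"
DB_AUDIENCE = "your-database-service-name"


def build_token_request(client_id, client_secret, scope=REQUIRED_SCOPE):
    """Form-encoded body of the client_credentials POST shown in Step 4."""
    return urlencode({"grant_type": "client_credentials", "client_id": client_id,
                      "client_secret": client_secret, "scope": scope})


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_demo_token(claims, signing_key):
    """Mint an HS256 JWT for the demo only; IDCS issues RS256 tokens."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(signing_key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate_token(token, signing_key, now=None):
    """Resource-server checks before the token is trusted.
    Returns (ok, reason, claims); claims is None when the token is unreadable."""
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
    except (ValueError, json.JSONDecodeError):
        return False, "malformed", None
    if header.get("alg") != "HS256":          # never accept an unexpected algorithm
        return False, "unexpected alg", None
    expected = hmac.new(signing_key, (h + "." + p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return False, "bad signature", None
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != IDCS_BASE_URL:
        return False, "wrong issuer", claims
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if DB_AUDIENCE not in aud:               # token minted for another service
        return False, "wrong audience", claims
    if claims.get("exp", 0) <= now:
        return False, "expired", claims
    if REQUIRED_SCOPE not in claims.get("scope", "").split():
        return False, "missing scope", claims
    return True, "ok", claims


def global_user_for(claims):
    """Name of the IDENTIFIED GLOBALLY user the subject maps to (Step 3)."""
    return '"%s"' % claims["sub"]


if __name__ == "__main__":
    key = b"demo-signing-key"   # assumed, for the demo only
    now = int(time.time())
    tok = make_demo_token({"iss": IDCS_BASE_URL, "aud": DB_AUDIENCE,
                           "sub": "cloud_user@example.com", "exp": now + 300,
                           "scope": REQUIRED_SCOPE}, key)
    ok, reason, claims = validate_token(tok, key, now)
    print(reason, global_user_for(claims) if ok else "")
```

The audience check is the one most often skipped: a token that is valid for a different IDCS resource must not open a database session, which is why Step 2 registers the database with its own audience value.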

📘 Step 5: Secure Auditing and Access Controls
  1. Enable Unified Auditing:
    ALTER SYSTEM SET AUDIT_TRAIL = DB, EXTENDED SCOPE = SPFILE;
    SHUTDOWN IMMEDIATE;
    STARTUP;
    
  2. Create roles mapped to IDCS groups:
    CREATE ROLE idcs_analyst;
    GRANT SELECT ON important_table TO idcs_analyst;
    GRANT idcs_analyst TO "cloud_user@example.com";
    

✅ Summary Checklist
Task                                              | Status
--------------------------------------------------|-------
Wallet created and IDCS cert imported             | [ ]
IDCS application registered and secrets retrieved | [ ]
Oracle user mapped to federated ID                | [ ]
OAuth2 tested and working                         | [ ]
Unified auditing configured                       | [ ]


Theory behind the RADIUS Protocol

RADIUS is a widely accepted protocol and is definitely a key player in network security, primarily focusing on authentication, authorization, and accounting (AAA).
Areas where RADIUS is widely used and provides security:
  • Network Access Control: This is RADIUS's core strength. It's extensively used for securing access to:
    • Wireless Networks (Wi-Fi): Often as the backend for WPA2/WPA3-Enterprise using 802.1X.
    • Virtual Private Networks (VPNs): Authenticating remote users before granting access to internal resources.
    • Wired Networks (Ethernet): Again, often in conjunction with 802.1X for port-based access control.
    • Network Devices: Authenticating administrators accessing routers, switches, and other infrastructure.
  • Internet Service Providers (ISPs): For authenticating and managing user access to the internet and related services like DSL and broadband.

Areas where RADIUS has a presence but might not be the primary or most robust solution for "securing":
  • Internet Applications: While RADIUS can be used for authentication in some web applications (often via a RADIUS client or agent), it's not the most common or feature-rich protocol for securing modern web applications. Protocols like OAuth 2.0, SAML, and OpenID Connect are generally preferred for their flexibility in handling diverse authentication and authorization scenarios in web environments.
  • Directory Access Services: RADIUS can authenticate users against directory services like LDAP or Active Directory. However, it doesn't provide the comprehensive security and management capabilities for accessing and managing directory information itself. Protocols like LDAP and Kerberos are fundamental for securing directory access.
  • Firewalls: RADIUS can be used to authenticate administrators who need to manage firewall configurations. It can also be used in some cases to authenticate users trying to pass through the firewall. However, the core security functions of a firewall (packet filtering, stateful inspection, intrusion prevention, etc.) are separate from the authentication protocol.

In summary: RADIUS is a cornerstone protocol for network access security. It excels at centralizing authentication, authorization, and accounting for various network access methods. While it can play a role in authenticating users for internet applications, directory services, and firewall administration, it's not typically the primary protocol responsible for securing these broader categories in their entirety. More specialized protocols often handle the specific security requirements of these applications and services.

Legacy Diagram of Oracle Database interacting with Radius

The following diagram shows how the Oracle database, Network Services, and RADIUS worked in the pre-Oracle 9i infrastructure.
Diagram: Radius Oracle

Client: For this scenario, let us say the client is using a Web browser and has started an application that prompts for the username and password. Once the user types this in, the information goes to Oracle Net Services.
Oracle Net Services: Oracle Net Services has Oracle Advanced Security in place, so before anything goes to the database, Oracle Net Services first passes it through the Advanced Security. Advanced Security takes the username and password and transmits it to the RADIUS Server.
RADIUS Server: The RADIUS Server receives the username and password and sends it on to the Authentication Server. Depending on the implementation (by a third party, not Oracle), the RADIUS Server and the Authentication Server may be within the same software.
Oracle Server: Once the user's identity has been validated, Oracle Net Services passes the request on to the database server. The database server logs the user in, processes whatever request for data has been made, and returns the information to Oracle Net Services, which in turn returns that data to the client.
Authentication Server: The Authentication Server validates the user's name and password and returns an "Accepted" or "Rejected" flag to the RADIUS Server.

  • Remote Authentication Dial-In User Service (RADIUS)
    Remote Authentication Dial-In User Service (RADIUS) is a lightweight protocol used for authentication as well as authorization and accounting services. In an Oracle environment, the Oracle server acts as the client to a RADIUS server when an authorization request is sent from an Oracle client. Any authentication method that supports the RADIUS standard, whether it be 1) token cards, 2) smart cards, or 3) SecurID ACE, can easily be added to the RADIUS server as a new authentication method without any changes being made on the client or server configuration files, such as sqlnet.ora.
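The exchange described in the legacy diagram and in the RADIUS definition above (the Oracle server acting as RADIUS client, the RADIUS server answering Accept or Reject) is the RFC 2865 Access-Request/Access-Accept exchange with a PAP password. The following Python is an added example, not Oracle's adapter and not a production RADIUS implementation: it builds the request with the standard User-Password hiding (MD5 over the shared secret and Request Authenticator), has a toy server reveal the password, check it against a constructed user table and sign the reply with the Response Authenticator, and has the client verify that authenticator so that a forged Accept is discarded. The shared secret and credentials are constructed values.

```python
import hashlib
import hmac
import os
import struct

# RFC 2865 packet codes and the two attributes used here.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def _md5(*parts):
    return hashlib.md5(b"".join(parts)).digest()


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encode_attrs(attrs):
    """Attributes are Type(1) Length(1, includes header) Value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, length = struct.unpack("!BB", data[i:i + 2])
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def hide_password(password, secret, request_auth):
    """RFC 2865 section 5.2: pad to 16-byte blocks, XOR each with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    if len(password) > 128:
        raise ValueError("password longer than 128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], _md5(secret, prev))
        out += block
        prev = block
    return out


def reveal_password(hidden, secret, request_auth):
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, _md5(secret, prev))
        prev = block
    return out.rstrip(b"\x00")


def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_packet(data):
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data) or length < 20:
        raise ValueError("bad packet length")
    return code, ident, data[4:20], decode_attrs(data[20:])


def client_access_request(username, password, secret, ident=1, request_auth=None):
    """Side of the Oracle server (RADIUS client): returns (packet, request_auth)."""
    ra = request_auth or os.urandom(16)
    attrs = [(ATTR_USER_NAME, username),
             (ATTR_USER_PASSWORD, hide_password(password, secret, ra))]
    return build_packet(ACCESS_REQUEST, ident, ra, attrs), ra


def server_handle(packet, secret, check_credentials):
    """Toy RADIUS/authentication server: answers Accept or Reject, with
    Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attributes + Secret)."""
    code, ident, ra, attrs = parse_packet(packet)
    if code != ACCESS_REQUEST:
        raise ValueError("unexpected code")
    a = dict(attrs)
    user = a.get(ATTR_USER_NAME, b"")
    password = reveal_password(a.get(ATTR_USER_PASSWORD, b""), secret, ra)
    resp_code = ACCESS_ACCEPT if check_credentials(user, password) else ACCESS_REJECT
    body = b""  # no reply attributes in this demo
    head = struct.pack("!BBH", resp_code, ident, 20 + len(body))
    return head + _md5(head, ra, body, secret) + body


def client_check_response(response, secret, ident, request_auth):
    """True on Accept, False on Reject, None if the reply fails verification."""
    code, rid, resp_auth, _ = parse_packet(response)
    expected = _md5(response[:4], request_auth, response[20:], secret)
    if rid != ident or not hmac.compare_digest(expected, resp_auth):
        return None  # wrong identifier or forged authenticator: do not trust it
    return code == ACCESS_ACCEPT
```

The client-side authenticator check is the detail that matters for defence: without it, any host that can inject a UDP datagram toward the Oracle server could answer with an Accept. The check, however, depends entirely on the strength and secrecy of the shared secret and on MD5, which is why RADIUS traffic between the Oracle server and the RADIUS server should run over a protected path such as IPsec or RadSec rather than bare UDP.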

The next lesson covers configuration of the RADIUS adapter for Network Services.

[1] RADIUS: Acronym for Remote Authentication Dial-In User Service, a client-server security protocol that is used primarily with the Internet.
[2] SAML: SAML (Security Assertion Markup Language) is an XML-based open standard for securely exchanging authentication and authorization data between an Identity Provider (IdP) and a Service Provider (SP). Within Oracle Identity Cloud Service (IDCS) authentication in Oracle 23c, SAML enables single sign-on (SSO), allowing users to authenticate once with IDCS and then seamlessly access Oracle 23c resources and other SAML-enabled applications without re-entering credentials. This federation of identities simplifies user management and enhances security by centralizing authentication.
[3] TCPS: TCPS (Transmission Control Protocol Secure) is a protocol used to establish secure, encrypted connections, often leveraging SSL/TLS, for data transfer. Within the context of Oracle Identity Cloud Service (IDCS), TCPS can be utilized to secure communication pathways between IDCS and other components or services, ensuring the confidentiality and integrity of the data exchanged.