Configuring RADIUS for use with Oracle Application Server and Oracle Net Services involves several steps, which we will look at in this lesson. The series of images below describes how to install and configure RADIUS for Oracle.
The RADIUS (Remote Authentication Dial-In User Service) adapter is still supported in Oracle Database 23c and can be useful in specific enterprise scenarios.
Support in Oracle 23c:
Oracle Database 23c includes support for RADIUS authentication. You can configure Oracle clients and servers to use RADIUS for user authentication.
Starting with Oracle Database 23ai (which is the on-premises version of 23c), the older RADIUS API based on RFC 2138 is deprecated. Oracle 23ai introduces an updated RADIUS API based on RFC 6613 and RFC 6614, which Oracle recommends migrating to.
You can configure RADIUS on the Oracle client using Oracle Net Manager by modifying the sqlnet.ora file.
Similarly, you configure RADIUS on the Oracle Database server by creating a RADIUS secret key file and modifying parameters in the sqlnet.ora file.
Oracle 23c also supports RADIUS two-factor authentication.
Useful Enterprise Scenarios for RADIUS:
RADIUS is a widely used standard protocol for centralized Authentication, Authorization, and Accounting (AAA). It is particularly useful in enterprise environments for:
Network Access Control: RADIUS is commonly used to control access to network devices such as switches, routers, and wireless access points. When a user tries to connect to the network, their credentials are sent to a RADIUS server for verification.
Wireless Authentication (WPA2-Enterprise): In enterprise Wi-Fi networks, RADIUS is often used with WPA2-Enterprise to provide strong authentication using individual user credentials instead of a shared password. This enhances security and allows for better access control and auditing.
VPN Access: RADIUS can be used to authenticate users connecting to a Virtual Private Network (VPN), ensuring that only authorized users can establish secure remote connections to the corporate network.
Centralized User Management: By using a RADIUS server integrated with an identity store like Active Directory or LDAP, organizations can manage user access to various network resources from a central point. This simplifies administration and ensures consistent security policies.
Accounting and Auditing: RADIUS servers can track network usage, including connection time, data transferred, and services accessed. This information can be valuable for billing, capacity planning, and security auditing.
Multi-Factor Authentication (MFA): RADIUS can be integrated with various MFA methods, adding an extra layer of security to the authentication process.
Oracle 23c Security Features:
While RADIUS provides external authentication capabilities, Oracle 23c itself includes several new and enhanced security features, such as:
SQL Firewall: Provides real-time protection against SQL injection attacks by monitoring and blocking unauthorized SQL statements.
Longer Passwords: Increases the maximum length of database passwords to 1024 bytes, enhancing password strength.
Audit Access to Sensitive Columns: Allows for creating policies to audit access to specific sensitive columns.
TLS 1.3 Support: Supports the latest version of Transport Layer Security for secure communication.
Microsoft Azure AD Integration: Enables Azure Active Directory users to use their Azure AD credentials to access Oracle databases.
Developer Role and Schema Privileges: Simplifies privilege management for developers.
In summary, the RADIUS adapter continues to be a relevant and supported component in Oracle 23c, particularly for enterprises needing centralized authentication and access control for network resources, including the database. Oracle 23c also provides a range of its own security enhancements to protect the database itself.
As of Oracle Database 23c, configuring a RADIUS Adapter is not strictly necessary in most cases because Oracle has introduced more modern and flexible authentication mechanisms, but the RADIUS adapter is still supported and useful in specific enterprise scenarios.
✅ When is the RADIUS Adapter Still Necessary in 23c?
Oracle 23c continues to support RADIUS-based authentication for backward compatibility and integration with existing enterprise infrastructure. You would still configure the RADIUS adapter if:
Your organization uses a centralized RADIUS authentication server (e.g., Cisco ISE, Microsoft NPS) for database logins via network authentication.
You are supporting multi-factor authentication (MFA) or one-time passwords (OTP) using RADIUS-based identity systems.
You want to extend support for external authentication without transitioning to newer methods like Kerberos, SAML, or OAuth2.
You are running hybrid environments where legacy applications depend on the RADIUS-based login flow.
❌ When You May Not Need RADIUS Anymore
Oracle 23c offers more modern alternatives to RADIUS:
Kerberos/Active Directory authentication
Oracle Identity Cloud Service (IDCS) integration
OAuth2 and OpenID Connect
SSL/TLS-based X.509 certificate authentication
Pluggable Database (PDB)-level identity control
These options are more integrated into cloud and zero-trust architectures.
Summary
| Scenario | Use RADIUS Adapter? |
| --- | --- |
| Legacy external authentication system (e.g., OTP, RSA SecurID) | ✅ Yes |
| Centralized enterprise RADIUS infrastructure | ✅ Yes |
| Moving to Oracle Cloud or IDCS | ❌ No |
| New apps using OAuth2/OpenID | ❌ No |
| Internal only apps with local database authentication | |
Step-by-step procedure to migrate from RADIUS Adapter to "Oracle Identity Cloud Service (IDCS)" in Oracle 23c
Migrating from a RADIUS adapter to Oracle Identity Cloud Service (IDCS) in Oracle 23c involves several key steps, including setting up IDCS, federating identities, and configuring Oracle Database for cloud-based identity authentication. This procedure assumes you're moving toward a federated identity and centralized user management strategy.
🔁 Migration from RADIUS Adapter to Oracle IDCS in Oracle 23c
🔧 Prerequisites
You must have Oracle 23c installed and configured.
You need access to an Oracle Cloud tenancy with IDCS (Oracle Identity Cloud Service) enabled.
Your database should have Oracle Advanced Security licensed for identity federation.
Ensure wallet and certificate infrastructure is in place for secure communications.
📘 STEP-BY-STEP PROCEDURE
Identify all users and applications using RADIUS authentication.
Review sqlnet.ora and confirm RADIUS is set:
SQLNET.AUTHENTICATION_SERVICES = (RADIUS)
Review the RADIUS configuration file (radius.ora) and authentication flow.
In IDCS, go to Resources → Databases → Register Database.
Provide:
Database name
Listener port
Connection string
Download the IDCS metadata (JSON or XML)
Map IDCS Users to Database Roles:
In Oracle Database 23c:
CREATE USER "cloud_user@example.com" IDENTIFIED GLOBALLY;
GRANT CONNECT, RESOURCE TO "cloud_user@example.com";
You can also create enterprise roles and map them:
CREATE ROLE idcs_app_role;
GRANT idcs_app_role TO "cloud_user@example.com";
Test Authentication with IDCS:
Use SQL*Plus with Oracle Wallet and an OAuth2 token:
sqlplus /@dbalias
Use cloud-based user credentials from IDCS to log in.
Decommission RADIUS Adapter:
Remove RADIUS from sqlnet.ora:
SQLNET.AUTHENTICATION_SERVICES = (TCPS)
Remove or archive radius.ora and any RADIUS logs.
Inform security and network teams of deprecation.
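A check for the first and last steps of the procedure above, as an added example that is not part of the original lesson or Oracle's tooling: it parses sqlnet.ora text and reports whether RADIUS is still listed in SQLNET.AUTHENTICATION_SERVICES and which SQLNET.RADIUS_* parameters remain. The sample file contents and the host name are constructed.

```python
import re

# Constructed sample files (not from the lesson): before and after decommissioning.
BEFORE = """\
# sqlnet.ora (legacy RADIUS setup)
SQLNET.AUTHENTICATION_SERVICES = (RADIUS)
SQLNET.RADIUS_AUTHENTICATION = radius.example.internal
SQLNET.RADIUS_AUTHENTICATION_PORT = 1812
"""
AFTER = """\
SQLNET.AUTHENTICATION_SERVICES = (TCPS)
SQLNET.RADIUS_AUTHENTICATION_PORT = 1812
"""

def parse_sqlnet(text):
    """Return {PARAMETER: value} from sqlnet.ora text; names are upper-cased."""
    params, name = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if line[0].isspace() and name:            # indented line continues a value
            params[name] += " " + line.strip()
            continue
        if "=" in line:
            key, value = line.split("=", 1)
            name = key.strip().upper()
            params[name] = value.strip()
    return params

def radius_findings(text):
    """Report whether RADIUS is still enabled and which RADIUS settings are left."""
    params = parse_sqlnet(text)
    listed = params.get("SQLNET.AUTHENTICATION_SERVICES", "")
    services = [s.upper() for s in re.findall(r"[A-Za-z0-9_]+", listed)]
    leftovers = sorted(p for p in params if p.startswith("SQLNET.RADIUS_"))
    return {"radius_enabled": "RADIUS" in services, "leftover_params": leftovers}

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, radius_findings(text))
```

A leftover SQLNET.RADIUS_* line after the switch to TCPS is harmless to authentication but is a sign that the decommission step was only partly done.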
✅ Final Checklist
| Task | Status |
| --- | --- |
| IDCS configured and accessible | ✅ |
| Users migrated to IDCS | ✅ |
| OAuth federation set up with wallet and certificates | ✅ |
| Database users mapped to IDCS identities | ✅ |
| Legacy RADIUS decommissioned | ✅ |
As an Oracle 23c consultant, here's how I would describe the migration process from RADIUS to Oracle Identity Cloud Service (IDCS), as illustrated in the diagram:
In the legacy setup, users authenticate through the RADIUS Adapter, which acts as a bridge between external authentication servers (e.g., RSA SecurID or Microsoft NPS) and the Oracle 23c database. This configuration, while reliable, is increasingly being replaced by cloud-native identity services to align with zero-trust security models and centralized identity governance.
The diagram shows a red migration path that indicates we are decoupling Oracle 23c from the RADIUS layer and transitioning authentication responsibilities to Oracle Identity Cloud Service (IDCS). IDCS becomes the new centralized identity provider, supporting modern protocols such as OAuth 2.0, OpenID Connect, and SAML.
Once IDCS is fully integrated:
Users authenticate via IDCS, not through RADIUS.
The Oracle 23c database receives federated identity tokens (validated via wallet/certificate-based trust), and users are mapped to global database accounts.
This setup ensures secure, scalable, and auditable access with minimal dependency on aging infrastructure.
Ultimately, this migration modernizes the identity architecture, reduces administrative overhead, and prepares the environment for hybrid or full cloud deployments. It's a critical step toward future-proofing Oracle identity and access management.
There are several more tasks you can do to fine-tune the RADIUS software, including setting up audit trails and log files. These are optional and depend on the specific vendor's requirements, so we do not cover them here.
The following section lists the steps for configuring RADIUS in order.
Steps to configure RADIUS Adapter
Install RADIUS support in OAS.
Configure Net8 using sqlnet.ora file.
Create secret key file in Oracle's Security directory.
Configure Oracle8i Server using the init.ora file.
Configure RADIUS Server to see Oracle8i as a RADIUS client.
Create users in Oracle8i.
Set up user accounts in RADIUS Server.
Question: Which of the following statements is true about RADIUS?
The RADIUS server and the Oracle server can be on the same machine.
The RADIUS server and the Oracle server must be on different machines.
The RADIUS server and the authentication server must be on different machines.
None of the above is true.
Answer:
The correct answer is:
The RADIUS server and the Oracle server can be on the same machine.
Explanation:
RADIUS (Remote Authentication Dial-In User Service) is a protocol used to provide centralized Authentication, Authorization, and Accounting (AAA). While it is common to separate concerns by placing the RADIUS server and the Oracle database on different machines for scalability and security, there is no technical requirement preventing them from being on the same machine. Therefore, the statement that they *must* be on different machines is false.
Diagram showing how Oracle and RADIUS interact during Authentication
The diagram illustrates the interaction between a **Client**, **Oracle Database**, and a **RADIUS Server** during the authentication process. Here’s a step-by-step breakdown of the interaction:
Client Sends Credentials to Oracle
The user initiates a connection to the Oracle Database by entering their credentials (e.g., username/password).
These credentials are passed from the client application to the Oracle server.
Oracle Forwards Authentication Request to RADIUS Server
Oracle is configured to use external authentication via RADIUS.
It forwards the authentication request, including the user's credentials, to the RADIUS server.
This is typically done over UDP (port 1812) using the RADIUS protocol.
RADIUS Server Responds to Oracle
The RADIUS server verifies the credentials against its internal user database or a linked authentication backend (e.g., LDAP, Active Directory).
It then sends back a response to the Oracle server:
Access-Accept if authentication is successful.
Access-Reject if authentication fails.
Based on this response, Oracle either allows or denies the client session.
This setup allows centralized user management and integrates Oracle with enterprise identity infrastructure.
The next lesson is the module conclusion.