Authentication DB


Revision as of 14:40, 16 April 2021

RADIUS > Settings > PTA

Pass-through authentication (PTA) lets the RADIUS server confer with another entity (for example a Windows security database or an Oracle database) to validate the user's username and password.[1]

The imRAD connects directly to a customer database and executes a query to validate the user. With this setting a user can be authenticated without migrating the user information from the customer database into the imRAD database.
You can add up to 4 entities; the following DBMSs are supported:

* MariaDB
* MySQL
* Oracle 11g ~ 19c
* Microsoft SQL Server 2014 ~ 2019
* Tibero 6
* PostgreSQL 12
* Sybase

The imRAD decrypts the User-Password in the ACCESS-REQUEST, connects to the remote database and executes a stored function with two arguments: the User-Name and the User-Password as plaintext.
You must therefore prepare a stored function that validates a user. Because the plaintext password is sent to the database as a function argument, protect the connection between the imRAD and the database (for example with TLS or a private network), and have the function compare the password against a stored hash rather than keeping passwords in clear.

If the ACCESS-REQUEST uses an EAP method from which the imRAD cannot recover the plaintext User-Password, PTA cannot return a correct result: the stored function needs the plaintext password, and challenge-response or certificate-based methods never send it.

If two or more PTAs are configured, the imRAD RADIUS runs each PTA's query in turn until one of them validates the user.


Edit PTA

You can add a new entity by clicking the "Add" button at the bottom right, below the PTA list. When 4 entities already exist, the "Add" button is not shown. To change or delete an entity, click the popup icon in front of it.

Item           | Required | Description
Name           | No       | Display name of the remote entity, used to distinguish it from the others.
DBMS Type      | Yes      | Choose one of the supported DBMS types.
Server address | Yes      | IP address of the database server.
Port           | Yes      | TCP port used to connect to the database.
Username       | Yes      | Database account used to connect to the database.
Password       | Yes      | Password of that database account.[2]
Database       | Yes      | For Oracle, the SID. Otherwise, the name of the database or schema in which the stored function is executed.
PTA Query      | Yes      | The query that validates a user. See "Stored Function examples" below for details.
Stored Function examples

The PTA Query must be a SELECT statement that calls the stored function and returns 'OK' when the user is valid.
Write the User-Name argument as ##SU_NAME## and the User-Password argument as ##U_PWD##; the imRAD fills these in from the ACCESS-REQUEST before running the query.

-- MySQL: a user-defined stored function test() that returns 'Y' when the User-Name and User-Password match.
SELECT 'OK' WHERE test(##SU_NAME##, ##U_PWD##) = 'Y'

-- Oracle: a user-defined stored function FNC_USER that returns 1 when the User-Name and User-Password match.
SELECT 'OK' FROM DUAL WHERE FNC_USER(##SU_NAME##, ##U_PWD##) = 1

-- MS-SQL: a user-defined stored function dbo.fnc_mssql_user that itself returns 'OK' when the User-Name and User-Password match.
SELECT dbo.fnc_mssql_user(##SU_NAME##, ##U_PWD##)
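The examples above show only the PTA Query, not the body of the stored function behind it. The following is an added example, not part of the imRAD documentation, written for PostgreSQL 12 (one of the supported DBMSs) with the pgcrypto extension; the table radius_users, the function fnc_user, the role imrad_pta and the sample row are all assumptions. It shows the two things a practitioner wants from a PTA function: the password is compared against a stored bcrypt hash instead of being kept in clear, and the database account the imRAD connects with can only execute the function, not read the hash table.

```sql
-- Added example, not imRAD's own code. Run as the database owner.
-- All table, function and role names below are assumptions.
CREATE EXTENSION IF NOT EXISTS pgcrypto;

-- Constructed sample data: passwords are stored as bcrypt hashes, never plaintext.
CREATE TABLE radius_users (
    username      text    PRIMARY KEY,
    password_hash text    NOT NULL,
    enabled       boolean NOT NULL DEFAULT true
);
INSERT INTO radius_users (username, password_hash)
VALUES ('alice', crypt('correct horse', gen_salt('bf', 12)));

-- Validation function called by the PTA query. Returns 'Y' only when the
-- account exists, is enabled and the supplied password matches the hash;
-- an unknown user yields 'N' rather than an error, so the RADIUS outcome
-- is the same as for a wrong password.
CREATE OR REPLACE FUNCTION fnc_user(p_name text, p_pwd text)
RETURNS text
LANGUAGE sql
STABLE
SECURITY DEFINER
SET search_path = public
AS $$
    SELECT CASE
             WHEN EXISTS (
               SELECT 1
                 FROM radius_users
                WHERE username = p_name
                  AND enabled
                  AND password_hash = crypt(p_pwd, password_hash)
             )
             THEN 'Y'
             ELSE 'N'
           END;
$$;

-- Least privilege: the account configured in imRAD may only execute the
-- function. It gets no grant on radius_users, so it cannot read the hashes.
CREATE ROLE imrad_pta LOGIN PASSWORD 'change-me';
REVOKE ALL ON FUNCTION fnc_user(text, text) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION fnc_user(text, text) TO imrad_pta;

-- PTA Query to enter in imRAD for this function:
--   SELECT 'OK' WHERE fnc_user(##SU_NAME##, ##U_PWD##) = 'Y'

-- Checks, run as the owner: expected results are 'Y', 'N', 'N'.
SELECT fnc_user('alice', 'correct horse');
SELECT fnc_user('alice', 'wrong');
SELECT fnc_user('nobody', 'anything');
```

The function body uses only parameter comparisons and no dynamic SQL, so the User-Name and User-Password values the imRAD passes in cannot alter the query inside it. SECURITY DEFINER with a fixed search_path lets imrad_pta run the lookup with the owner's rights without being able to query radius_users directly; if the imRAD account is ever compromised, the attacker still cannot dump the password hashes.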
Advanced
  • NAS-Identifier: If you select a NAS-Identifier, only ACCESS-REQUESTs carrying that NAS-Identifier are passed to this PTA; users who request from other NAS-Identifiers are not validated against this remote database.

References

  1. Jim Geier, Implementing 802.1X Security Solutions for Wired and Wireless Networks, Wiley, 2008.
  2. The imRAD encrypts the entered database password before storing it.