EditDiscussionPage history

Difference between revisions of "Authentication DB"

 
(20 intermediate revisions by the same user not shown)
Line 1: Line 1:
 
__FORCETOC__
 
__FORCETOC__
=== RADIUS > 설정 > 외부 데이터베이스 인증 ===
+
=== RADIUS > Settings > Authentication DB ===
 +
The authentication DB(Database) that stores user authentication information (User-Name / User-Password) consists of an internal database (local) within the imRAD N1 system and a customer database (external). When a user authentication request is received, the system checks the authentication locally in the database, and if the user is not found, it proceeds to authenticate against the external database.
  
imRAD 내부 데이터베이스에 존재하는 사용자 계정이 아닌 고객 데이터베이스 통해 인증을 처리하기 위한 기능으로 RADIUS 클라이언트(스마트폰, 테블릿, 노트북, PC 등)에서 입력한 User-Name과 User-Password가 올바른지를 외부 데이터베이스에 쿼리(Query)를 실행 해 그 결과를 확인합니다.<br>
+
==== Local Database ====
이 기능을 이용하면 고객사에 이미 구축되어있는 내부 데이터베이스를 이용하므로 별도로 사용자를 imRAD에 등록하지 않아도 고객사 내부 구성원에 대한 인증을 처리 할 수 있습니다.<ref>지원되는 DBMS 종류는 [[RADIUS 개요]]를 참고하세요.</ref><br>
+
This is the information for radiusd (RADIUS daemon service) to connect to the local database, and there is no need to modify it as it will change automatically when redundancy is configured. If the connection to the local database fails, you can store the password again and click the 'Connection Test' button to verify.<br>
외부 데이터베이스는 최대 4개까지 등록 할 수 있으며 2개 이상의 외부 데이터베이스가 등록되면 요청된 User-Name은 그 정보가 맞을때까지 모든 등록된 데이터베이스에 접속해 확인합니다.
+
[[File:스크린샷 2023-08-09 오후 2.04.13.png|600px]]
  
==== 외부 데이터베이스 인증 추가 ====
+
 
외부 데이터베이스 인증 목록 하단의 "추가" 버튼을 클릭하여 외부 데이터베이스 정보를 등록 할 수 있습니다.<br>
+
==== External Database ====
이 기능을 사용하려면 User-Name과 User-Password가 올바른지를 처리할 수 있는 Stored Function(권장) 혹은 View Table이 준비되어 있어야 합니다. Password는 복호화된 plaintext입니다.
+
The imRAD N1 can directly connect to a customer database, and then executes a query to authenticate users.
 +
By this setting, users can be authenticated without migration all user information from a customer database to the imRAD N1 database.<br>
 +
You can add up to 4 entities and we support the following.
 +
<pre>
 +
* MariaDB
 +
* MySql
 +
* Oracle 11g ~ 19c
 +
* Microsoft SQL Server 2014 ~ 2019
 +
* Tibero 6
 +
* PostgreSQL 12
 +
* SYBASE
 +
</pre>
 +
 
 +
The imRAD decrypts the password in the ACCESS-REQUEST from a user, and then executes a stored function with two arguments after connecting a remote databgase.
 +
One argument is the User-Name and another is the User-Password decrypted as plaintext.<br>
 +
So, You must prepare a stored function to validate a user.
 +
 
 +
If an ACCESS-REQUEST is encrypted to an [[RADIUS Authentication testing | EAP method ]] of which can not decrypt the User-Password attribute, the imRAD RADIUS can not get the correct result.
 +
Therefore, for Android devices, 'Phase-2 Authentication' must use 'GTC' (General Token Card) authentication method. (MAC OS defaults to GTC.)
 +
 
 +
If more than 2 external databases exist, the imRAD RADIUS executes each query until authenticate a user.
 +
{{note|When an external database is added, the connection status will automatically change within 1 minute.}}
 +
 
 +
=====Edit Database connection attributes =====
 +
You can add a new entity by click "Add" button at the right bottom below the list. If there are 4 entities, It does not show the "Add" button. If you want to change or delete an entity, click the [[File:popup.png]] icon in front of each entity.
 
{| class="wikitable"
 
{| class="wikitable"
! 이름 !! 필수 !! 설명
+
! Item!! Required !! Description
 
|-
 
|-
| 이름 || 아니오 || 표시되는 이름입니다.
+
| style='width:150px' | Name || No || It is the display name of a remote entity to distinguish it from others.
 
|-
 
|-
| DBMS 종류 || || DBMS를 선택하세요.
+
| DBMS Type || Yes || Choose one of them.
 
|-
 
|-
| 서버 주소 || || 데이터베이스 서버 IP 주소를 입력하세요.
+
| Server address || Yes || Input the IP address of the database.
 
|-
 
|-
| 포트 || || 데이터베이스 연결 포트를 입력하세요.
+
| Port || Yes || Input the port number to connect the database.
 
|-
 
|-
| 사용자 아이디 || || 데이터베이스 연결 ID를 입력하세요.
+
| Username || Yes || Input a username to access the database.
 
|-
 
|-
| 비밀번호 || || 데이터베이스 연결 비밀번호를 입력하세요.<ref>imRAD에 저장될때 암호화되어 저장됩니다.</ref>
+
| Password || Yes || Input a password to access the database.<ref>The imRAD strongly encrypts the input password and save it.</ref>
 
|-
 
|-
| 데이터베이스 또는 SID || || DBMS가 Oracle인 경우 SID를 입력하시고 나머지는 기본 데이터베이스 혹은 대상 데이터베이스를 입력하세요.
+
| Database || Yes || If a DBMS is Oracle, Input a SID. Otherwise, input the name of database or schema that executes a stored function.
 
|-
 
|-
| 외부 DB 쿼리 || || User-Name과 Password를 확인 할 쿼리(Query)를 입력하세요.<br>쿼리 생성 방법은 아래 "외부 DB 쿼리"를 참고하세요.
+
| Query  || Yes || Input a query to validate a user. Please refer to the below "Stored Function examples" for details.
 
|-
 
|-
 
|}
 
|}
  
===== Stored Function을 이용한 외부 DB 쿼리 =====
+
===== Stored Function examples =====
결과가 올바른 경우 반드시 ''''OK''''를 반환 할 수 있도록 SELECT 구분을 사용하거니 Stored Function 내부에서 User-Name과 User-Password에 일치하는 레코드가 존재하면 'OK'를 반환하게 정의하세요.<br>
+
When a user is valid, the result must be ''''OK'''' in a "SELECT" query which calls a stored function.<br>
User-Name은 '''##SU_NAME##'''로 입력하고 User-Password는 '''##U_PWD##'''로 입력하세요.
+
You have to input the User-Name argument as "'''##SU_NAME##'''" and the User-Password argument as "'''##U_PWD##'''"
 
<pre>
 
<pre>
# mysql의 stored function인 test는 User-Name과 User-Password에 일치하는 레코드가 존재하면 'Y'를 반환
+
# Using a user defined Mysql stored function that returns 'Y' when the User-Name and User-Password match.
 
SELECT 'OK' WHERE test(##SU_NAME##, ##U_PWD##) = 'Y'
 
SELECT 'OK' WHERE test(##SU_NAME##, ##U_PWD##) = 'Y'
  
# oracle의 stored function인 FNC_USER는 User-Name과 User-Password에 일치하는 레코드가 존재하면 1을 반환
+
# Using a user defined Oracle stored function(i.e. FNC_USER) that returns 1 when the User-Name and User-Password match.
 
SELECT 'OK' FROM DUAL WHERE FNC_USER(##SU_NAME##, ##U_PWD##) = 1
 
SELECT 'OK' FROM DUAL WHERE FNC_USER(##SU_NAME##, ##U_PWD##) = 1
  
# mssql의 stored function인 fnc_mssql_user는 User-Name과 User-Password에 일치하는 레코드가 존재하면 'OK'를 반환
+
# Using a user defined MS-SQL stored function that returns 'OK' when the User-Name and User-Password match.
 
SELECT dbo.fnc_mssql_user(##SU_NAME##, ##U_PWD##)
 
SELECT dbo.fnc_mssql_user(##SU_NAME##, ##U_PWD##)
 
</pre>
 
</pre>
  
===== NAS-ID(무선랜 SSID) 기반 인증 허용 =====
+
===== Advanced =====
외부 데이터베이스를 통한 인증을 특정 NAS-ID(무선랜 SSID)에 연결된 사용자만 허용하게 하려면 외부 데이터베이스 인증 등록 혹은 상세 정보 화면 하단의 고급을 클릭 하신 후 [[NAS Identifier|NAS-Identifier]]를 선택하면 해당 [[NAS Identifier|NAS-ID]]로 연결된 사용자만 외부 데이터베이스 인증을 시도 할 수 있습니다.
+
* NAS-Identifier: If you choose a NAS-Identifier, an ACCESS-REQUEST only from the [[NAS Identifier | NAS-Identifier]] passes to this PTA. In other words, It does not refer to the remote database to validate users who requested from other NAS-Identifiers.
  
<br><hr>
+
=== References ===

Latest revision as of 14:23, 9 August 2023

RADIUS > Settings > Authentication DB

The authentication DB(Database) that stores user authentication information (User-Name / User-Password) consists of an internal database (local) within the imRAD N1 system and a customer database (external). When a user authentication request is received, the system checks the authentication locally in the database, and if the user is not found, it proceeds to authenticate against the external database.

Local Database

This is the information for radiusd (RADIUS daemon service) to connect to the local database, and there is no need to modify it as it will change automatically when redundancy is configured. If the connection to the local database fails, you can store the password again and click the 'Connection Test' button to verify.
스크린샷 2023-08-09 오후 2.04.13.png


External Database

The imRAD N1 can directly connect to a customer database, and then executes a query to authenticate users. By this setting, users can be authenticated without migration all user information from a customer database to the imRAD N1 database.
You can add up to 4 entities and we support the following. 

* MariaDB
* MySql
* Oracle 11g ~ 19c
* Microsoft SQL Server 2014 ~ 2019
* Tibero 6
* PostgreSQL 12
* SYBASE

The imRAD decrypts the password in the ACCESS-REQUEST from a user, and then executes a stored function with two arguments after connecting a remote databgase. One argument is the User-Name and another is the User-Password decrypted as plaintext.
So, You must prepare a stored function to validate a user.

If an ACCESS-REQUEST is encrypted to an EAP method of which can not decrypt the User-Password attribute, the imRAD RADIUS can not get the correct result. Therefore, for Android devices, 'Phase-2 Authentication' must use 'GTC' (General Token Card) authentication method. (MAC OS defaults to GTC.)

If more than 2 external databases exist, the imRAD RADIUS executes each query until authenticate a user.

When an external database is added, the connection status will automatically change within 1 minute.

Edit Database connection attributes

You can add a new entity by click "Add" button at the right bottom below the list. If there are 4 entities, It does not show the "Add" button. If you want to change or delete an entity, click the Popup.png icon in front of each entity.

Item Required Description
Name No It is the display name of a remote entity to distinguish it from others.
DBMS Type Yes Choose one of them.
Server address Yes Input the IP address of the database.
Port Yes Input the port number to connect the database.
Username Yes Input a username to access the database.
Password Yes Input a password to access the database.[1]
Database Yes If a DBMS is Oracle, Input a SID. Otherwise, input the name of database or schema that executes a stored function.
Query Yes Input a query to validate a user. Please refer to the below "Stored Function examples" for details.
Stored Function examples

When a user is valid, the result must be 'OK' in a "SELECT" query which calls a stored function.
You have to input the User-Name argument as "##SU_NAME##" and the User-Password argument as "##U_PWD##" 

# Using a user defined Mysql stored function that returns 'Y' when the User-Name and User-Password match.
SELECT 'OK' WHERE test(##SU_NAME##, ##U_PWD##) = 'Y'

# Using a user defined Oracle stored function(i.e. FNC_USER) that returns 1 when the User-Name and User-Password match.
SELECT 'OK' FROM DUAL WHERE FNC_USER(##SU_NAME##, ##U_PWD##) = 1

# Using a user defined MS-SQL stored function that returns 'OK' when the User-Name and User-Password match.
SELECT dbo.fnc_mssql_user(##SU_NAME##, ##U_PWD##)
Advanced
  • NAS-Identifier: If you choose a NAS-Identifier, an ACCESS-REQUEST only from the NAS-Identifier passes to this PTA. In other words, It does not refer to the remote database to validate users who requested from other NAS-Identifiers.

References

  1. The imRAD strongly encrypts the input password and save it.