m (Shin moved page Authentication Database to Authentication DB) |
|||
| Line 4: | Line 4: | ||
==== Local Database ==== | ==== Local Database ==== | ||
| − | This is the information for radiusd (RADIUS daemon service) to connect to the local database, and there is no need to modify it as it will change automatically when redundancy is configured. If the connection to the local database fails, you can store the password again and click the 'Connection Test' button to verify. | + | This is the information for radiusd (RADIUS daemon service) to connect to the local database, and there is no need to modify it as it will change automatically when redundancy is configured. If the connection to the local database fails, you can store the password again and click the 'Connection Test' button to verify.<br> |
| + | [[File:스크린샷 2023-08-09 오후 2.04.13.png|600px]] | ||
| + | |||
==== External Database ==== | ==== External Database ==== | ||
| − | + | The imRAD N1 can directly connect to a customer database, and then executes a query to authenticate users. | |
| − | + | By this setting, users can be authenticated without migration all user information from a customer database to the imRAD N1 database.<br> | |
| − | The imRAD directly | ||
| − | By this setting, | ||
You can add up to 4 entities and we support the following. | You can add up to 4 entities and we support the following. | ||
<pre> | <pre> | ||
| Line 27: | Line 27: | ||
If an ACCESS-REQUEST is encrypted to an [[RADIUS Authentication testing | EAP method ]] of which can not decrypt the User-Password attribute, the imRAD RADIUS can not get the correct result. | If an ACCESS-REQUEST is encrypted to an [[RADIUS Authentication testing | EAP method ]] of which can not decrypt the User-Password attribute, the imRAD RADIUS can not get the correct result. | ||
| + | Therefore, for Android devices, 'Phase-2 Authentication' must use 'GTC' (General Token Card) authentication method. (MAC OS defaults to GTC.) | ||
| − | If more than 2 | + | If more than 2 external databases exist, the imRAD RADIUS executes each query until authenticate a user. |
| − | + | {{note|When an external database is added, the connection status will automatically change within 1 minute.}} | |
| − | ==== Edit | + | =====Edit Database connection attributes ===== |
| − | You can add a new entity by click "Add" button at the right bottom below the | + | You can add a new entity by click "Add" button at the right bottom below the list. If there are 4 entities, It does not show the "Add" button. If you want to change or delete an entity, click the [[File:popup.png]] icon in front of each entity. |
{| class="wikitable" | {| class="wikitable" | ||
! Item!! Required !! Description | ! Item!! Required !! Description | ||
Revision as of 14:14, 9 August 2023
RADIUS > Settings > Authentication Database
The authentication database that stores user authentication information (User-Name / User-Password) consists of an internal database (local) within the imRAD N1 system and a customer database (external). When a user authentication request is received, the system checks the authentication locally in the database, and if the user is not found, it proceeds to authenticate against the external database.
Local Database
This is the information for radiusd (RADIUS daemon service) to connect to the local database, and there is no need to modify it as it will change automatically when redundancy is configured. If the connection to the local database fails, you can store the password again and click the 'Connection Test' button to verify.
External Database
The imRAD N1 can directly connect to a customer database, and then executes a query to authenticate users.
By this setting, users can be authenticated without migration all user information from a customer database to the imRAD N1 database.
You can add up to 4 entities and we support the following.
* MariaDB * MySql * Oracle 11g ~ 19c * Microsoft SQL Server 2014 ~ 2019 * Tibero 6 * PostgreSQL 12 * SYBASE
The imRAD decrypts the password in the ACCESS-REQUEST from a user, and then executes a stored function with two arguments after connecting a remote databgase.
One argument is the User-Name and another is the User-Password decrypted as plaintext.
So, You must prepare a stored function to validate a user.
If an ACCESS-REQUEST is encrypted to an EAP method of which can not decrypt the User-Password attribute, the imRAD RADIUS can not get the correct result. Therefore, for Android devices, 'Phase-2 Authentication' must use 'GTC' (General Token Card) authentication method. (MAC OS defaults to GTC.)
If more than 2 external databases exist, the imRAD RADIUS executes each query until authenticate a user.
When an external database is added, the connection status will automatically change within 1 minute.
Edit Database connection attributes
You can add a new entity by click "Add" button at the right bottom below the list. If there are 4 entities, It does not show the "Add" button. If you want to change or delete an entity, click the 
icon in front of each entity.
| Item | Required | Description |
|---|---|---|
| Name | No | It is the display name of a remote entity to distinguish it from others. |
| DBMS Type | Yes | Choose one of them. |
| Server address | Yes | Input the IP address of the database. |
| Port | Yes | Input the port number to connect the database. |
| Username | Yes | Input a username to access the database. |
| Password | Yes | Input a password to access the database.[1] |
| Database | Yes | If a DBMS is Oracle, Input a SID. Otherwise, input the name of database or schema that executes a stored function. |
| PTA Query | Yes | Input a query to validate a user. Please refer to the below "Stored Function examples" for details. |
Stored Function examples
When a user is valid, the result must be 'OK' in a "SELECT" query which calls a stored function.
You have to input the User-Name argument as "##SU_NAME##" and the User-Password argument as "##U_PWD##"
# Using a user defined Mysql stored function that returns 'Y' when the User-Name and User-Password match. SELECT 'OK' WHERE test(##SU_NAME##, ##U_PWD##) = 'Y' # Using a user defined Oracle stored function(i.e. FNC_USER) that returns 1 when the User-Name and User-Password match. SELECT 'OK' FROM DUAL WHERE FNC_USER(##SU_NAME##, ##U_PWD##) = 1 # Using a user defined MS-SQL stored function that returns 'OK' when the User-Name and User-Password match. SELECT dbo.fnc_mssql_user(##SU_NAME##, ##U_PWD##)
Advanced
- NAS-Identifier: If you choose a NAS-Identifier, an ACCESS-REQUEST only from the NAS-Identifier passes to this PTA. In other words, It does not refer to the remote database to validate users who requested from other NAS-Identifiers.
References
- ↑ The imRAD strongly encrypts the input password and save it.