Authentication DB

RADIUS > Settings > PTA

A pass-through authentication enables the RADIUS server to confer with another entity(e.g. windows security database, oracle, and so on) to validate the user's username and password.^[1]

The imRAD directly connects to a customer database, and then executes a query to validate a user. By this setting, a user can be authenticated without migration the user information from a customer database to the imRAD database.
You can add up to 4 entities and we support the following.

* MariaDB
* MySql
* Oracle 11g ~ 19c
* Microsoft SQL Server 2014 ~ 2019
* Tibero 6
* PostgreSQL 12
* SYBASE

The imRAD decrypts the password in the ACCESS-REQUEST from a user, and then executes a stored function with two arguments after connecting a remote databgase. One argument is the User-Name and another is the User-Password decrypted as plaintext.
So, You must prepare a stored function to validate a user.

If a ACCESS-REQUEST is encrypted to a EAP method of which can not decrypt the User-Password attribute, the imRAD RADIUS can not get the correct result.

If more than 2 PTAs exist, the imRAD RADIUS executes each query until validate a user.

Edit PTA

You can add a new entity by click "Add" button at the right bottom below the PTA list. If there are 4 entities, It does not show the "Add" button. If you want to change or delete a entity, click the icon in front of each entity.

Item	Required	Description
Name	No	It is the display name of a remote entity to distinguish it from others.
DBMS Type	Yes	Choose one of them.
Server address	Yes	Input the IP address of the database.
Port	Yes	Input the port number to connect the database.
Username	Yes	Input a username to access the database.
Password	Yes	Input a password to access the database.^[2]
Database	Yes	If a DBMS is Oracle, Input a SID. Otherwise, input the name of database or schema that executes a stored function.
PTA Query	Yes	Input a query to validate a user. Please refer to the below "Stored Function examples" for details.

Stored Function examples

When a user is valid, the result must be 'OK' in a "SELECT" query which calls a stored function.
You have to input the User-Name argument as "##SU_NAME##" and the User-Password argument as "##U_PWD##"

# Using a user defined Mysql stored function that returns 'Y' when the User-Name and User-Password match.
SELECT 'OK' WHERE test(##SU_NAME##, ##U_PWD##) = 'Y'

# Using a user defined Oracle stored function(i.e. FNC_USER) that returns 1 when the User-Name and User-Password match.
SELECT 'OK' FROM DUAL WHERE FNC_USER(##SU_NAME##, ##U_PWD##) = 1

# Using a user defined MS-SQL stored function that returns 'OK' when the User-Name and User-Password match.
SELECT dbo.fnc_mssql_user(##SU_NAME##, ##U_PWD##)

Advanced

NAS-Identifier: If you choose a NAS-Identifier, a ACCESS-REQUEST only from the NAS-Identifier passes to this PTA. In other words, It does not refer to the remote database to validate users who request from other NAS-Identifiers.

↑ Jim Geier, Implementing 802.1X Security Solutions for Wired and Wireless Networks
↑ The imRAD strongly encrypts the input password and save it.

[1] Jim Geier, Implementing 802.1X Security Solutions for Wired and Wireless Networks

[2] The imRAD strongly encrypts the input password and save it.

[1]

[2]