Overview of SQL Authentication
Steel-Belted Radius Carrier can authenticate against records stored in an external SQL database. Any RADIUS attributes, such as username and password, can be used to query the database.
External database authentication is typically used when an organization already has a large amount of user information stored in a SQL database, and this information is to be used to authenticate these users using RADIUS. Authentication against an existing database extends authentication services to user accounts without requiring an administrator to enter user information into the Steel-Belted Radius Carrier database.
Steel-Belted Radius Carrier offers the SQL authentication feature as a plug-in software module. Key features of the SQL plug-in include:
The SQL statement is completely user-specified, enabling support for existing tables with existing field names and formats.
The SQL statement supports a wide range of arithmetic and string expressions as part of the statement.
The SQL statement is parameterized, so it is compiled once, and each execution uses variable data without need for recompilation.
Multiple authentications may be overlapped at the same time.
The SQL authentication method, which appears in the Authentication Methods page in Web GUI, can be activated/deactivated and ordered with respect to other authentication methods.
Multiple instances of the SQL authentication module can operate simultaneously, enabling authentication to multiple databases.
If the database connection drops, it is automatically reestablished after a configurable timeout without Steel-Belted Radius Carrier being restarted.
Data from the database can be returned as attributes in the Access-Accept message.
Although Steel-Belted Radius Carrier does its best to provide uniformity in the operation of databases from different vendors, differences occur, particularly in the way SQL statements are interpreted. The capabilities of the SQL authentication module depend on the capabilities of the underlying databases and their clients; things that work with one database may not work with another.
SQL Authentication Process
SQL Authentication Process
Any RADIUS attribute (or Steel-Belted Radius Carrier request variable) from the request can be used in an SQL SELECT statement. Any return list attribute (that is, a Steel-Belted Radius Carrier response variable) can be retrieved from a SQL database and returned in a RADIUS access response message. See Figure 189.
A stored procedure is a sequence of SQL statements that form a logical unit and perform a particular task. You can use stored procedures to encapsulate a set of queries or operations that can be executed repeatedly on a database server. For example, you can code operations on an employee database, such as password lookup, as stored procedures that can be executed by application code.
Stored procedures can be compiled and executed with different parameters and results. Stored procedures can use any combination of input parameters (the values passed to the stored procedure at execution time) and output parameters (the values set or returned by the stored procedure to the calling application or environment).
You can write stored procedures for SQL that communicate with Steel-Belted Radius Carrier via input and output parameters to implement custom functions. Stored procedures let you use server-side processing on the SQL server to manipulate the information specified by variables. How you use these stored procedures depends on details specific to the implementation of SQL that you are using.
Do not configure a stored procedure to call the same attribute more than once. Doing so may cause Steel-Belted Radius Carrier to fail.
For information about using stored procedures with the Oracle SQL database, see Working with Stored Procedures in Oracle. For information about using stored procedures with the Microsoft SQL database, see Working with Stored Procedures in MS-SQL.
Steel-Belted Radius Carrier may encounter serious problems if the connection between Oracle and Steel-Belted Radius Carrier becomes unstable. The most common reasons for a connection becoming unstable are:
Slow or unreliable network response times
Interruptions in connectivity caused by intervening network devices, such as a firewall timing out the connection
To prevent connectivity problems, consider implementation of one of the following solutions:
To minimize problems caused by intervening firewalls, configure your firewall to pass traffic on the Oracle communications ports between the Steel-Belted Radius Carrier server and the Oracle server without restriction.
To minimize network latency and firewall-related problems, move the Steel-Belted Radius Carrier server to the same network segment as the Oracle server.
If moving your Steel-Belted Radius Carrier server is not feasible, locate a second Steel-Belted Radius Carrier server on the same network segment as your Oracle server, and configure your current Steel-Belted Radius Carrier server to proxy all authentication requests to this new device. This configuration enables you to open RADIUS ports on the firewall only for the Steel-Belted Radius Carrier server (instead of opening RADIUS ports for all network access servers). Because proxy functions in Steel-Belted Radius Carrier do not require an uninterrupted connection to process requests, this solution enables you to retain your current firewall timeout settings.