Realm Authentication Settings
In this dialog you may define how a user name should be authenticated.
Ignore user name and password. Check this option to instruct
the server to skip user authentication.
Maximum number of concurrent sessions. Setting this value to a
number greater than 0 makes ClearBox server check that the current number
of connections a user has established to a NAS does not exceed this threshold.
This value applies to every user authenticated within this realm. A valid
State server ID must be selected. If the number is zero, this
check is not performed.
State server ID. Select a configured state
server from the list to specify where ClearBox should take the information
about the number of connections established by a user.
Allowed Protocols. Click the button to select which of the authentication
protocols supported by ClearBox server (currently PAP,
CHAP, MS-CHAP, MS-CHAP2, ARAP and EAP-MD5) are allowed to authenticate
a user in this realm. If a method is denied, the user is rejected even though
his password may be correct.
Authenticate against remote RADIUS servers. Select this authentication
method to turn ClearBox into a RADIUS proxy server and make it forward
authentication requests to another, remote RADIUS server.
Click the "+" button to add a server from the list of
RADIUS servers.
Click "-" to remove a server from the list.
Note that ClearBox doesn't send a request to all the servers from the
list simultaneously; rather, it uses them in turn, moving on to the next one
when the current remote server has failed to reply appropriately several times.
Authenticate against Windows NT/2000 database or Active Directory.
Select it if your user accounts are already stored in a Windows domain,
on a workstation or in Windows Active Directory. ClearBox can authenticate users
against Windows domains, groups and workstations.
Domain. Specify the domain name or workstation name against which
a user should be authenticated.
Check group membership. Check this option to make the server
check whether a user is a member of the group specified in Group name.
ClearBox can check local workstation groups as well as local and global domain
groups.
Group name. Type the group name in this box.
Server name. Specifies the machine name where the members of the
specified group are stored.
- Leave this box empty if you don't need to check group membership or
if the target group is located on the local machine where ClearBox is
installed.
- Input the domain controller name here if you need to check membership of a
domain group.
- Input a workstation name here if you need to check membership of one of its
local groups.
Select the Global group or Local group option depending on
what type of group should be checked.
Check if account is disabled. Check this option to verify whether
a user account is enabled or disabled.
Check if account has expired. Select this option to enable account
expiration check.
Check dial-in permission. Check this option if ClearBox should
verify that "Dial-in permission" is turned on in the user profile.
Check against allowed logon hours. A user profile may contain
information on the hours during which dial-in activity is allowed. Check this option
to restrict access time to these hours.
Authenticate against SQL database. Choose this option to authenticate
users against an external SQL-compliant database. ClearBox can use any
existing database structure, so no database redesign is needed.
Data source ID. Select one of the data sources you've configured
from the list.
Case sensitive password. Check this option if you use the Password
selection query (see below) and need to perform a case-sensitive
check of user passwords. This applies to PAP passwords only; all other
passwords are always case-sensitive.
Password selection query. Input here the SQL query that retrieves the
user password. This query should return either no rows or exactly one row
consisting of one string field with the user password.
You may use the following special keys in the query to substitute the
user name and realm from the request packet:
$u, $r, $c, $n, $s (see their meaning here).
For example, if you configure the query <SELECT Password FROM
Users WHERE Username='$u' AND CurrentBallance>0 AND UserRealm='$r'>
in the realm 'MySuperRealm', then on reception of an access request with
user name 'john' it is executed as <SELECT Password FROM Users
WHERE Username='john' AND CurrentBallance>0 AND UserRealm='MySuperRealm'>.
If no password is returned by the query, or it doesn't match the password
in the request, user authentication is rejected.
Password check query. You may prefer to use another type of
query to check the user's password. While the previously described query
returns the password, this query checks it, since the password is passed into the query.
Besides the special keys $u, $r, $c, $n and $s, you can use $p to
substitute the password from the request into the query. The advantage
of this type of query is that you may use stored procedures. The query
should return no rows to reject authentication, or one row consisting
of exactly one numeric value: if it is 0 (zero), authentication is
rejected; otherwise it is accepted. For example: <SELECT 1 FROM Users
WHERE Username='$u' AND Password='$p' AND Enabled=true AND (MaxCurrentSessions=0
OR MaxCurrentSessions<$s) >. Note that this type of query
can be used for PAP passwords only, as only then is the password available
as cleartext.
Important Note. Only one of these queries is used by ClearBox
Server to authenticate a request. The Password selection query is
required to authenticate with CHAP, MS-CHAP,
MS-CHAP2 and EAP-MD5, while either query may be used for
PAP. If both of them are non-empty, the first one, Password
selection query, is used for PAP requests.
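The two query types above differ in how the result is interpreted. The following added example (not ClearBox code) models both against a constructed SQLite table with the columns used in the page's sample queries: the key substitution, the "no rows or one row" rule for the selection query with the case-sensitivity option, and the "no rows or numeric 0 rejects" rule for the check query. Doubling of single quotes inside substituted values is an assumption of this example; the page does not describe how ClearBox handles them.

```python
import sqlite3

# Constructed sample data mirroring the columns used in the page's example queries.
SCHEMA = ("CREATE TABLE Users (Username TEXT, Password TEXT, CurrentBallance INTEGER, "
          "UserRealm TEXT, Enabled INTEGER)")
ROWS = [("john", "S3cret", 10, "MySuperRealm", 1),
        ("mary", "hunter2", 0, "MySuperRealm", 1),   # balance exhausted
        ("bob", "pass", 5, "MySuperRealm", 0)]       # account disabled

SELECTION_QUERY = ("SELECT Password FROM Users WHERE Username='$u' "
                   "AND CurrentBallance>0 AND UserRealm='$r'")
CHECK_QUERY = ("SELECT 1 FROM Users WHERE Username='$u' AND Password='$p' "
               "AND Enabled=1")

def expand(template, user, realm, password=None):
    """Substitute the $u/$r/$p keys as text, the way the page describes.
    Single quotes in values are doubled so they stay inside the SQL string
    literal (assumption of this example, not documented behaviour)."""
    q = lambda v: v.replace("'", "''")
    out = template.replace("$u", q(user)).replace("$r", q(realm))
    return out.replace("$p", q(password)) if password is not None else out

def run(sql):
    """Execute the expanded query against the constructed in-memory table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO Users VALUES (?,?,?,?,?)", ROWS)
    return conn.execute(sql).fetchall()

def auth_by_selection(user, realm, password, case_sensitive=False):
    """Password selection query: zero rows, or one row with one string field.
    The returned password is compared with the one in the request."""
    rows = run(expand(SELECTION_QUERY, user, realm))
    if len(rows) != 1 or len(rows[0]) != 1:
        return False                      # no password returned: reject
    stored = rows[0][0]
    if case_sensitive:                    # option affects PAP passwords only
        return stored == password
    return stored.lower() == password.lower()

def auth_by_check(user, realm, password):
    """Password check query ($p available, PAP only): no rows or a single
    numeric 0 rejects; any other single numeric value accepts."""
    rows = run(expand(CHECK_QUERY, user, realm, password))
    if len(rows) != 1 or len(rows[0]) != 1:
        return False
    return rows[0][0] != 0
```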
Click 'Apply Changes' when you have configured the realm authentication
settings and need to save them.
© 2001-2004 XPerience Technologies. www.xperiencetech.com