ClearBox Enterprise Server™ 2.0. User's Guide

Authorization

Authorization is the process of establishing what a user can do, i.e. of granting or denying a user access to network resources once the user has been authenticated. The RADIUS protocol does not separate authorization from authentication and uses a single authentication request-response transaction for both, but ClearBox Server treats them as logically distinct and lets you implement authorization as an independent part of packet processing.

In the RADIUS protocol, when an authentication request occurs, the NAS also sends a set of parameters (attribute/value pairs) describing the user's login type and requested services. The RADIUS server may analyze these attributes and decide whether to authorize the user. If it does, the server can include in its reply another attribute set to be applied to the user who is logging in (for example, a static IP address, the address of the DNS servers, etc.). Finally, the NAS may decide whether this set is suitable for that user and then continue or abort the session.

ClearBox Server divides the RADIUS authorization process into three independent parts.

Reject Lists

This feature automatically rejects authentication requests that contain a certain attribute. If any attribute from the Reject list is present in the packet, an Access-Reject response is sent back to the client. For example, Calling-Station-ID can be used to block users who dial in from a particular phone number.

Check Lists

The Check list is a list of attributes that must accompany the request for connection. The NAS must send attributes that match the Check list assigned to a user; otherwise, ClearBox Server will reject the user even if he has been authenticated.

By including appropriate attributes in the Check list, a variety of rules could be enforced. Only certain users might be permitted to use ISDN connections, or dial in to a particular NAS. Or, Caller ID could be used to validate a user against a list of legal originating phone numbers.

Response Lists

The Response list is a list of attributes that ClearBox Server must return to the NAS once authorization succeeds. The Response list usually provides additional parameters that the NAS needs to complete the connection, typically as part of PPP negotiations.

By including appropriate attributes in the Response list, a variety of connection policies could be applied. Specific users could be assigned particular IP addresses or IPX network numbers, IP header compression could be turned on or off, or a time limit could be assigned to the connection.
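
The three lists described above can be modelled as one decision function. This is an added example, not ClearBox Server code: the `Policy` structure, the evaluation order (Reject, then Check, then Response), exact-value matching, and all sample values are assumptions made for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Policy:
    # Hypothetical structure for the three lists assigned to a user or realm.
    reject: dict = field(default_factory=dict)    # attr -> set of blocked values
    check: dict = field(default_factory=dict)     # attr -> set of permitted values
    response: dict = field(default_factory=dict)  # attr -> value returned to the NAS


def authorize(request: dict, policy: Policy, authenticated: bool):
    """Return (packet_type, reply_attributes) for one Access-Request.

    `request` maps an attribute name to the list of values sent by the NAS.
    """
    if not authenticated:
        return "Access-Reject", {}
    # Reject list: any listed attribute/value present in the packet rejects.
    for attr, blocked in policy.reject.items():
        if any(v in blocked for v in request.get(attr, [])):
            return "Access-Reject", {}
    # Check list: every listed attribute must be present with a permitted
    # value; a missing attribute fails closed instead of being skipped.
    for attr, allowed in policy.check.items():
        values = request.get(attr, [])
        if not values or not all(v in allowed for v in values):
            return "Access-Reject", {}
    # Response list: returned to the NAS only when authorization succeeds.
    return "Access-Accept", dict(policy.response)


# Constructed sample policy and requests (documentation addresses and numbers).
POLICY = Policy(
    reject={"Calling-Station-Id": {"5550100"}},
    check={"NAS-Port-Type": {"ISDN Sync"}, "NAS-IP-Address": {"192.0.2.10"}},
    response={"Framed-IP-Address": "198.51.100.25", "Session-Timeout": 3600},
)
GOOD = {"Calling-Station-Id": ["5550123"], "NAS-Port-Type": ["ISDN Sync"],
        "NAS-IP-Address": ["192.0.2.10"]}
BLOCKED = dict(GOOD, **{"Calling-Station-Id": ["5550100"]})
NO_PORT_TYPE = {k: v for k, v in GOOD.items() if k != "NAS-Port-Type"}

if __name__ == "__main__":
    for name, req in [("good", GOOD), ("blocked", BLOCKED), ("missing", NO_PORT_TYPE)]:
        print(name, authorize(req, POLICY, authenticated=True))
```

The `NO_PORT_TYPE` case shows why the Check list has to treat an absent attribute as a failure: a NAS that omits the attribute would otherwise bypass the rule.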

Read more about RADIUS attributes and their properties.

See how to set authorization settings with ClearBox.


© 2001-2007 XPerience Technologies. www.xperiencetech.com