ClearBox Enterprise Server 2.0 Online Manual
ClearBox Enterprise Server™ 2.0. User's Guide

ClearBox Enterprise Server Features and Benefits:

Speed and Performance
ClearBox Server is a 32-bit multithreaded application written in C++ with low CPU and memory usage. It provides excellent performance and reliability on all Windows NT platforms and makes use of your multi-processor hardware.

Compatibility
ClearBox is fully compatible with all relevant RADIUS RFCs (2865, 2866, 2869, 3579, 3580). It supports all types of RADIUS attributes, including Vendor-Specific Attributes with non-standard attribute ID or length fields, subfields, and more (RFCs 2548, 2867, 2868, 2869, 3162, 4679). This means that ClearBox and your network equipment will always speak the same language: RADIUS.

Unlimited Multiple Realms.
This feature lets ClearBox Server combine authentication, authorization and accounting functions in any combination, based on the rules you define. Each realm has an independent configuration and its own user database. ClearBox selects the proper realm, that is, the instructions on how to authenticate a user or where to log his accounting data, from a rich set of rules:

  • When a user name consists of two parts: a real user name combined with a domain name (e.g. richard@somedomain). ClearBox lets you define the expected format of such a user name, such as the separator symbol and the suffix/prefix form, and can strip the domain name from the user name.
  • When a request is received from a specific client. You may configure several clients if their requests should be handled by the server in the same way, i.e. within one realm.
  • When a set of attributes matches a list of defined conditions (such as attribute presence, absence, equality, etc.). This provides flexible realm selection. Suppose you need to handle packets differently depending on the DNIS carried in Called-Station-ID: you can configure realm rules so that requests differing in a single attribute value are handled by different realms.
  • A realm can be selected by a dynamic SQL statement.
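As an added illustration of the first three rule kinds above (the dynamic SQL rule is not modelled), here is a small realm selector in Python. It is example code written for this page, not ClearBox's own code; the RealmRule structure, the sample rules, the regular-expression conditions and the client addresses are constructed assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Realm-selection rules modelled on the rule kinds described above.
# The rule structure and all sample values are constructed for this example;
# they are not ClearBox's configuration format.


@dataclass
class RealmRule:
    name: str
    domain: Optional[str] = None                          # match when the parsed domain equals this
    clients: set = field(default_factory=set)             # ... and/or when the NAS address is in this set
    attr_conditions: dict = field(default_factory=dict)   # attribute -> regex, or None for "must be absent"
    strip_domain: bool = True                             # hand the bare user name to the realm


def split_user_name(user_name: str, separator: str = "@", form: str = "suffix"):
    """Split a user name into (user, domain).

    form="suffix": richard@somedomain  -> ("richard", "somedomain")
    form="prefix": somedomain\\richard -> ("richard", "somedomain")
    A name without the separator yields (name, None).
    """
    if separator not in user_name:
        return user_name, None
    if form == "suffix":
        user, _, domain = user_name.rpartition(separator)
    elif form == "prefix":
        domain, _, user = user_name.partition(separator)
    else:
        raise ValueError(f"unknown user name form: {form!r}")
    return user, domain


def attributes_match(attrs: dict, conditions: dict) -> bool:
    """Every condition must hold: absent when the pattern is None, else present and fully matching."""
    for name, pattern in conditions.items():
        if pattern is None:
            if name in attrs:
                return False
        elif name not in attrs or not re.fullmatch(pattern, str(attrs[name])):
            return False
    return True


def select_realm(attrs: dict, client_ip: str, rules, separator: str = "@", form: str = "suffix"):
    """Return (realm name, user name to authenticate) for the first rule whose criteria all hold.

    Rules are evaluated top to bottom; a rule with no criteria acts as a catch-all.
    """
    original = attrs.get("User-Name", "")
    user, domain = split_user_name(original, separator, form)
    for rule in rules:
        if rule.domain is not None and domain != rule.domain:
            continue
        if rule.clients and client_ip not in rule.clients:
            continue
        if not attributes_match(attrs, rule.attr_conditions):
            continue
        effective = user if (rule.strip_domain and domain is not None) else original
        return rule.name, effective
    return None, original


# Constructed sample rule set: a roaming partner's domain, a toll-free DNIS,
# one trusted NAS, and a catch-all that leaves unknown domains untouched.
RULES = [
    RealmRule("partner-roaming", domain="somedomain"),
    RealmRule("dnis-toll-free", attr_conditions={"Called-Station-Id": r"1800\d{7}"}),
    RealmRule("office-nas", clients={"10.0.0.5"}),
    RealmRule("default", strip_domain=False),
]
```

Rule order matters: the first matching rule wins, so the catch-all must be last, and a domain rule placed before a DNIS rule decides that richard@somedomain is routed by his domain even when he also calls a toll-free number.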

Multiple Data Sources.
Different databases can be used concurrently for different purposes. ClearBox currently supports the following data source types:

  • MS SQL Server. ClearBox uses the native MS SQL Server driver for a fast and reliable connection. It supports both types of connection authentication: MS SQL built-in authentication and Windows authentication.
  • MS Access. These databases may be used for relatively small deployments where the user database is not large and high-speed request processing is not vital.
  • ODBC-compliant data source. The majority of modern SQL-based DBMSs are equipped with ODBC drivers. This allows using potentially all existing databases thus avoiding unnecessary migrations and upgrades.
  • OLE DB data source. This is an alternative to ODBC data sources.

Advanced RADIUS Proxy Server.
ClearBox can act both as a target server handling RADIUS client requests and as a proxy server forwarding requests to remote RADIUS servers. Its advanced proxy capabilities include:

  • Transparent attribute translation so that data such as passwords and message authenticators are passed correctly (these are encoded with the shared secret, so they must be re-encoded for the remote server's secret).
  • Using a list of remote servers to create fault-tolerant, low-risk solutions: ClearBox switches to another server from the list if the current one stops responding.
  • Packet attribute filtering to govern which attributes are altered, added or omitted in packets transferred between ClearBox and a remote RADIUS server.
  • Local processing of forwarded accounting requests.

These capabilities are essential for routing requests to the servers of other service providers or to remote enterprise servers that can authenticate a foreign user. Similar in concept to the cellular phone industry, this roaming ability lets service providers covering complementary territories expand their coverage through service exchange deals.

Authentication Server.
Any realm created within ClearBox can be configured to authenticate user names and passwords against several back-ends.

  • Remote RADIUS server. The benefits of using this method are described earlier on this page.
  • Windows NT/2000 domains, groups and workstations. ClearBox can make use of your domain infrastructure and existing user account database. You can specify a domain (including trusted domains) or a stand-alone workstation where Active Directory runs or the NT SAM database resides. You may also add checks of group membership; both local and global domain groups are supported. Further verifications give deeper access control: ClearBox can check user accounts to see that they are not disabled or expired and that dial-in permission is enabled.
  • SQL-compliant data source (the supported databases and servers are listed earlier). ClearBox offers outstanding flexibility in authenticating against SQL databases. For any of the data sources listed above, ClearBox lets you specify two types of database queries:
    a) Retrieve a password for the given user and realm name via a SQL query
    b) Validate the PAP password sent in a request packet for a given user and his realm.
    Both types of queries allow authenticating against existing and newly created database table structures; no database redesign is necessary.
  • LDAP server. This may be any directory service with an LDAP interface, such as MS Active Directory or OpenLDAP. ClearBox supports directories that store user passwords either encrypted or in clear text.

The user name for authentication can be taken from any RADIUS attribute present in the access request packet, enabling features such as ANI authentication. The user name may also be rewritten according to a regular expression.

Wireless Authentication.

ClearBox meets all requirements for a RADIUS server providing authentication services in a wireless network. It may be deployed in any Wi-Fi network with WEP, WPA or WPA2 enabled hardware. It supports PEAP/EAP-MS-CHAPv2, PEAP/EAP-TLS and EAP-TLS, which are supported by virtually all WPA supplicants.

Advanced Authentication.

  • ClearBox supports MPPE encryption and generates MPPE keys for use with MS-CHAP2 and EAP-TLS/PEAP.
  • ClearBox supports passwords stored in a data source and hashed with MD5, MD4 or SHA1.
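An added example, not ClearBox code, of verifying a PAP password against a stored MD5 or SHA1 digest; the user table layout, the hex-digest storage encoding and the sample rows are assumptions made for this example. A stored digest can only be checked against a password that arrives in clear text (PAP): CHAP and MS-CHAP responses require the server to know the clear-text password or its NT hash, so hashed storage does not work with them. The comparison runs in constant time, and an unknown user costs the same work as a wrong password so that lookup timing does not reveal whether a name exists.

```python
import hashlib
import hmac

# Constructed user table: user -> (algorithm, hex digest of the password).
# Both rows hold digests of the constructed password "password"; the table
# layout and hex encoding are assumptions for this example, not ClearBox's schema.
USER_TABLE = {
    "richard": ("sha1", "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8"),
    "alice":   ("md5",  "5f4dcc3b5aa765d61d8327deb882cf99"),
}

SUPPORTED = ("md5", "md4", "sha1")   # the three algorithms named on this page


def digest_hex(algorithm: str, password: str) -> str:
    """Hex digest of the password; MD4 exists only where the OpenSSL build still provides it."""
    if algorithm not in SUPPORTED:
        raise ValueError(f"unsupported hash algorithm: {algorithm}")
    try:
        h = hashlib.new(algorithm)
    except ValueError as exc:  # e.g. MD4 disabled in this OpenSSL build
        raise ValueError(f"{algorithm} is not available in this runtime") from exc
    h.update(password.encode("utf-8"))
    return h.hexdigest()


def verify_pap_password(stored_hex: str, algorithm: str, supplied: str) -> bool:
    """Compare digests in constant time so the position of a mismatch cannot be timed."""
    return hmac.compare_digest(stored_hex.lower(), digest_hex(algorithm, supplied))


def authenticate(user_name: str, supplied: str) -> bool:
    """Look the user up and verify the PAP password.

    An unknown user still pays for one digest computation, so the response time
    does not distinguish "no such user" from "wrong password".
    """
    row = USER_TABLE.get(user_name)
    if row is None:
        digest_hex("sha1", supplied)   # burn the same work as a real check
        return False
    algorithm, stored_hex = row
    return verify_pap_password(stored_hex, algorithm, supplied)
```

MD5, MD4 and SHA1 are fast, unsalted digests, so a copied table can be attacked offline by guessing; restricting who can read the password column matters as much as hashing it.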

Double-Logon Prevention
ClearBox includes a built-in state server, which keeps track of user sessions in progress. This feature limits the number of simultaneous logins per user. The limit can be set for a whole RADIUS realm or for a particular user.
Multiple state servers are also supported, and they can be mapped to any existing database tables.

Authorization Policies.
ClearBox extends RADIUS authentication with extra authorization policies:

  • Black List (or Autoreject List) specifies which attributes must not be present in the request packet for a connection to be authenticated successfully. Various policies can be constructed with this list; for example, the Calling-Station-ID attribute can be added to block users who dial in from a particular phone number.
  • Check List includes RADIUS attributes that must be present in the request. A variety of rules can be enforced by including appropriate attributes in the Check List: only certain users might be permitted to use ISDN connections or to dial in to a particular NAS, or Caller ID could be used to validate a user against a list of legal originating phone numbers.
    A special check attribute is Login-Time, which controls the hours during which a user is allowed to log in.
  • Response List defines which attributes are included in the successful response packet granting access to a user.
    The Response List usually defines a profile: a set of properties applied to a connection when it is authorized. By including appropriate attributes in the Response List, a variety of connection policies can be applied: specific users can be assigned particular IP addresses or IPX network numbers, IP header compression can be turned on or off, or a time limit can be assigned to the connection.

The lists described above may contain attributes you define explicitly or attributes retrieved by queries from a data source or an LDAP server. Thus you may combine static, unconditional attributes for all users in the RADIUS realm with attributes retrieved from a database/LDAP server for particular users. Regular expressions make the comparisons more flexible.
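The three lists can be evaluated as follows. This is an added example written for this page, not ClearBox's implementation: the Policy structure, the merge of realm-wide and per-user lists, the sample attribute values and the Login-Time day/hour notation (borrowed from the Livingston style "Wk0800-1800,Sa,Su") are all assumptions, since ClearBox's own Login-Time syntax is not given on this page.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime

# Assumed Login-Time notation: comma-separated tokens, each a day group optionally
# followed by HHMM-HHMM, e.g. "Wk0800-1800,Sa,Su".  Python weekday(): Monday = 0.
DAY_GROUPS = {
    "Al": set(range(7)), "Wk": set(range(5)),
    "Mo": {0}, "Tu": {1}, "We": {2}, "Th": {3}, "Fr": {4}, "Sa": {5}, "Su": {6},
}
TOKEN = re.compile(r"(Al|Wk|Mo|Tu|We|Th|Fr|Sa|Su)(?:(\d{4})-(\d{4}))?")


def login_time_allows(spec: str, now: datetime) -> bool:
    """True if any token covers 'now': the weekday matches and, if given, start <= HHMM < end."""
    hhmm = now.hour * 100 + now.minute
    for token in spec.split(","):
        m = TOKEN.fullmatch(token)
        if not m:
            raise ValueError(f"bad Login-Time token: {token!r}")
        days, start, end = m.groups()
        if now.weekday() not in DAY_GROUPS[days]:
            continue
        if start is None or int(start) <= hhmm < int(end):
            return True
    return False


@dataclass
class Policy:
    black_list: dict = field(default_factory=dict)     # attr -> regex (None: reject on mere presence)
    check_list: dict = field(default_factory=dict)     # attr -> regex that must be present and match
    response_list: dict = field(default_factory=dict)  # attributes returned in the Access-Accept


def authorize(attrs: dict, policy: Policy, now: datetime):
    """Return ("Access-Reject", reason) or ("Access-Accept", response attributes)."""
    for name, pattern in policy.black_list.items():
        if name in attrs and (pattern is None or re.fullmatch(pattern, str(attrs[name]))):
            return "Access-Reject", f"black-listed {name}={attrs[name]}"
    for name, pattern in policy.check_list.items():
        if name == "Login-Time":
            if not login_time_allows(pattern, now):
                return "Access-Reject", f"outside Login-Time {pattern}"
        elif name not in attrs or not re.fullmatch(pattern, str(attrs[name])):
            return "Access-Reject", f"check failed for {name}"
    return "Access-Accept", dict(policy.response_list)


def user_policy(realm_policy: Policy, per_user: Policy) -> Policy:
    """Merge static realm-wide lists with the lists fetched for one user (per-user entries win)."""
    return Policy({**realm_policy.black_list, **per_user.black_list},
                  {**realm_policy.check_list, **per_user.check_list},
                  {**realm_policy.response_list, **per_user.response_list})


# Constructed sample policies: realm-wide rules plus a per-user profile for "richard".
REALM_POLICY = Policy(
    black_list={"Calling-Station-Id": r"555-0199"},          # one blocked caller number
    check_list={"NAS-IP-Address": r"10\.0\.0\.\d{1,3}"},     # only our own NAS pool
    response_list={"Service-Type": "Framed-User", "Framed-Protocol": "PPP"},
)
RICHARD = Policy(
    check_list={"Login-Time": "Wk0800-1800"},
    response_list={"Framed-IP-Address": "192.0.2.10", "Session-Timeout": 3600},
)

# Constructed sample times: Wednesday 3 Jan 2024 and Saturday 6 Jan 2024.
WED_MORNING = datetime(2024, 1, 3, 9, 30)
WED_EVENING = datetime(2024, 1, 3, 19, 0)
SAT_NIGHT = datetime(2024, 1, 6, 23, 0)
```

The Black List is checked first because it is a hard deny; the Check List is then evaluated in full, and only a request that passes both receives the merged Response List as its profile.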

Billing Systems Integration
ClearBox Server, being a flexible AAA solution, can be easily integrated with almost all billing systems capable of using RADIUS servers for authentication.

ClearBox is integrated with the following billing and reporting systems:

  • DTH Billing and Customer Management by DTH Software. The system is suitable for ISP and VoIP billing. It offers customizable reporting, email or paper bills, electronic funds transfer, web portals, collections processing, service orders and much more.
  • Platypus Billing System by Boardtown Corporation, a complete Windows client-server tool designed for Internet and application service providers, IP billing, as well as wireless providers.
  • Advanced ISP Billing by AdvancedISPBilling.com, an effective and highly customizable ISP billing system for small to large ISPs at very low cost. It offers ease of day-to-day operations, superb client management, a whole suite of useful managerial reports, seamless system administration and a lot more.
  • RADREP by RADIUS Reporting, an easy-to-use Windows GUI application that produces usage and billing reports from RADIUS accounting logs, which can be used for organizational charge-back or internal billing purposes.

Accounting Server.
ClearBox has all the capabilities for reliable real-time accounting, which is essential for your business. You may combine several accounting logging options for redundancy or for flexible accounting management:

  • Forwarding accounting data to a remote RADIUS server. ClearBox can be configured to forward accounting packets with the specified accounting status types to a remote RADIUS accounting server, to both forward a request and log it locally, or to log it locally only with one of the methods listed below.
  • Logging to a SQL database. The most commonly required and most powerful method; it stores all information about connections in your SQL database. You may specify your own multiple SQL queries or simply bind RADIUS attributes to database table fields. Thus ClearBox can make use of your existing billing or account management system.
  • Logging accounting data to a file in Livingston format. Although it is not an official standard, Livingston format is widely used, and you may use any available reporting tool to produce usage and billing reports from these ClearBox logs. Besides specifying the log file name, you may select how often the server rolls over to a new file (hourly, daily, weekly, monthly, or on reaching a log file size limit).
  • Logging accounting data to a file in CSV (comma-separated values) format. This is useful because CSV logs can easily be imported into any spreadsheet or database table. Besides specifying the log file name, you may select how often the server rolls over to a new file (hourly, daily, weekly, monthly, or on reaching a log file size limit).

You may define a filter for each of these methods: which accounting status types should be processed (e.g. "connection stop" records) and which should be skipped. Each method can be filtered independently.
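As an added example (not ClearBox code) of the two file-based methods and the per-method status-type filter, the following renders one accounting record in Livingston detail format and as a CSV line. The sample record, the timestamp and the CSV column order are constructed for this example, and the Livingston layout used (ctime header, tab-indented "attribute = value" lines, strings quoted, enumerated and numeric values bare, blank-line terminator) is the common Livingston detail-file convention, assumed here rather than taken from this page.

```python
import csv
import io
from datetime import datetime

# Constructed accounting record (attribute -> value) as decoded from an Accounting-Request,
# and a constructed receive time for it.
SAMPLE_RECORD = {
    "User-Name": "richard",
    "Acct-Status-Type": "Stop",
    "Acct-Session-Id": "0a1b2c3d",
    "Acct-Session-Time": 3600,
    "Acct-Input-Octets": 123456,
    "Acct-Output-Octets": 654321,
    "NAS-IP-Address": "10.0.0.5",
}
SAMPLE_TIME = datetime(2007, 1, 2, 10, 0, 0)

# Fixed CSV column order (an assumption for this example); the first column is the receive time.
CSV_COLUMNS = ["timestamp", "User-Name", "Acct-Status-Type", "Acct-Session-Id",
               "Acct-Session-Time", "Acct-Input-Octets", "Acct-Output-Octets", "NAS-IP-Address"]


def should_log(record: dict, wanted_status_types: set) -> bool:
    """Per-method filter: only records whose Acct-Status-Type is in the wanted set are written."""
    return record.get("Acct-Status-Type") in wanted_status_types


def format_livingston(record: dict, when: datetime) -> str:
    """One Livingston-style detail record, terminated by a blank line."""
    lines = [when.ctime()]                       # e.g. "Tue Jan  2 10:00:00 2007"
    for name, value in record.items():
        if isinstance(value, int):
            rendered = str(value)                # integers written bare
        elif name == "Acct-Status-Type":
            rendered = str(value)                # enumerated value written bare
        else:
            rendered = '"' + str(value).replace('"', '\\"') + '"'   # strings quoted
        lines.append(f"\t{name} = {rendered}")
    return "\n".join(lines) + "\n\n"


def format_csv(record: dict, when: datetime) -> str:
    """One CSV line in CSV_COLUMNS order; the csv module handles any quoting needed."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    row = [when.isoformat(sep=" ")] + [record.get(col, "") for col in CSV_COLUMNS[1:]]
    writer.writerow(row)
    return buf.getvalue()


def log_record(record: dict, when: datetime, livingston_types: set, csv_types: set):
    """Apply each method's own filter and return the text each method would append (or None)."""
    livingston = format_livingston(record, when) if should_log(record, livingston_types) else None
    csv_line = format_csv(record, when) if should_log(record, csv_types) else None
    return livingston, csv_line
```

Filtering per method is what lets a Stop-only CSV file feed billing while the Livingston file keeps every Start, Interim-Update and Stop for troubleshooting.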


© 2001-2007 XPerience Technologies. www.xperiencetech.com