ClearBox Enterprise Server Features and Benefits:
Speed and Performance.
ClearBox Server is a 32-bit multithreaded application written in
C++ with low CPU and memory usage. It provides excellent
performance and reliability on all Windows NT platforms and makes
use of your multi-processor equipment.
Compatibility.
ClearBox is fully compatible with all relevant RADIUS RFCs (2865,
2866, 2869, 3579, 3580). It has support for all types of RADIUS
attributes, Vendor-Specific Attributes including non-standard
attribute IDs or length fields, subfields, and much more (RFCs
2548, 2867, 2868, 2869, 3162, 4679). It means that ClearBox and
your network equipment will always speak the same language - RADIUS.
Unlimited Multiple Realms.
This great new feature allows ClearBox Server to use various
authentication, authorization and accounting functions in any
combination, based on the rules defined. Each realm can have an
independent configuration and its own user database. ClearBox can
select the proper realm, i.e. the instructions on how to
authenticate a user or how to log his accounting data, based on a
rich set of rules:
- When a user name consists of two parts: real user name combined
with a domain name (e.g. richard@somedomain). ClearBox lets you
define the expected format of such user name, such as separator
symbol or suffix/prefix form. ClearBox is capable of stripping the
domain name from the user name.
- When a request is received from a specific client. You may
configure several clients if their requests should be handled by
the server in the same way, i.e. within one realm.
- When some set of attributes matches a list of defined
conditions (such as attribute presence, absence, equality, etc.).
This capability provides flexible realm selection. Suppose you need
to handle packets in some way depending on DNIS represented by
Called-Station-ID. You are able to configure realm rules so that a
request message will be handled by different realms if it differs
in one attribute value!
- A realm can be selected by a dynamic SQL statement.
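The first three rule types above (user name format, requesting client, attribute conditions), sketched as an added example that is not ClearBox code or configuration. The rule layout, function names, addresses and DNIS value are assumptions made for illustration; SQL-based selection is left out.

```python
# Added illustration: rule layout and names are hypothetical, not ClearBox configuration.

def split_user(user_name, separator="@", form="suffix"):
    """Return (user, domain); domain is None when the separator is absent."""
    if separator not in user_name:
        return user_name, None
    if form == "suffix":                    # richard@somedomain
        user, domain = user_name.rsplit(separator, 1)
    else:                                   # prefix form: somedomain\richard
        domain, user = user_name.split(separator, 1)
    return user, domain

def condition_holds(attrs, cond):
    name, op, value = cond
    if op == "present":
        return name in attrs
    if op == "absent":
        return name not in attrs
    if op == "equals":
        return attrs.get(name) == value
    raise ValueError(f"unknown operator {op!r}")

def select_realm(request, realms):
    """First realm whose every configured rule matches wins; order is significant."""
    attrs = request["attrs"]
    full_name = attrs.get("User-Name", "")
    for realm in realms:
        user, domain = split_user(full_name, realm.get("separator", "@"),
                                  realm.get("form", "suffix"))
        if "domain" in realm and (domain or "").lower() != realm["domain"]:
            continue
        if "clients" in realm and request["client_ip"] not in realm["clients"]:
            continue
        if not all(condition_holds(attrs, c) for c in realm.get("conditions", [])):
            continue
        # Strip only when this realm asked for it and a domain part was found.
        stripped = user if realm.get("strip_domain") and domain else full_name
        return realm["name"], stripped
    return None, full_name                  # no realm matched: caller should reject

# Constructed sample realms (documentation addresses, made-up DNIS).
REALMS = [
    {"name": "dnis-5551000", "conditions": [("Called-Station-ID", "equals", "5551000")]},
    {"name": "somedomain", "domain": "somedomain", "strip_domain": True},
    {"name": "branch-nas", "clients": {"192.0.2.10", "192.0.2.11"}},
]
```

Because the first matching realm wins, a realm with no rules at all would match every request, so such a catch-all belongs last in the list.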
Multiple Data Sources.
Allows different databases to be used concurrently for different
purposes. Currently ClearBox supports the following data source
types:
- MS SQL Server. ClearBox uses the native MS SQL Server driver for
a fast and reliable connection. It supports both types of
connection authentication: MS SQL built-in authentication and
Windows-based authentication.
- MS Access. These databases may be used for relatively small
solutions where user database is not large and high speed request
processing is not vital.
- ODBC-compliant data source. The majority of modern SQL-based
DBMSs are equipped with ODBC drivers. This allows using potentially
all existing databases thus avoiding unnecessary migrations and
upgrades.
- OLE DB data source. This is an alternative to ODBC data
sources.
Advanced RADIUS Proxy Server.
Can act both as a target server serving RADIUS client requests and
as a proxy server forwarding requests to remote RADIUS servers.
Advanced ClearBox capabilities as a proxy server include:
- Transparent attribute translation to properly pass such data as
passwords and message authenticators.
- Using a list of remote servers to create fault-tolerant, low-risk
solutions. ClearBox switches to another server from the list if
the current one is not responding.
- Packet attributes filtering to govern what attributes are
altered, added or omitted in packets transferred between ClearBox
and a remote RADIUS server.
- Local processing of forwarded accounting requests.
These capabilities of ClearBox are essential for routing requests
to the servers of other service providers or to the remote
enterprise servers which can authenticate a foreign user. Similar
in concept to the cellular phone industry, this roaming ability
allows service providers covering complementary territories to
expand their coverage through service exchange deals.
Authentication Server.
Any realm created within ClearBox can be configured to authenticate
user names and passwords against several back-ends.
- Remote RADIUS server. The benefits of using this method are
described earlier on this page.
- Windows NT/2000 domains, groups and workstations. ClearBox can
make use of your domain infrastructure and existing user accounts
database. You can specify a domain (including trusted domains) or a
stand-alone workstation where Active Directory is run or NT SAM
database resides. Besides, you may include additional checks of a
group membership. Both local and global domain groups are
supported. Advanced verifications may be involved to gain deeper
access control: ClearBox can check user profiles to see that they
are not disabled or expired, and whether a user has dial-in
permission turned on.
- SQL-compliant data source (supported databases and servers are
listed earlier). ClearBox offers outstanding flexibility in
authenticating against SQL databases. Besides supporting the data
sources listed above, ClearBox allows you to specify two types of
database queries:
a) Retrieve a password for the given user and realm name via a SQL
query
b) Validate PAP password sent in a request packet for a given user
and his realm.
Both types of queries allow authenticating against existing and
newly-created database table structures; no database redesign is
necessary.
- LDAP server. It may be any directory service supporting the LDAP
interface, like MS Active Directory or OpenLDAP. ClearBox supports
directories that store user passwords either encrypted or in clear
text.
It's possible to take a user name for authentication from any
RADIUS attribute present in the access request packet, enabling
such features as ANI authentication. Besides, user name may be
rewritten according to a regular expression.
Wireless Authentication.
ClearBox meets all requirements for a RADIUS server providing
authentication services in a wireless network. It may be deployed
into any Wi-Fi network with WEP, WPA and WPA2 enabled hardware. It
supports PEAP/EAP-MS-CHAPv2, PEAP/EAP-TLS and EAP-TLS, supported by
virtually all WPA supplicants.
Advanced Authentication.
- ClearBox supports MPPE encryption and generates MPPE keys to
use with MS-CHAPv2 and EAP-TLS/PEAP.
- ClearBox supports passwords stored in a data source and hashed
with MD5, MD4 or SHA1.
Double-Logon Prevention.
ClearBox includes a built-in state server, which keeps track of
user sessions in progress. This feature allows limiting the number
of simultaneous logins by the user. It's possible to limit this
number for a whole RADIUS realm or for a particular user.
Besides, multiple state servers are supported, and they can be
adjusted for any existing database tables.
Authorization Policies.
ClearBox extends RADIUS authentication with extra authorization
policies:
- Black List (or Autoreject List) specifies what attributes
should not be present in the request packet to authenticate a
connection successfully. Various policies can be constructed with
the help of this list. For example, Calling-Station-ID attribute
can be added to block users who dial in from a particular phone
number.
- Check List includes RADIUS attributes that should be present in
the request. A variety of rules could be enforced by including
appropriate attributes in the Check List. Only certain users might
be permitted to use ISDN connections, or dial in to a particular
NAS. Or, Caller ID could be used to validate a user against a list
of legal originating phone numbers.
A special check attribute is Login-Time, which controls the
hours when a user is allowed to log in.
- Response List defines what attributes should be included in the
successful response packet granting access to a user.
The Response List usually defines a profile, a set of properties
that are applied to a connection when the connection is authorized.
By including appropriate attributes in the Response List, a variety
of connection policies could be applied. Specific users could be
assigned particular IP addresses or IPX network numbers, IP header
compression could be turned on or off, or a time limit could be
assigned to the connection.
The lists described above may contain plain attributes defined
explicitly by you or may be retrieved by queries from a data source
or an LDAP server. Thus you may use static, unconditional
attributes for all users in the RADIUS realm, and attributes
retrieved from a database/LDAP server specific for particular
users. The power of regular expressions makes the comparisons more
flexible.
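How the three lists combine into one decision, as an added example that is not ClearBox code. The list layout, function names and sample values are assumptions, and the per-user entries stand in for rows a deployment would retrieve from a database or LDAP query.

```python
import re

# Added illustration: list layout and names are hypothetical, not ClearBox's format.

def _matches(attrs, name, pattern):
    """True when the attribute is present and its WHOLE value matches the regex.

    fullmatch() is deliberate: with an unanchored search, a Caller ID check
    for 55501\\d\\d would also accept any longer number that merely contains it.
    """
    value = attrs.get(name)
    return value is not None and re.fullmatch(pattern, value) is not None

def authorize(request_attrs, black_list, check_list, response_list):
    """Return ("Access-Accept", reply_attrs) or ("Access-Reject", reason)."""
    for name, pattern in black_list:        # any hit rejects the request
        if _matches(request_attrs, name, pattern):
            return "Access-Reject", f"black list: {name}"
    for name, pattern in check_list:        # every entry must be satisfied
        if not _matches(request_attrs, name, pattern):
            return "Access-Reject", f"check list: {name}"
    return "Access-Accept", dict(response_list)

# Constructed sample policy: static lists for the whole realm ...
REALM_BLACK = [("Calling-Station-ID", r"5550199")]
REALM_CHECK = [("NAS-Port-Type", r"ISDN|Async")]
# ... plus per-user entries (constructed; normally the result of a query).
USER_CHECK = {"richard": [("Calling-Station-ID", r"55501\d\d")]}
USER_REPLY = {"richard": [("Framed-IP-Address", "192.0.2.77"),
                          ("Session-Timeout", "3600")]}

def decide(user, request_attrs):
    """Merge realm-wide and per-user lists, then evaluate them in order."""
    return authorize(request_attrs,
                     REALM_BLACK,
                     REALM_CHECK + USER_CHECK.get(user, []),
                     USER_REPLY.get(user, []))
```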
Billing Systems Integration.
ClearBox Server, being a flexible AAA solution, can be easily
integrated with almost all billing systems capable of using RADIUS
servers for authentication.
ClearBox is integrated with the following billing and reporting
systems:
- DTH Billing and Customer Management by DTH Software. The system
is suitable for ISP and VoIP billing. It boasts many nice features
like customizable reporting, email or paper bills, electronic funds
transfer, web portals, collections processing, service orders and
much more.
- Platypus Billing System by Boardtown Corporation, a complete
Windows client-server tool designed for Internet and Application
service providers, IP Billing, as well as wireless providers.
- Advanced ISP Billing by AdvancedISPBilling.com, an effective and
highly customizable ISP billing system for small to large ISPs at
very low cost. It offers ease of day to day operations, superb
client management, a whole suite of useful managerial reports,
seamless system administration and a lot more.
- RADREP by RADIUS Reporting, an easy to use Windows GUI
application which produces usage and billing reports from RADIUS
accounting logs, which can be used for organizational charge-back
or internal billing purposes.
Accounting Server.
ClearBox has all the capabilities for reliable real-time accounting,
which is essential for your business. You may combine
several options of accounting logging for redundancy or flexible
accounting management:
- Forwarding accounting data to a remote RADIUS server. ClearBox
can be configured to forward accounting packets with the specified
accounting status types to a remote RADIUS accounting server, to
both forward a request and log it locally, or to log it only
locally with one of the methods listed below.
- Logging to a SQL database. The most requested and powerful
method, it lets you store all information about connections in
your SQL database. You may specify your own multiple SQL queries or
simply bind RADIUS attributes to database table fields. Thus
ClearBox can make use of your existing billing or account
management system.
- Logging accounting data to a file in Livingston format.
Although it's not an official standard, Livingston format is widely
used. You may use any available reporting tool to produce usage and
billing reports from these ClearBox logs. Besides specifying the
log file name, you may select how often the server rolls over to a
new file (hourly, daily, weekly, monthly, on log file size
limit).
- Logging accounting data to a file in CSV
(comma-separated-values) format. This may be useful for you as CSV
logs may be imported easily into any spreadsheet or a database
table. Besides specifying the log file name, you may select how
often the server rolls over to a new file (hourly, daily, weekly,
monthly, on log file size limit).
You may define a filter for all these methods: what accounting
status types should be processed (e.g. "connection stop" records)
and what should be skipped. All methods can be filtered
independently.
© 2001-2007 XPerience Technologies. www.xperiencetech.com