User's Guide
What It Is
What's New
Key Features List
ClearBox Enterprise vs ClearBox
System Requirements
Purchasing Licenses
Getting Started
Quick Start
Understanding Server Components
Managing User Accounts
Configuring RADIUS Realms
Realm Settings
Realm Rules
Dynamic Realm Rules
Authentication Protocols Compatibility
Logging Authentication Packets
Logging Discarded Requests
Account Log Files
Realm Settings
Configuring SQL Queries
Private RADIUS Attributes
Regular Expressions Syntax
RADIUS Clients
RADIUS Client Settings
Dynamic Clients Settings
SQL Data Sources
SQL Data Source Settings
LDAP Servers
LDAP Server Settings
Remote RADIUS Servers
Remote RADIUS Server Settings
State Servers
State Server Settings
Meta Configuration
Meta Configuration
Meta Configuration Settings
Meta Base Schema
TLS Settings
Creating SSL Certificates
Creating Server Sertificate
Requesting Server Certificate
Creating Client Certificates
Revoking a Certificate or Renewing CRL
Exporting CA Certificate
Issuing a Certificate in Active Directory CA
Remote Configuration
Advanced ISP Billing Integration
DTH Billing Integration
Platypus Billing System Intergration
OnDO SIP Server Integration
How Do I...
Wi-Fi Security
Wireless Authentication
Wi-Fi and RADIUS
Supported EAP Authentication Types
Security Considerations
10 Tips for Wireless Network Security
Administering the Server
Debug Logs
Using Client Tool
List of Server Errors
Maintaining RADIUS Dictionary
Basic Concepts
Wireless Authentication
Authentication Protocols
RADIUS Attributes
Example of RADIUS Packet Transactions
List of Standard RADIUS Attributes
Technical Support
Purchasing Licenses

ClearBox Enterprise Server 2.0 Online Manual
Prev Page Next Page
ClearBox Enterprise Server™ 2.0. User's Guide


Access point
Wireless access point (WAP or AP) is a device that connects wireless communication devices together to form a wireless network. The WAP usually connects to a wired network, and can relay data between wireless devices and wired devices. Several WAPs can link together to form a larger network that allows "roaming".
The process of identifying an individual, usually based on a username and password.
The process of granting or denying a user access to network resources once the user has been authenticated through the username and password.
The process of keeping track of a user's activity while accessing the network resources. Accounting data is used for trend analysis, capacity planning, billing, auditing and cost allocation.
Short for Apple Remote Access Protocol, an Apple authentication protocol which uses challenges and responses, like CHAP, to avoid sending clear text passwords through the network.
A public key certificate (or certificate) is an electronic document which incorporates a digital signature to bind together a public key with an identity — information such as the name of a person or an organization, their address, and so forth. The certificate can be used to verify that a public key belongs to an individual without exchanging secret keys. The signatures on a certificate are of a certificate authority (CA) and attest that the identity information and the public key belong together.
Certificate authority (CA) is an entity which issues digital certificates for use by other parties. There are many commercial CAs that charge for their services. Companies, institutions and governments may have their own CAs, and there are also free CAs.
A CA issues digital certificates which contain a public key and the identity of the owner. The CA also attests that the public key contained in the certificate belongs to the person/organization/server or other entity noted in the certificate. A CA's obligation is to verify an applicant's credentials, so that users and relying parties can trust the information in the CA's certificates. If the user trusts the CA and can verify the CA's signature, then they can also verify that a certain public key does indeed belong to whoever is identified in the certificate.
Certificate revocation list
Certificate revocation list (CRL) is a list of certificates (their serial numbers) which have been revoked, are no longer valid, and should not be relied on by any system user.
Certificate signing request
A certificate signing request(CSR) is a message sent from an applicant to a certificate authority (CA) in order to apply for a digital identity certificate. Before creating a CSR, the applicant first generates a key pair, keeping the private key secret. The CSR contains information identifying the applicant and the public key chosen by the applicant. The corresponding private key is not included in the CSR, but is used to digitally sign the entire request. If the request is successful, the certificate authority will send back an identity certificate that has been digitally signed with the private key of the certificate authority.
Short for Challenge Handshake Authentication Protocol, a type of authentication in which the authentication agent (typically a network server) sends the client program a random value that is used only once and an ID value. Both the sender and peer share a predefined secret. The peer concatenates the random value (or nonce), the ID and the secret and calculates a one-way hash using MD5. The hash value is sent to the authenticator, which in turn builds that same string on its side, calculates the MD5 sum itself and compares the result with the value received from the peer. If the values match, the peer is authenticated.
Cipher suite
The TLS protocol that underlies PEAP and EAP-TLS is capable of using a variety of cryptographic techniques for authentication and data privacy between client and a RADIUS server. Each of these techniques is called a cipher suite.
Set of known RADIUS attribute names and their types.
A hotspot is a venue that offers Wi-Fi access. Hotspots are often found at restaurants, train stations, airports, libraries, coffee shops, bookstores, fuel stations, department stores, supermarkets and other public places. Many universities and schools have wireless networks in their campus.
IEEE 802.1X
IEEE 802.1X is an IEEE standard for port-based Network Access Control. It provides authentication to devices attached to a LAN port, establishing a point-to-point connection or preventing access from that port if authentication fails. It is used for certain closed wireless access points, and is based on the EAP.
Inner identity
The Wi-Fi authentication protocol PEAP works by creating a TLS-encrypted tunnel between the user and a RADIUS server. Authentication credentials are sent inside of the tunnel, and are not visible to the access point. When using these protocols, the username is sent in two places: the "outer identity", which is sent unencrypted outside the TLS channel, and inside the encrypted TLS channel. Inner identity is the name sent inside the channel.
see Secret.
Lightweight Directory Access Protocol, the protocol supported by most directory services..
Short for Microsoft Challenge Handshake Authentication Protocol is a Microsoft authentication protocol that, like CHAP, avoids sending passwords in clear text.
Network Access Server. The device that accepts PPP connections and places clients on the network that the NAS serves. NAS is also called Terminal server.
A piece of data sent over a network and encapsulating RADIUS message in a well-known format.
Short for Password Authentication Protocol, the most basic form of authentication, in which a user's name and password are transmitted over a network "in the clear" (that is, in an unencrypted form) and compared to a table of name-password pairs.
Public key infrastructure (PKI) is an arrangement that binds public keys with respective user identities by means of a certificate authority (CA). The user identity must be unique for each CA. This is carried out by software at a CA, possibly under human supervision, together with other coordinated software at distributed locations. For each user, the user identity, the public key, their binding, validity conditions and other attributes are made unforgeable in public key certificates issued by the CA.
Most enterprise-scale PKI systems rely on certificate chains to establish a party's identity, as a certificate may have been issued by a certificate authority computer whose 'legitimacy' is established for such purposes by a certificate issued by a higher-level certificate authority, and so on. This produces a certificate hierarchy composed of, at a minimum, several computers, often more than one organization, and often assorted interoperating software packages from several sources. Enterprise PKI systems are often closely tied to an enterprise's directory scheme, in which each employee's public key is often stored (embedded in a certificate), together with other personal details (phone number, email address, location, department, ...).
Windows 2000 Server and Server 2003 contain a CA software, which is integrated into the Active Directory.
Proxy server
A server that sits between a client application and a real server. It intercepts all requests to the real server to see if it can fulfill the requests itself. If not, it forwards the request to the real server.
Short for Remote Authentication Dial-In User Service, an authentication and accounting system used by many Internet Service Providers (ISPs). When you dial in to the ISP you must enter your username and password. This information is passed to a RADIUS server, which checks that the information is correct, and then authorizes access to the ISP system.
A set of rules (policies) defining how the server should handle an authentication or accounting request.
Secret (Key, Shared secret)
A string well known to both client and server and used to validate and/or encrypt data, transmitted between them.
Self-signed certificate
A self-signed certificate is an identity certificate that is signed by its own creator. That is, the person that created the certificate also signed off on its legitimacy. Such certificates are also termed root certificates.
A process receiving requests from its clients, processing them and replying to a client.
Server Manager
Graphic utility used to manage ClearBox Server, configure and monitor it.
Server certificate
In order to provide trusted network security services to wireless clients, ClearBox Server must be able to cryptographically identify itself to clients. To prove its identity to clients, it sends them its digital certificate during the client login procedure.
State server
Some kind of database maintained by the server where information on users currently logged onto the network is stored.
A supplicant is software that is installed on the client to implement the IEEE 802.1X protocol framework and one or more EAP methods. Supplicants include Windows 2000 Service Pack 4, Windows XP Service Pack 2, Windows Vista and other operation systems and packages.
Temporal Key Integrity Protocol, the part of the IEEE 802.11i standard. TKIP implements per-packet key mixing with a re-keying system and also provides a message integrity check. These avoid the problems of WEP.
Vendor Specific Attributes; RADIUS attributes defined by vendors using the provision of attribute 26.
Wired Equivalent Privacy (WEP) is a scheme to secure IEEE 802.11 wireless networks. WEP was intended to provide confidentiality comparable to that of a traditional wired network. Several serious weaknesses were identified by cryptanalysts; a WEP connection can be cracked with readily available software within minutes. WEP was superseded by Wi-Fi Protected Access (WPA) and WPA2. Despite its weaknesses, WEP provides a level of security that may deter casual snooping.
Wi-Fi is a wireless technology brand owned by the Wi-Fi Alliance intended to improve the interoperability of wireless local area network products based on the IEEE 802.11 standards.
WLAN, or Wireless Local Area Network, similar to other wireless devices, uses radio instead of wires to transmit data back and forth between computers on the same network.
Wi-Fi Protected Access (WPA and WPA2) is a class of systems to secure wireless (Wi-Fi) computer networks. It was created in response to several serious weaknesses researchers had found in the previous system, WEP. WPA is designed to work with all wireless network interface cards, but not necessarily with first generation wireless access points. WPA2 will not work with some older network cards. Both provide good security, with two significant issues: 1) Either WPA or WPA2 must be enabled and chosen in preference to WEP. 2) In the "Personal" (Pre-shared key mode, PSK mode), the most likely choice for homes and small offices, a passphrase is required.
Both WPA and WPA2 support EAP authentication methods using RADIUS servers and preshared key (PSK) based security.

© 2001-2007 XPerience Technologies.
Converted from CHM to HTML with chm2web Pro 2.7 (unicode)