ClearBox Enterprise Server™ 2.0. User's Guide

Understanding Meta Configuration Structure

This article describes the structure of the database tables that store the ClearBox configuration. Almost every field has an equivalent in the Configurator GUI. The reference syntax is [Object type].[Element 1].[Element 2]..., where an element may be a tab, a button, an input box name, etc. For example, the [Realm].[Authentication].[Domain] value is reached by selecting a realm and switching to the 'Authentication' tab; it is the 'Domain' box there.

These tables can be created by running the \AAA\meta.sql script.

Hosts

A host is a RADIUS client or a remote RADIUS server. If it is a client host, it should be referenced by an appropriate entry in the Clients table.
ID Counter, serves as a host name ([RADIUS server].[RADIUS server ID]).
IPAddress IP address of the host/client ([Client].[Client IP address]/[RADIUS server].[Server IP address]).
RADIUSSecret Shared secret ([Client].[Shared secret]). Note that the meta configuration doesn't separate authentication and accounting secrets.
Retries If the host is a remote RADIUS server, the number of times ClearBox retries sending a request ([RADIUS server].[Forwarding retries]), NULL otherwise.
WaitForReply If the host is a remote RADIUS server, the number of seconds ClearBox waits for a response before resending a request ([RADIUS server].[Wait for response before retrying]), NULL otherwise.
RADAuthenPort If the host is a remote RADIUS server, its authentication UDP port ([RADIUS server].[Authentication server port]), NULL otherwise.
RADAcctPort If the host is a remote RADIUS server, its accounting UDP port ([RADIUS server].[Accounting server port]), NULL otherwise.
MaxProxyFails If the host is a remote RADIUS server and some realm is configured to proxy-forward requests to several hosts including this one, ClearBox tries them in order. When it has failed to receive a response from this server this many times, it switches to the next server in the list ([RADIUS server].[Maximum forwarding retries]).

Clients

There should be an entry in the Hosts table for each RADIUS client. If a host is not referenced in Clients.HostID, it's treated as a RADIUS server.
ID Counter, serves as a client name ([Client].[Client ID]).
HostID References the client host from the Hosts table by the Hosts.ID field.
DefaultRealm References the default realm for this client from the Realms table by the Realms.ID field ([Client].[Default realm]).
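The following is an added example, not part of the manual and not the contents of \AAA\meta.sql: a minimal SQLite stand-in for the Hosts, Clients and Realms tables (column names as described above, column types assumed), together with the rule that a host not referenced by Clients.HostID is a remote RADIUS server, and a few consistency checks worth running before ClearBox reads the tables. Sample rows are constructed.

```python
import sqlite3

# Minimal subset of the meta configuration schema described on this page.
# Column names follow the Hosts, Clients and Realms tables; the column types
# are an assumption (the real \AAA\meta.sql script is not reproduced here).
SCHEMA = """
CREATE TABLE Realms (
    ID INTEGER PRIMARY KEY,
    "Default" INTEGER NOT NULL DEFAULT 0,
    Priority INTEGER NOT NULL DEFAULT 0
);
CREATE TABLE Hosts (
    ID INTEGER PRIMARY KEY,
    IPAddress TEXT NOT NULL,
    RADIUSSecret TEXT,
    Retries INTEGER,
    WaitForReply INTEGER,
    RADAuthenPort INTEGER,
    RADAcctPort INTEGER,
    MaxProxyFails INTEGER
);
CREATE TABLE Clients (
    ID INTEGER PRIMARY KEY,
    HostID INTEGER NOT NULL REFERENCES Hosts(ID),
    DefaultRealm INTEGER REFERENCES Realms(ID)
);
"""

# Constructed sample data: one NAS client, one upstream RADIUS server and one
# client host whose row is misconfigured (server-only fields filled in, empty
# shared secret).
SAMPLE_DATA = """
INSERT INTO Realms VALUES (1, 1, 0);
INSERT INTO Hosts VALUES (1, '192.0.2.10',   's3cret-nas',      NULL, NULL, NULL, NULL, NULL);
INSERT INTO Hosts VALUES (2, '198.51.100.5', 's3cret-upstream', 3,    5,    1812, 1813, 2);
INSERT INTO Hosts VALUES (3, '192.0.2.11',   '',                3,    5,    NULL, NULL, NULL);
INSERT INTO Clients VALUES (1, 1, 1);
INSERT INTO Clients VALUES (2, 3, 1);
"""


def open_config():
    """Create the in-memory tables and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA + SAMPLE_DATA)
    return conn


def classify_hosts(conn):
    """Apply the page's rule: a host referenced by Clients.HostID is a RADIUS
    client, any other host is treated as a remote RADIUS server."""
    rows = conn.execute(
        """
        SELECT h.ID,
               CASE WHEN c.HostID IS NULL THEN 'server' ELSE 'client' END
        FROM Hosts h LEFT JOIN Clients c ON c.HostID = h.ID
        ORDER BY h.ID
        """
    ).fetchall()
    return dict(rows)


def find_problems(conn):
    """Consistency checks before handing the tables to ClearBox: every host
    needs a non-empty shared secret, client hosts must leave the server-only
    columns NULL, and remote servers need both UDP ports."""
    problems = []
    kinds = classify_hosts(conn)
    query = (
        "SELECT ID, RADIUSSecret, Retries, WaitForReply, RADAuthenPort, "
        "RADAcctPort, MaxProxyFails FROM Hosts ORDER BY ID"
    )
    for hid, secret, retries, wait, aport, acport, fails in conn.execute(query):
        if not secret:
            problems.append((hid, "empty RADIUSSecret"))
        if kinds[hid] == "client":
            if any(v is not None for v in (retries, wait, aport, acport, fails)):
                problems.append((hid, "client host has server-only fields set"))
        elif aport is None or acport is None:
            problems.append((hid, "remote server without UDP ports"))
    return problems


if __name__ == "__main__":
    cfg = open_config()
    print(classify_hosts(cfg))
    for host_id, what in find_problems(cfg):
        print("host %d: %s" % (host_id, what))
```

Host 3 above is flagged twice: its shared secret is empty, and it carries forwarding settings that only make sense for a remote server. The same checks translate directly into a SQL query against the real tables once the types are known.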

DataSources

Each table row describes exactly one data source.
ID Counter, serves as a data source name ([Data source].[Data Source ID]).
Type Data source type. Can be mssql (MS SQL Server), msaccess (MS Access), odbc (ODBC data source), oledb (OLE DB data source).
Path If Type=msaccess, specifies the database file location ([Data source].[Database path]), NULL otherwise.
DSN If Type=odbc, it's the system DSN of the data source ([Data source].[System DSN]), NULL otherwise.
Server If Type=mssql, it's the MS SQL Server name ([Data source].[SQL server]), NULL otherwise.
ConnectionString If Type=oledb, it's the OLE DB connection string ([Data source].[Connection string]), NULL otherwise.
Catalog If Type=mssql, defines the database name ([Data source].[Database]), NULL otherwise.
[User] Optional user name ([Data source].[User name]).
[Password] Optional user password ([Data source].[User password]).
WindowsAuthentication If not zero and Type=mssql, the ClearBox service is authenticated by MS SQL Server with its Windows account credentials rather than with a user name and password ([Data source].[Use Windows authentication]).
DelayedConnection If not zero, ClearBox connects to the data source during its startup ([Data source].[Delayed connection]).
ReconnectOnError If not zero, ClearBox reconnects to the data source if it fails to issue a SQL command ([Data source].[Automatically reconnect on errors]).

StateServers

Each table row describes exactly one state server.
ID Counter, serves as a state server name ([State server].[State Server ID]).
DataSourceID References the used data source from the DataSources table by the DataSources.ID field ([State server].[Data source ID]).
AddUserQuery SQL command issued when a user session is started ([State server].[Session is started SQL command]).
UpdateUserQuery SQL command issued when ClearBox receives an interim accounting record for a user session ([State server].[Session is in progress SQL command]).
RemoveUserQuery SQL command issued when a user session is terminated ([State server].[Session is terminated SQL command]).
ClearAllQuery SQL command issued when a NAS is rebooted ([State server].[Accounting is stopped SQL command]).
CountUsersQuery SQL command issued to count the number of concurrent user sessions ([State server].[Get concurrent sessions number query]).

Realms

Each table row describes exactly one realm.
ID Counter, serves as a realm name ([Realm].[Realm Rules].[Realm ID]).
Default If not zero, the realm is default ([Realm].[Realm Rules].[Default realm]).
RewriteType If not NULL, may be fromattribute (treat some attribute value as a user name) or rewrite (use regular expression to rewrite a user name) ([Realm].[Realm Rules].[Rewrite User Name]).
ReturnTranslatedName If not zero, ClearBox returns new user name in Access-Accept (if changed by rewriting) ([Realm].[Realm Rules].[Rewrite User Name].[Return this name in Access-Accept]).
TakeUserNameFrom If RewriteType=fromattribute, specifies the name of the source attribute ([Realm].[Realm Rules].[Rewrite User Name].[Take the user name value from]).
RewriteRule If RewriteType=rewrite, specifies the regular expression, according to which user name is transformed ([Realm].[Realm Rules].[Rewrite User Name].[Rewrite User-Name according to this rule]).
StateServerID May reference the state server from the StateServers table by the StateServers.ID field ([Realm].[Authentication].[State server ID]).
Priority As the realms order is significant, ClearBox sorts the realms by this field in ascending order.

RealmCommons

There should exist only one row in this table containing common settings for all realms.
UseRuntime If not zero, ClearBox uses SelectQuery to select a realm ID to process an incoming request ([Dynamic realm rules].[Use SQL command to query for realm IDs]).
DataSourceID If UseRuntime=1, references the data source from the DataSources table by the DataSources.ID field ([Dynamic realm rules].[Data source]).
SelectQuery If UseRuntime=1, ClearBox runs this query to select a proper realm name (i.e. Realms.ID) ([Dynamic realm rules].[SQL command]).
DiscardDataSourceID If LogDiscarded=1, references the data source from the DataSources table by the DataSources.ID field ([Error reporting].[Data source]).
LogDiscarded If not zero, ClearBox runs Query to log a discarded request (or a response from remote RADIUS) ([Error reporting].[Use SQL command to log discarded packets]).
Query If LogDiscarded=1, ClearBox runs this query to log a discarded request ([Error reporting].[SQL command]).

RealmRules

There should exist only one row per realm.
ID Counter.
RealmID References an appropriate owning realm from the Realms table by the Realms.ID field.
Type Can be username (select the RealmID realm according to some user name format), attribute (select RealmID realm if some attributes listed in RealmRulesAttributes match the rules) or none (the realm is selected only if it is specified in some Clients.DefaultRealm entry or Realms.Default=1) ([Realm].[Realm Rules].[Realm matching rule]).
StripDomain If not zero and Type=username, ClearBox discards the domain part of a user name ([Realm].[Realm rules].[By domain name].[Strip off domain name]).
ChangeUserName If not zero, ClearBox returns new user name in Access-Accept if domain part was stripped off ([Realm].[Realm rules].[By domain name].[Return changed name in Access-Accept]).
Delimiter If Type=username, the string, such as @ or \\, that separates the domain part from the user name ([Realm].[Realm rules].[By domain name].[Domain delimiter]), NULL otherwise.
DomainSuffix If Type=username and the domain part is a suffix, the domain part of the user name, like domain.com in user@domain.com ([Realm].[Realm rules].[By domain name].[Domain]), NULL otherwise.
DomainPrefix If Type=username and the domain part is a prefix, the domain part of the user name, like DOMAIN in NTDOMAIN\\WINUSER ([Realm].[Realm rules].[By domain name].[Domain + Domain name comes first]), NULL otherwise.

RealmRulesAttributes

The table may contain multiple attributes for each existing Realms.ID.
ID Counter.
RealmID References an appropriate realm from the Realms table by the Realms.ID field.
[Name] Name of the RADIUS attribute ([Realm].[Realm rules].[By RADIUS attributes].[Attribute]).
[Value] Value of the attribute, used if CompareType=equal, notequal, like or regexp ([Realm].[Realm rules].[By RADIUS attributes].[Value]).
Required If not zero, a realm RealmID may be matched to a request only if this attribute matches the conditions. If zero, a realm may be matched due to other attributes matching ([Realm].[Realm rules].[By RADIUS attributes].[Required to match the realm]).
CompareType Defines how the attribute is compared to attributes in an access request. May be equal (attribute values should be equal to match), notequal (attribute values should not be equal to match), present (attribute should be in the request to match), notpresent (attribute should not be in the request to match), like (attribute value in the request should start with the [Value] field), regexp ([Value] is a regular expression) ([Realm].[Realm rules].[By RADIUS attributes].[Comparison type]).
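As an added example (not ClearBox code), the realm selection described by the Realms, RealmRules and RealmRulesAttributes tables, worked through in Python over constructed rows: realms are walked in Priority order, a username rule strips the domain when StripDomain is set, an attribute rule applies the CompareType semantics above, and a Type=none realm is only reached through the client's DefaultRealm or Realms.Default. Two points are assumptions, not statements of the manual: domain comparison is case-insensitive, and the client's DefaultRealm is tried before the realm with Default=1.

```python
import re

# Constructed rows mirroring Realms, RealmRules and RealmRulesAttributes
# (dicts stand in for table rows; realm IDs are names here for readability).
REALMS = [
    {"ID": "corp",   "Default": 0, "Priority": 10},
    {"ID": "guests", "Default": 0, "Priority": 20},
    {"ID": "catch",  "Default": 1, "Priority": 99},
]
REALM_RULES = {
    "corp":   {"Type": "username", "Delimiter": "\\", "DomainPrefix": "CORP",
               "DomainSuffix": None, "StripDomain": 1},
    "guests": {"Type": "attribute"},
    "catch":  {"Type": "none"},
}
REALM_RULES_ATTRIBUTES = [
    {"RealmID": "guests", "Name": "NAS-Identifier", "Value": "guest-",
     "CompareType": "like", "Required": 1},
    {"RealmID": "guests", "Name": "Called-Station-Id", "Value": None,
     "CompareType": "present", "Required": 0},
]


def attribute_matches(rule, request):
    """Evaluate one RealmRulesAttributes row against the request's attributes."""
    value = request.get(rule["Name"])
    kind = rule["CompareType"]
    if kind == "present":
        return value is not None
    if kind == "notpresent":
        return value is None
    if value is None:
        return False
    if kind == "equal":
        return value == rule["Value"]
    if kind == "notequal":
        return value != rule["Value"]
    if kind == "like":
        return value.startswith(rule["Value"])
    if kind == "regexp":
        return re.search(rule["Value"], value) is not None
    raise ValueError("unknown CompareType " + kind)


def username_rule_matches(rule, username):
    """Return the user name to authenticate (domain stripped if StripDomain=1)
    when the domain rule matches, else None. Case-insensitive domain
    comparison is an assumption, not something the manual states."""
    delim = rule["Delimiter"]
    if rule.get("DomainPrefix"):
        prefix = rule["DomainPrefix"] + delim
        if username.lower().startswith(prefix.lower()):
            return username[len(prefix):] if rule["StripDomain"] else username
        return None
    if rule.get("DomainSuffix"):
        suffix = delim + rule["DomainSuffix"]
        if username.lower().endswith(suffix.lower()):
            return username[:-len(suffix)] if rule["StripDomain"] else username
        return None
    return None


def select_realm(username, request, client_default_realm=None):
    """Walk the realms in ascending Priority and return (realm ID, user name).
    Assumed precedence: matching rules, then the client's DefaultRealm, then
    the realm with Default=1. Required attribute rows must all match, and at
    least one row must match, for an attribute-typed realm to be chosen."""
    for realm in sorted(REALMS, key=lambda r: r["Priority"]):
        rule = REALM_RULES[realm["ID"]]
        if rule["Type"] == "username":
            stripped = username_rule_matches(rule, username)
            if stripped is not None:
                return realm["ID"], stripped
        elif rule["Type"] == "attribute":
            rows = [a for a in REALM_RULES_ATTRIBUTES if a["RealmID"] == realm["ID"]]
            results = [attribute_matches(a, request) for a in rows]
            required_ok = all(ok for a, ok in zip(rows, results) if a["Required"])
            if rows and required_ok and any(results):
                return realm["ID"], username
    if client_default_realm is not None:
        return client_default_realm, username
    for realm in REALMS:
        if realm["Default"]:
            return realm["ID"], username
    return None, username


if __name__ == "__main__":
    print(select_realm("CORP\\alice", {}))
    print(select_realm("bob", {"NAS-Identifier": "guest-ap1"}))
```

Because the order of realms is significant, a realm with a loose attribute rule placed at a low Priority value will capture requests meant for later realms; keep the most specific rules first.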

RealmAuthentication

There should exist only one record per realm. Each record describes authentication rules for a RealmID realm.
ID Counter.
RealmID References an appropriate realm from the Realms table by the Realms.ID field.
IgnoreAuthentication If not zero, ClearBox doesn't authenticate the realm users ([Realm].[Authentication].[Ignore user name and password]).
MaxSessions If not zero and Realms.StateServerID points to a valid state server, then the number of concurrent sessions for all realm users is limited by this number ([Realm].[Authentication].[Maximum number of concurrent sessions]).
AuthenticationSource Can be proxyto (authenticate against a remote RADIUS server; remote RADIUS servers are defined in the RealmProxyHosts table), database (against a data source), ntsam (against a Windows domain/workgroup).
Domain If AuthenticationSource=ntsam, it is the authentication Windows domain or workgroup name ([Realm].[Authentication].[Authenticate against Windows domain].[Domain]), NULL otherwise.
LocalGroup If AuthenticationSource=ntsam and CheckGroup=1, ClearBox checks the membership of a user in this local domain group ([Realm].[Authentication].[Authenticate against Windows domain].[Group name + Local group]), NULL otherwise.
GlobalGroup If AuthenticationSource=ntsam and CheckGroup=1, ClearBox checks the membership of a user in this global domain group ([Realm].[Authentication].[Authenticate against Windows domain].[Group name + Global group]), NULL otherwise.
CheckGroup If not zero and AuthenticationSource=ntsam, ClearBox should check group membership ([Realm].[Authentication].[Authenticate against Windows domain].[Check group membership]), NULL otherwise.
CheckDialinPermission If not zero and AuthenticationSource=ntsam, ClearBox checks the user's permission to make dial-in calls ([Realm].[Authentication].[Authenticate against Windows domain].[Check dial-in permission]), NULL otherwise.
CheckLogonHours If not zero and AuthenticationSource=ntsam, ClearBox checks the allowed logon hours for the user ([Realm].[Authentication].[Authenticate against Windows domain].[Check against allowed logon hours]), NULL otherwise.
ServerName If CheckGroup=1 or CheckDialinPermission=1 or CheckLogonHours=1, this should be set to the domain controller name ([Realm].[Authentication].[Authenticate against Windows domain].[Server name]), NULL otherwise.
DataSourceID If AuthenticationSource=database, references an appropriate data source from the DataSources table by the DataSources.ID field ([Realm].[Authentication].[Authenticate against SQL database].[Data source ID]), NULL otherwise.
CaseSensitive If not zero and AuthenticationSource=database, password checks performed by ClearBox are case-sensitive ([Realm].[Authentication].[Authenticate against SQL database].[Case sensitive passwords]).
PasswordSelectQuery If AuthenticationSource=database, ClearBox runs this query to get a user password from the DataSourceID data source ([Realm].[Authentication].[Authenticate against SQL database].[Password selection query]), NULL otherwise.
PasswordCheckQuery If AuthenticationSource=database, ClearBox runs this query to check a user password against the DataSourceID data source ([Realm].[Authentication].[Authenticate against SQL database].[Password check query]), NULL otherwise.
ProxyPreAuthen If AuthenticationSource=proxyto and ProxyPreAuthen=1, ClearBox runs ProxyPreauthenQuery SQL command to authenticate a request before forwarding it to a remote server ([Realm].[Authentication].[Authenticate against remote RADIUS servers].[Use pre-authentication before forwarding]).
ProxyPreauthenQuery If AuthenticationSource=proxyto and ProxyPreAuthen=1, ClearBox issues this SQL command to decide whether to forward the request or reject it immediately ([Realm].[Authentication].[Authenticate against remote RADIUS servers].[SQL command]), NULL otherwise.
PreauthenDatasource If AuthenticationSource=proxyto and ProxyPreAuthen=1, PreauthenDatasource references a data source from DataSources table by the DataSources.ID to run the ProxyPreauthenQuery command ([Realm].[Authentication].[Authenticate against remote RADIUS servers].[Data source ID]), NULL otherwise.

RealmAllowedProtocols

The rows of this table list the allowed authentication protocols for a RealmID realm. If nothing is listed, all protocols are allowed.
ID Counter.
RealmID References an appropriate realm from the Realms table by the Realms.ID field.
AllowedAuthenProtocol May be pap, chap, mschap, mschap2 ([Realm].[Authentication].[Allowed protocols]).

RealmAuthorization

There should exist only one row per each realm. Each record describes authorization rules for a RealmID realm.
ID Counter.
RealmID References an appropriate realm from the Realms table by the Realms.ID field.
DataSourceID References an appropriate data source from the DataSources table by the DataSources.ID field. Note that ClearBox working in 'meta mode' doesn't support queries to different data sources in one realm.
RejectQuery SQL command which loads RADIUS attribute names and values into the Reject authorization list ([Realm].[Authorization].[Black list].[Attributes by database query].[Query]).
CheckQuery SQL command which loads RADIUS attribute names and values into the Check authorization list ([Realm].[Authorization].[Check list].[Attributes by database query].[Query]).
ResponseQuery SQL command which loads RADIUS attribute names and values into the Response authorization list ([Realm].[Authorization].[Response list].[Attributes by database query].[Query]).
RejectResponseQuery SQL command which loads RADIUS attribute names and values into the Reject-Response authorization list ([Realm].[Authorization].[Reject-Response list].[Attributes by database query].[Query]).

RealmAccounting

There should exist only one record per realm. Each record describes accounting rules for a RealmID realm.
ID Counter.
RealmID References an appropriate realm from the Realms table by the Realms.ID field.
EnableDB If not zero, ClearBox logs accounting data to the DataSourceID database ([Realm].[Accounting].[Log packets to database]).
EnableProxy If not zero, ClearBox forwards accounting requests to the remote RADIUS server specified in the RealmProxyHosts table ([Realm].[Accounting].[Proxy-forward accounting packets to these remote RADIUS servers]).
EnableCSV If not zero, ClearBox logs accounting data to a CSV log file ([Realm].[Accounting].[Log packets to file]).
ProcessLocally If not zero and EnableProxy=1, ClearBox will honor the EnableDB and EnableCSV flags and process forwarded requests locally ([Realm].[Accounting].[Proxy-forward accounting packets to these remote RADIUS servers].[Process forwarded packets locally]).
DataSourceID If EnableDB=1, references an appropriate data source from the DataSources table by the DataSources.ID field ([Realm].[Accounting].[Log packets to database].[Data source ID]), NULL otherwise.
InsertQuery If EnableDB=1, ClearBox runs this SQL command to process accounting data, placing it into a database table of the DataSourceID data source ([Realm].[Accounting].[Log packets to database].[Use commands]), NULL otherwise.
FileName If EnableCSV=1, specifies the name of the file (without extension) where accounting data is logged ([Realm].[Accounting].[Log packets to file].[Logging options].[File name]), NULL otherwise.
FileExtension If EnableCSV=1, specifies the extension of the file where accounting data is logged ([Realm].[Accounting].[Log packets to file].[Logging options].[File extension]), NULL otherwise.
RollOver If EnableCSV=1, specifies how often ClearBox should switch to a new log file. Can have the following values: hourly, daily, weekly, monthly, onsize (create a new log file when the current one's size exceeds MaxFileSize) ([Realm].[Accounting].[Log packets to file].[Logging options].[Rollover]), NULL otherwise.
AutoFlush If not zero and EnableCSV=1, ClearBox writes the received accounting data to disk immediately, without any delay ([Realm].[Accounting].[Log packets to file].[Logging options].[Auto flush data]), NULL otherwise.
NamePattern If EnableCSV=1, may specify a pattern of the suffix appended to the log file name according to the current date ([Realm].[Accounting].[Log packets to file].[Logging options].[Name pattern]), NULL otherwise.
MaxFileSize If EnableCSV=1 and RollOver=onsize, specifies the maximum size of the log file ([Realm].[Accounting].[Log packets to file].[Logging options].[Maximum file size]), NULL otherwise.
Delimiter If EnableCSV=1, specifies the character which separates values in the log file ([Realm].[Accounting].[Log packets to file].[Logging options].[Delimiter]), NULL otherwise.
LogEnumeratedNames If not zero and EnableCSV=1, ClearBox writes string aliases of numeric RADIUS attributes when it's possible ([Realm].[Accounting].[Log packets to file].[Logging options].[Write names of numeric attributes if possible]).
LogAttributeNames If not zero and EnableCSV=1, ClearBox writes the names of the logged attributes on the first line of the log file ([Realm].[Accounting].[Log packets to file].[Logging options].[Place attribute names in the first line of each file]).

RealmAccountingStatus

The rows of this table define which accounting packets are logged according to the rules specified in RealmAccounting.
RealmID References an appropriate realm from the Realms table by the Realms.ID field.
AcctStatusType Accounting status type (1 for Start, 2 for Stop, 3 for Interim Accounting).
EnableForProxy If not zero, this AcctStatusType may be proxy-forwarded to a remote RADIUS server specified in RealmProxyHosts ([Realm].[Accounting].[Proxy-forward accounting packets to these remote RADIUS servers].[Forwarded status types]).
EnableForDB If not zero, this AcctStatusType may be logged to the data source specified by RealmAccounting.DataSourceID ([Realm].[Accounting].[Log packets to database].[Logged status types]).
EnableForCSV If not zero, this AcctStatusType may be logged to the log file specified in RealmAccounting.FileName ([Realm].[Accounting].[Log packets to database].[Logged status types]).

RealmAccountingAttributes

Attribute names which should be logged to a CSV file (when RealmAccounting.EnableCSV=1). The attributes in each RealmID realm are sorted by the ID field and are logged in that order.
ID Counter.
RealmID References an appropriate realm from the Realms table by the Realms.ID field.
Attribute RADIUS attribute name ([Realm].[Accounting].[Log packets to file].[Logging options].[Logged attributes]).
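An added example (not ClearBox code) tying together the three accounting tables: the per-status-type decision of where an Accounting-Request goes (proxy, database, CSV file) from RealmAccounting and RealmAccountingStatus, and the CSV line layout controlled by Delimiter, LogAttributeNames, LogEnumeratedNames and the ID-ordered RealmAccountingAttributes rows. Rows and packets are constructed. The reading of ProcessLocally used here, that with EnableProxy=1 and ProcessLocally=0 a packet is only forwarded, is an interpretation of the flag's description above; the string aliases for Acct-Status-Type values are the standard RADIUS ones.

```python
import csv
import io

# Constructed rows for one realm, standing in for RealmAccounting,
# RealmAccountingStatus and RealmAccountingAttributes.
REALM_ACCOUNTING = {
    "EnableDB": 1, "EnableProxy": 1, "EnableCSV": 1, "ProcessLocally": 1,
    "Delimiter": ";", "LogAttributeNames": 1, "LogEnumeratedNames": 1,
}
# AcctStatusType: 1 = Start, 2 = Stop, 3 = Interim Accounting
REALM_ACCOUNTING_STATUS = [
    {"AcctStatusType": 1, "EnableForProxy": 1, "EnableForDB": 1, "EnableForCSV": 0},
    {"AcctStatusType": 2, "EnableForProxy": 1, "EnableForDB": 1, "EnableForCSV": 1},
    {"AcctStatusType": 3, "EnableForProxy": 0, "EnableForDB": 0, "EnableForCSV": 1},
]
# Deliberately out of order: the page says attributes are logged sorted by ID.
REALM_ACCOUNTING_ATTRIBUTES = [
    {"ID": 3, "Attribute": "Acct-Session-Time"},
    {"ID": 1, "Attribute": "User-Name"},
    {"ID": 2, "Attribute": "Acct-Status-Type"},
]
# Standard RADIUS aliases for the numeric Acct-Status-Type values.
ACCT_STATUS_NAMES = {1: "Start", 2: "Stop", 3: "Interim-Update"}


def accounting_targets(acct_status_type, realm=REALM_ACCOUNTING,
                       status=REALM_ACCOUNTING_STATUS):
    """Return the destinations ('proxy', 'db', 'csv') for one Accounting-Request.
    Interpretation used: with EnableProxy=1 and ProcessLocally=0 the packet is
    only forwarded and the EnableDB/EnableCSV flags are not honored."""
    row = next((s for s in status if s["AcctStatusType"] == acct_status_type), None)
    if row is None:
        return set()
    targets = set()
    if realm["EnableProxy"] and row["EnableForProxy"]:
        targets.add("proxy")
    local_allowed = not realm["EnableProxy"] or realm["ProcessLocally"]
    if local_allowed:
        if realm["EnableDB"] and row["EnableForDB"]:
            targets.add("db")
        if realm["EnableCSV"] and row["EnableForCSV"]:
            targets.add("csv")
    return targets


def csv_log(packets, realm=REALM_ACCOUNTING, attrs=REALM_ACCOUNTING_ATTRIBUTES):
    """Render accounting packets as the CSV log described by the Logging options
    fields: ID-ordered attribute columns, optional header line, optional string
    aliases for numeric attributes, configurable delimiter."""
    order = [a["Attribute"] for a in sorted(attrs, key=lambda a: a["ID"])]
    buf = io.StringIO()
    writer = csv.writer(buf, delimiter=realm["Delimiter"], lineterminator="\n")
    if realm["LogAttributeNames"]:
        writer.writerow(order)
    for pkt in packets:
        row = []
        for name in order:
            value = pkt.get(name, "")
            if name == "Acct-Status-Type" and realm["LogEnumeratedNames"]:
                value = ACCT_STATUS_NAMES.get(value, value)
            row.append(value)
        writer.writerow(row)
    return buf.getvalue()


if __name__ == "__main__":
    for status_type in (1, 2, 3):
        print(status_type, sorted(accounting_targets(status_type)))
    print(csv_log([{"User-Name": "alice", "Acct-Status-Type": 2,
                    "Acct-Session-Time": 120}]), end="")
```

Note that a status type with no row in RealmAccountingStatus gets no destination at all, which is an easy way to silently lose Stop records; a quick check that every realm has rows for 1, 2 and 3 is worth adding to any configuration audit.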

RealmProxyHosts

Each record describes a host where authentication or accounting requests are forwarded to, if RealmAuthentication.AuthenticationSource=proxyto or RealmAccounting.EnableProxy=1.
ID Counter.
RealmID References an appropriate realm from the Realms table by the Realms.ID field.
HostID References a remote RADIUS server from the Hosts table by the Hosts.ID field ([Realm].[Authentication].[Authenticate against remote RADIUS servers]/[Realm].[Accounting].[Proxy-forward accounting packets to these remote RADIUS servers]).
Authen If Authen=1, HostID is included in the list of RADIUS servers for proxy authentication; otherwise HostID points to a remote accounting RADIUS server.

RealmAuthenLogger

There should exist only one record per realm. Each record describes authentication packets logging options for a RealmID realm.
ID Counter.
RealmID References an appropriate realm from the Realms table by the Realms.ID field.
LogAccept If set to 1, ClearBox logs Access-Request + Access-Accept packets attributes with AcceptQuery SQL command ([Realm].[Logging packets].[Issue this SQL command to log Access-Accept authentication transactions]).
LogReject If set to 1, ClearBox logs Access-Request + Access-Reject packets attributes with RejectQuery SQL command ([Realm].[Logging packets].[Issue this SQL command to log Access-Reject authentication transactions]).
LogProxied If set to 1, ClearBox logs attributes from proxy-forwarded packets (depending on LogAccept and LogReject flags) ([Realm].[Logging packets].[Log proxy-forwarded requests/responses]).
AcceptQuery If LogAccept=1, this SQL command is invoked to log RADIUS attributes ([Realm].[Logging packets].[Issue this SQL command to log Access-Accept authentication transactions].[Access-Accept command]).
RejectQuery If LogReject=1, this SQL command is invoked to log RADIUS attributes ([Realm].[Logging packets].[Issue this SQL command to log Access-Reject authentication transactions].[Access-Reject command]).
DataSourceID References an appropriate data source from the DataSources table by the DataSources.ID field ([Realm].[Logging packets].[Data source ID]).
LogSyslog If set to 1, ClearBox logs request packet attributes to a syslog server specified in SyslogHost ([Realm].[Logging packets].[Enable Syslog logging]).
SyslogPriority Possible values are: 0 (system is unusable), 1 (action must be taken immediately), 2 (critical conditions), 3 (error conditions), 4 (warning conditions), 5 (normal but significant condition), 6 (informational), 7 (debug-level messages) ([Realm].[Logging packets].[Enable Syslog logging].[Message priority]).
SyslogFacility Possible values are: 0 (kernel messages), 1 (random user-level messages), 2*8 (mail system), 3*8 (system daemons), 4*8 (security/authorization messages), 5*8 (messages generated internally by syslogd), 6*8 (line printer subsystem), 7*8 (network news subsystem), 8*8 (UUCP subsystem), 9*8 (clock daemon), 10*8 (security/authorization messages (private)), 11*8 (ftp daemon), 12*8 (NTP subsystem), 16*8 (reserved for local use (local 0)), 17*8 (reserved for local use (local 1)), 18*8 (reserved for local use (...)), 19*8 ... 23*8 (reserved for local use) ([Realm].[Logging packets].[Enable Syslog logging].[Facility]).
SyslogHost IP address of a syslog daemon ([Realm].[Logging packets].[Enable Syslog logging].[Syslog server IP address]).
SyslogFormat Specifies the format of messages sent to the syslog daemon specified in SyslogHost. It may use special keys like $r, $c and so on, RADIUS attributes in common format (e.g. {Calling-Station-Id}) and $a to denote the Reply-Message attribute value for an Access-Reject or 'Successful Auth' for Access-Accept packets ([Realm].[Logging packets].[Enable Syslog logging].[Message string]).
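An added example, not ClearBox code, showing how the SyslogFacility, SyslogPriority and SyslogFormat fields combine into the message a SIEM will receive: the facility is stored already multiplied by 8, so the syslog PRI value is simply facility + priority, and the message string expands {Attribute} references and the $a key. Only the keys documented above are expanded; $r and $c are left alone because the page does not define them. The RealmAuthenLogger row and the request are constructed.

```python
import re

# Constructed RealmAuthenLogger row: facility stored as N*8 and priority 0..7,
# as the value lists above describe.
AUTHEN_LOGGER = {
    "LogSyslog": 1,
    "SyslogPriority": 6,        # informational
    "SyslogFacility": 4 * 8,    # security/authorization messages
    "SyslogHost": "192.0.2.50",
    "SyslogFormat": "auth user={User-Name} nas={NAS-IP-Address} result=$a",
}


def syslog_pri(row):
    """PRI = facility * 8 + severity; the table already holds facility * 8."""
    return row["SyslogFacility"] + row["SyslogPriority"]


def render_message(row, request, accepted, reply_message=None):
    """Expand {Attribute} references and the $a key of SyslogFormat.
    $a becomes 'Successful Auth' for Access-Accept and the Reply-Message value
    for Access-Reject (empty when the reject carried no Reply-Message, an
    assumption). $r, $c and other keys are passed through unchanged."""
    text = row["SyslogFormat"]
    text = text.replace("$a", "Successful Auth" if accepted else (reply_message or ""))
    return re.sub(r"\{([A-Za-z0-9-]+)\}",
                  lambda m: str(request.get(m.group(1), "")), text)


def syslog_line(row, request, accepted, reply_message=None):
    """The wire form: '<PRI>' followed by the rendered message."""
    if not row["LogSyslog"]:
        return None
    return "<%d>%s" % (syslog_pri(row),
                       render_message(row, request, accepted, reply_message))


if __name__ == "__main__":
    req = {"User-Name": "alice", "NAS-IP-Address": "192.0.2.10"}
    print(syslog_line(AUTHEN_LOGGER, req, accepted=True))
    print(syslog_line(AUTHEN_LOGGER, req, accepted=False, reply_message="Bad password"))
```

Because SyslogFormat substitutes attribute values verbatim, a User-Name chosen by the supplicant ends up inside the syslog message; parsers on the receiving side should treat the expanded fields as untrusted text rather than as structure.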

ConfigurationModifications

Contains the date of configuration modifications.
ID Counter.
LastModified Add a new row with a current date into this field to tell ClearBox to reload the configuration.

© 2001-2007 XPerience Technologies. www.xperiencetech.com