Realm Authentication Settings
Each realm has its own authentication settings, which define how
users in that realm are authenticated.
Ignore user name and password. Check this option to skip user
authentication.
Maximum number of concurrent sessions. Setting this value to a number
greater than 0 makes the ClearBox server check that the number of
sessions established by a user does not exceed this threshold. The
value applies to every user authenticated within this realm. A valid
State server ID must be selected. If the number is zero, no check is
performed at the realm level.
State server ID. Select a configured state server from the list to
specify from which state server ClearBox takes the information about
concurrent user sessions.
Select new realm by inner user identity (for PEAP authentication).
In PEAP wireless authentication, a supplicant may send a fake user
name in the so-called 'outer' clear-text phase and send the real user
name only during the secure SSL-encrypted so-called 'inner'
authentication phase. Set this option if another realm should be
selected by the real user name sent through the inner secure channel.
Note that some realm must be configured with the 'By fully qualified
user name' rule activated and the 'Use this rule only for wireless
PEAP inner authentication' option set.
Click the button to configure which authentication protocols supported
by the ClearBox server are allowed in this realm. This is very
important for wireless authentication, as only mutually compatible
types should be chosen.
Available authentication databases:
Check the necessary methods in the first list, Simple protocols. All
these methods may be used in wired authentication, depending on client
capabilities.
The EAP protocols list includes the types prescribed by WPA/WPA2 and
supported by ClearBox. Check those which are supported by the wireless
clients in your wireless network. The order of types can be changed by
selecting a type and clicking Up or Down. The order is significant, as
ClearBox negotiates the types in this order, with the preferred
methods first in the list.
If PEAP is selected, its settings are displayed. The Tunneled
protocols list contains the authentication methods which may be used
inside the TLS channel established by PEAP. EAP-MS-CHAPv2 is
password-based, and ClearBox can authenticate users with it only when
SQL authentication is activated. EAP-TLS requires that each network
client has a digital certificate.
The Enable fast re-authentication option allows PEAP clients to
perform subsequent authentication negotiations much faster, as their
previous sessions are stored in the ClearBox cache and the tunneled
authentication is not performed at all.
Note that all of the strong wireless encryption protocols require the
RADIUS server certificate to be selected. Run the Certificates Wizard
to get it.
Remote RADIUS servers.
Select this authentication method to turn ClearBox into a RADIUS
proxy server and make it forward authentication requests to another
remote RADIUS server.
Click "+" button to add a server from the list of RADIUS
servers.
Click "-" to remove a server from the list.
Note that ClearBox doesn't send requests to all the servers in the
list simultaneously; instead it uses them in turn, moving on to the
next server when the current remote server has failed to reply
properly several times.
Click Proxy Policy to bring up the proxy filtering dialog. It defines
the rules applied to attributes and their values in the packets
forwarded to and/or received from a remote RADIUS server. You may add
or remove attributes, or change them or their values.
Changes in the forwarded request packet. This list
displays the policies for the packets forwarded to a remote
server.
Click '+' near the list to add a new rule.
Select Add this attribute to add a new RADIUS attribute
to the request packet. Select an attribute from the list and type
in its Value.
Select Remove this attribute to make ClearBox remove the
specified RADIUS attribute from a request packet, if it's present
there. Select an attribute from the list and type in its
Value. If Value is an empty string, all attributes
with the specified name and any value will be removed.
Select 'Change this attribute to' to make ClearBox replace one RADIUS
attribute in a request packet with another, if it's present there.
Select the source attribute from the list and type in its Value. If
Value is an empty string, all attributes with the specified name will
be replaced. Select the destination attribute and its value.
Say you've selected 'Change this attribute to', selected
'Service-Type' as the source attribute with an empty 'Value' field,
selected 'Service-Type' as the destination attribute and typed
'Framed' in the 'Value' box. This will make ClearBox always change any
value of the Service-Type attribute to Service-Type=Framed in the
Access-Request forwarded to a remote RADIUS server.
Changes in the remote server reply packet. This list
displays the policies applied to replies received from a remote
RADIUS server.
Click '+' near the list to add a new rule.
Select Add this attribute to add a new RADIUS attribute
to a response packet. Select an attribute from the list and type in
its Value.
Select Remove this attribute to make ClearBox remove the
specified RADIUS attribute from a response packet, if it's present
there. Select an attribute from the list and type in its
Value. If Value is an empty string, all attributes
with the specified name will be removed.
Select 'Change this attribute to' to make ClearBox replace one RADIUS
attribute in the response packet with another, if it's present there.
Select the source attribute from the list and type in its Value. If
Value is an empty string, all attributes with the specified name will
be replaced. Select the destination attribute and its value.
Say you've selected 'Change this attribute to', selected
'Service-Type' as the source attribute with an empty 'Value' field,
selected 'Service-Type' as the destination attribute and typed
'Framed' in the 'Value' box. This will make ClearBox always change any
value of the Service-Type attribute to Service-Type=Framed in the
Access-Accept forwarded by ClearBox to a RADIUS client.
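The following is an added example written for this page, not ClearBox's own code. It models the proxy policy described above as add / remove / change rules applied to the attributes of a forwarded Access-Request and of the remote server's reply (including the Service-Type=Framed case from the text, where an empty source value matches any value), and models the "use the servers in turn" behaviour of the remote server list. The rule fields, the in-order application of the rules, the failure threshold and the packet representation (a list of (name, value) pairs) are assumptions of this illustration.

```python
# Added example (not ClearBox code): proxy policy rules and server failover.
from dataclasses import dataclass
from typing import List, Optional, Tuple

Attr = Tuple[str, str]


@dataclass
class Rule:
    action: str                      # "add", "remove" or "change"
    name: str                        # (source) attribute name
    value: str = ""                  # source value; "" means "any value"
    dst_name: Optional[str] = None   # destination attribute ("change" only)
    dst_value: Optional[str] = None  # destination value ("change" only)


def _matches(rule: Rule, attr: Attr) -> bool:
    """An empty rule value matches every value of the named attribute,
    as the Service-Type example in the text describes."""
    return attr[0] == rule.name and (rule.value == "" or attr[1] == rule.value)


def apply_policy(packet: List[Attr], rules: List[Rule]) -> List[Attr]:
    """Apply the rules in list order (assumption) and return the result."""
    out = list(packet)
    for rule in rules:
        if rule.action == "add":
            out.append((rule.name, rule.value))
        elif rule.action == "remove":
            out = [a for a in out if not _matches(rule, a)]
        elif rule.action == "change":
            out = [(rule.dst_name, rule.dst_value) if _matches(rule, a) else a
                   for a in out]
        else:
            raise ValueError(f"unknown action {rule.action!r}")
    return out


class ProxyPool:
    """Remote servers are used in turn, not simultaneously: move on to the
    next one only after the current server failed to reply `max_failures`
    times in a row (the threshold is a constructed value)."""

    def __init__(self, servers: List[str], max_failures: int = 3) -> None:
        self.servers = list(servers)
        self.max_failures = max_failures
        self.index = 0
        self.failures = 0

    def current(self) -> str:
        return self.servers[self.index]

    def record(self, replied: bool) -> None:
        if replied:
            self.failures = 0
            return
        self.failures += 1
        if self.failures >= self.max_failures:
            self.index = (self.index + 1) % len(self.servers)
            self.failures = 0


def demo_request() -> List[Attr]:
    """Constructed Access-Request: rewrite Service-Type to Framed (the
    example from the text), drop NAS-IP-Address and add a Proxy-State."""
    request = [("User-Name", "john"), ("Service-Type", "Login"),
               ("NAS-IP-Address", "192.0.2.10")]
    rules = [Rule("change", "Service-Type", "", "Service-Type", "Framed"),
             Rule("remove", "NAS-IP-Address"),
             Rule("add", "Proxy-State", "realm=MySuperRealm")]
    return apply_policy(request, rules)


def demo_reply() -> List[Attr]:
    """Constructed Access-Accept from the remote server: a remove rule with
    an empty value strips every Reply-Message regardless of its text."""
    reply = [("Service-Type", "Login"), ("Reply-Message", "hello"),
             ("Reply-Message", "welcome"), ("Framed-Protocol", "PPP")]
    rules = [Rule("change", "Service-Type", "", "Service-Type", "Framed"),
             Rule("remove", "Reply-Message")]
    return apply_policy(reply, rules)


if __name__ == "__main__":
    print(demo_request())
    print(demo_reply())
```

Because rules are applied in order, a 'change' followed by a 'remove' on the same attribute name removes the rewritten attribute as well; keep that in mind when reviewing a policy that both rewrites and strips attributes.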
For wireless authentication, there is a forwarding option:
- Forward all requests to an EAP-enabled RADIUS server. In this case
ClearBox will not start an EAP conversation but will forward all
requests blindly to the remote server.
- Request for user credentials in PEAP/MS-CHAPv2 phase. If this is
selected, ClearBox will establish a PEAP session with the wireless
client and, when the user password needs to be validated, send a
plain MS-CHAPv2 request to a remote RADIUS server, which therefore
need not support PEAP.
Use pre-authentication before forwarding. Check this option to
authenticate requests before forwarding them to the remote RADIUS
server. If a request is rejected at this stage, it is not forwarded.
Data Source ID. Select from the list the data source to which the SQL
command is sent for the authentication.
SQL command. Type in the command here; it should select exactly one
row with one integer field:
| Field | Meaning | Type |
| 1 | Authentication result | integer |
When this value is 0, pre-authentication is passed. Any positive
number is a 'reject code' which may be used as the
$h key in the Reject-Response list. The command
may include special keys ($u, $r, $c, $n, $s) and any
request attributes (read more).
Windows NT/2000 domain or workgroup.
Select it if your user accounts are already stored in a Windows
domain, on a workstation or in Windows Active Directory. ClearBox can
authenticate users against Windows domains, groups and workstations.
Domain [Mandatory]. Specify the domain or workstation name in which a
user is authenticated.
Check group membership. Check this option to make the
server check that a user is a member of the group specified in
Group name. ClearBox can check local workstation groups,
local and global domain groups.
Group name. Type in the group name in this box.
Server name [Mandatory for group membership checks]. Specifies the
machine name where the members of the specified group are stored:
- Leave this box empty if you don't need to check group membership
or if a target group is located on the local machine where ClearBox
is installed.
- Input the domain controller name here if you need to check a
domain group membership.
- Input a workstation name here if you need to check its local
group membership.
Select Global group or Local group option
depending on what type of group should be checked.
Check dial-in permission. Check this option if ClearBox should verify
that 'Dial-in permission' is turned on in the user profile. If this
option is turned on, 'Server name' should be set to a domain
controller or local workstation name.
Check against allowed logon hours. A user profile may contain
information on the hours during which dial-in activity is allowed.
Check this option to restrict access time to these hours. If this
option is turned on, 'Server name' should be set to a domain
controller or local workstation name.
SQL database.
Choose this option to authenticate users against an external
relational SQL-compliant database. ClearBox can use any existing
database structure, so no database redesign is needed.
Data source ID. Select one of the data sources you've configured.
Case sensitive password. Check this option if you use the Password
selection query (see below) and user passwords are case-sensitive.
This applies to PAP passwords only; all other passwords are always
case-sensitive.
Reject if user name contains any of these symbols. Check this option
and type in the symbols which are not allowed in user names.
Typically it's the quote sign (') which violates SQL syntax rules.
The symbols are input as a single string, with no separators.
Password encryption. Specifies the encryption form in which passwords
are stored in the database. In the most common cases passwords are
not encrypted (clear text in the list), but there are options for
MD5, SHA1 and MD4 hashed passwords. By default they use hexadecimal
formatting (e.g. a9254daff570b65a94cfbe0277cc11a5), but there is also
an option for Base64-formatted password hashes.
ClearBox uses SQL commands of two types for user authentication
against a database:
Password selection query. Input here an SQL command that retrieves
the user password. It is mandatory when authenticating users with
CHAP, MS-CHAP and other encrypted passwords. The command should
return either no row or exactly one row, with a) one string field
holding the user password or b) a positive integer hint value. This
value may be used in the Reject list as the $h key.
| Field | Meaning | Type |
| 1 | User password/reject hint | string/integer |
You may use special keys ($u, $r, $c, $n, $s) in the
command string and any request attributes (read more).
For example, if you configure the query <SELECT Password FROM
Users WHERE Username='$u' AND CurrentBallance>0 AND
UserRealm='$r' and {Service-Type}=1> in the realm
'MySuperRealm', then on reception of an access request with user
name 'john' it's executed as <SELECT Password FROM Users
WHERE Username='john' AND CurrentBallance>0 AND
UserRealm='MySuperRealm' and 1=1>.
If no row is returned, if the passwords don't match, or if a number
is returned, the user is rejected.
Password check query. You may prefer to use another type of query to
check the user's password. While the previously described command
returns a password, this 'check' query checks the password as it is
passed to the server. The query can be used for PAP passwords only,
as only then is the password available as clear text.
Besides the special keys $u, $r, $c, $n, $s and RADIUS attributes,
you may use $p to substitute the password from the request into the
command string. The query should return no rows to reject
authentication, or one row consisting of exactly one numeric value.
If it is 0 (zero), authentication is accepted, and rejected
otherwise. A positive number is a special hint (denoted as the $h
key) which may be used in further processing (e.g. in the Reject
list).
| Field | Meaning | Type |
| 1 | 0 to accept, >0 to reject | integer |
Command sample : <SELECT 0 FROM Users WHERE Username='$u'
AND Password='$p' AND Enabled=true AND (MaxCurrentSessions=0 OR
MaxCurrentSessions<$s) >.
Important Note. Only one of these queries is used by ClearBox Server
to authenticate a request. The Password selection query is required
for CHAP, MS-CHAP, MS-CHAP2 and EAP-MD5 authentication, while both
command types work for PAP. If both of them are set, the Password
selection query is used for PAP requests.
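The following is an added example written for this page, not ClearBox's own code. It works through the three SQL commands described on this page: the pre-authentication command (0 passes, a positive number is a reject code usable as $h), the Password selection query (string result compared with the PAP password according to the Password encryption setting, integer result treated as a reject hint) and the Password check query (0 accepts, anything else rejects), with the selection query taking precedence for PAP as the Important Note states. Assumed: $u expands to the user name, $r to the realm, $s to the current session count, $p to the PAP password and {Attribute} to a request attribute value, all as plain-text substitution; the "Reject if user name contains any of these symbols" check is applied to the user name before the command text is built, as on the page it covers only the user name. The Users table, its rows, the realm name and the reject code 7 are constructed; the check query uses Enabled=1 rather than Enabled=true to stay portable across SQLite versions.

```python
# Added example (not ClearBox code): SQL pre-authentication, password
# selection and password check commands run against a constructed table.
import base64
import hashlib
import re
import sqlite3
from typing import Optional, Tuple, Union

FORBIDDEN_SYMBOLS = "'"   # constructed setting: the quote sign is not allowed

SELECT_QUERY = ("SELECT Password FROM Users WHERE Username='$u' AND "
                "CurrentBallance>0 AND UserRealm='$r' AND {Service-Type}=1")
CHECK_QUERY = ("SELECT 0 FROM Users WHERE Username='$u' AND Password='$p' AND "
               "Enabled=1 AND (MaxCurrentSessions=0 OR MaxCurrentSessions<$s)")
PREAUTH_COMMAND = ("SELECT CASE WHEN CurrentBallance>0 THEN 0 ELSE 7 END "
                   "FROM Users WHERE Username='$u'")


def expand(template: str, keys: dict, attrs: dict) -> str:
    """Plain-text substitution of $-keys and {Attribute} references, the way
    the documentation's example turns {Service-Type}=1 into 1=1."""
    text = re.sub(r"\$([a-z])", lambda m: str(keys[m.group(1)]), template)
    return re.sub(r"\{([A-Za-z0-9-]+)\}", lambda m: str(attrs[m.group(1)]), text)


def run_command(conn: sqlite3.Connection, sql: str) -> Union[None, int, str]:
    """Return the single field of the single row, or None if no row came back."""
    rows = conn.execute(sql).fetchall()
    if not rows:
        return None
    if len(rows) != 1 or len(rows[0]) != 1:
        raise ValueError("command must return exactly one row with one field")
    return rows[0][0]


def password_matches(stored: str, supplied: str, encoding: str) -> bool:
    """Compare a PAP password with the stored value: 'clear', or
    '<md5|sha1>-<hex|base64>' as in the Password encryption setting."""
    if encoding == "clear":
        return stored == supplied
    algo, fmt = encoding.split("-")
    digest = hashlib.new(algo, supplied.encode("utf-8")).digest()
    if fmt == "hex":
        return stored.lower() == digest.hex()
    return stored == base64.b64encode(digest).decode("ascii")


def preauthenticate(conn, username: str, realm: str) -> Tuple[bool, Optional[int]]:
    """0 passes; any positive number is a reject code usable as $h.
    No row at all is treated as a reject without a code (assumption)."""
    if any(ch in username for ch in FORBIDDEN_SYMBOLS):
        return False, None
    code = run_command(conn, expand(PREAUTH_COMMAND, {"u": username, "r": realm}, {}))
    return (code == 0), (code if isinstance(code, int) else None)


def authenticate_pap(conn, username, realm, password, attrs, session_count,
                     select_query=None, check_query=None, encoding="clear"):
    """Return ('accept', None) or ('reject', hint). As the Important Note
    says, the selection query wins for PAP when both queries are configured."""
    if any(ch in username for ch in FORBIDDEN_SYMBOLS):
        return "reject", None
    keys = {"u": username, "r": realm, "s": session_count, "p": password}
    if select_query:
        result = run_command(conn, expand(select_query, keys, attrs))
        if result is None or isinstance(result, int):   # no row, or a reject hint
            return "reject", result
        ok = password_matches(result, password, encoding)
        return ("accept", None) if ok else ("reject", None)
    result = run_command(conn, expand(check_query, keys, attrs))
    if result is None or result != 0:
        return "reject", result
    return "accept", None


def make_db() -> sqlite3.Connection:
    """Constructed Users table; john's password is stored as an MD5 hex hash."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Username TEXT, Password TEXT, "
                 "CurrentBallance INTEGER, UserRealm TEXT, Enabled INTEGER, "
                 "MaxCurrentSessions INTEGER)")
    conn.executemany("INSERT INTO Users VALUES (?, ?, ?, ?, ?, ?)", [
        ("john", hashlib.md5(b"s3cret").hexdigest(), 10, "MySuperRealm", 1, 2),
        ("anna", "letmein", 0, "MySuperRealm", 1, 0),
    ])
    return conn


if __name__ == "__main__":
    db = make_db()
    print(preauthenticate(db, "anna", "MySuperRealm"))
    print(authenticate_pap(db, "john", "MySuperRealm", "s3cret", {"Service-Type": 1}, 1,
                           select_query=SELECT_QUERY, encoding="md5-hex"))
```

Because the keys are substituted as plain text, the forbidden-symbol check on the user name is what keeps a quote in a request from breaking the command; note that the page's check covers the user name only, so a deployment using the $p key in a check query should consider the same restriction for the password field.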
Generic LDAP server.
Choose this option to authenticate users against an LDAP-compliant directory.
LDAP server ID. Select one of the LDAP servers you've configured.
Select one of two available options:
Password is stored in clear text in the directory. Select
this option when a user password is stored in the directory as is,
with no encryption. It is a comparatively rarely used case, though
it is the only way to authenticate CHAP, MS-CHAP, etc.
passwords.
Search filter [Mandatory]. An expression in LDAP syntax used to find
the user password. The most typical filter is (cn=user name), i.e. a
search for an object whose common name equals the user name. You may
use the special keys ($u, $r, $c, $n, $s) in the filter string and
any request attributes (read more).
Password attribute [Mandatory]. Specify the attribute of the user
account object in which the password is stored.
Base DN [Mandatory]. Specify the root distinguished name
(DN) where search is performed from.
Search scope. Select an appropriate search scope.
Base: Search only the base entry specified by Base
DN; One level: search all entries in the first level
below the base entry specified by Base DN, excluding the
base entry; Subtree: search the base entry and all entries
in the tree below the base specified by Base DN.
Password is stored encrypted in the directory.
Select this option when a user password is stored in the directory
encrypted or hashed. Only PAP passwords will work then, as in all
other cases (CHAP, MS-CHAP, ...) ClearBox needs a clear text
password.
User DN [Mandatory]. Specify the full user distinguished name template
used to authenticate a user. You may use the special keys ($u, $r,
$c, $n, $s) in the template string and any request attributes (read
more).
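The following is an added example written for this page, not ClearBox's own code. It covers the Search filter, Search scope and User DN settings described above: it expands the $u and $r keys in a filter template and a DN template, and it implements the Base / One level / Subtree scope rules against a constructed in-memory directory. The substituted values are escaped per RFC 4515 (filters) and RFC 4514 (DNs) so that a user name containing '(' or ',' stays a literal value; whether ClearBox itself escapes substituted values is not stated on the page and is an assumption of this illustration. No LDAP library is used, the entries are constructed, and the matcher supports only the (attr=value) equality filters the page's example uses.

```python
# Added example (not ClearBox code): LDAP filter/DN templates with escaping,
# and the three search scopes, evaluated against a constructed directory.
import re
from typing import Dict, List, Optional

Entry = Dict[str, str]

DIRECTORY: List[Entry] = [   # constructed entries
    {"dn": "ou=people,dc=example,dc=com", "ou": "people"},
    {"dn": "cn=john,ou=people,dc=example,dc=com", "cn": "john", "userPassword": "s3cret"},
    {"dn": "cn=o'brien (sales),ou=people,dc=example,dc=com",
     "cn": "o'brien (sales)", "userPassword": "pw2"},
    {"dn": "cn=john,ou=staff,ou=people,dc=example,dc=com", "cn": "john", "userPassword": "other"},
]


def escape_filter_value(value: str) -> str:
    """RFC 4515: escape the characters that are special inside a filter."""
    table = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
    return "".join(table.get(ch, ch) for ch in value)


def escape_dn_value(value: str) -> str:
    """RFC 4514: escape the characters that are special in a DN value."""
    out = "".join("\\" + ch if ch in ',+"\\<>;=' else ch for ch in value)
    if out[:1] in ("#", " "):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def expand(template: str, keys: Dict[str, str], escape) -> str:
    """Substitute $u, $r, ... with escaped values (escaping is an assumption)."""
    return re.sub(r"\$([a-z])", lambda m: escape(str(keys[m.group(1)])), template)


def in_scope(dn: str, base: str, scope: str) -> bool:
    """Base / One level / Subtree, as defined in the Search scope setting."""
    if dn == base:
        return scope in ("Base", "Subtree")
    if scope == "Base" or not dn.endswith("," + base):
        return False
    relative = dn[:-len(base) - 1]
    # one level: exactly one RDN between the entry and the base (split on unescaped commas)
    return scope == "Subtree" or len(re.split(r"(?<!\\),", relative)) == 1


def matches(entry: Entry, filt: str) -> bool:
    m = re.fullmatch(r"\((\w+)=(.*)\)", filt)
    if not m:
        raise ValueError("only (attr=value) filters are supported in this example")
    attr, value = m.groups()
    # compare in escaped form so no unescaper is needed here
    return attr in entry and escape_filter_value(entry[attr]) == value


def find_password(base: str, scope: str, filter_template: str,
                  password_attr: str, keys: Dict[str, str]) -> Optional[str]:
    """Clear-text password lookup: exactly one matching entry is required
    (rejecting on zero or several hits is an assumption of this example)."""
    filt = expand(filter_template, keys, escape_filter_value)
    hits = [e for e in DIRECTORY if in_scope(e["dn"], base, scope) and matches(e, filt)]
    return hits[0].get(password_attr) if len(hits) == 1 else None


def user_dn(template: str, keys: Dict[str, str]) -> str:
    """Build the DN from the User DN template for the 'encrypted' option
    (a simple bind with that DN and the PAP password is the assumed use)."""
    return expand(template, keys, escape_dn_value)


if __name__ == "__main__":
    base = "ou=people,dc=example,dc=com"
    print(find_password(base, "One level", "(cn=$u)", "userPassword", {"u": "john"}))
    print(find_password(base, "Subtree", "(cn=$u)", "userPassword", {"u": "john"}))
    print(user_dn("cn=$u,ou=people,dc=example,dc=com", {"u": "smith, john"}))
```

The Subtree lookup for 'john' returns nothing because two entries match; when a directory has the same common name at several levels, One level with the right Base DN is the scope that yields an unambiguous result.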
Click 'Apply Changes' when you have configured realm
authentication settings and want to save them.
© 2001-2007 XPerience Technologies. www.xperiencetech.com |