RADIUS Realms
ClearBox Server treats a realm as a context in which all RADIUS
requests are handled, or in other words as a set of rules of how to
process incoming requests for authentication and accounting.
Different requests from different clients may be processed in different ways. When
a request is received from a RADIUS client, ClearBox Server looks
through the list of configured realms to pick the one that matches
the request according to the realm-defined rules.
The rules can be defined as:
- 'If this request is from this client, then use this
realm';
- 'If a user name found in a request consists of a name itself
separated from a domain name by the at sign (@), the slash (/) or
any other character';
- 'If some set of attributes is present or not present in the
request, or is equal or not equal to a specific value'.
When none of these conditions is satisfied, the server looks at
the client's default realm. If it's not
set, then the server looks through the list of realms to find the
first one marked as the default realm. If none is default, then
the request is rejected by the server. That's why it's desirable to
design realms so that there's always a realm matching a request.
Note that if several realms match the request, then the first of
them is selected, so their order in the list of realms is
significant.
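The selection order described above, written out as an added example (this is not ClearBox Server code; every name, the request shape, the sample realms and the name<sep>domain user-name form are assumptions made for illustration):

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Hypothetical names throughout; a request is modelled as
# {"client": address, "attrs": {attribute name: value}} (constructed shape).

@dataclass
class Realm:
    name: str
    rule: Optional[Callable[[dict], bool]] = None  # static selection rule
    is_default: bool = False

def by_client(addr):
    return lambda req: req["client"] == addr

def by_domain(domain, sep="@"):
    # Assumption: name<sep>domain, domain compared case-insensitively.
    def rule(req):
        name, found, dom = req["attrs"].get("User-Name", "").rpartition(sep)
        return bool(found and name) and dom.lower() == domain.lower()
    return rule

def by_attribute(attr, value):
    return lambda req: req["attrs"].get(attr) == value

def select_realm(realms, client_defaults, req):
    # 1. Static rules in list order: the first matching realm wins.
    for realm in realms:
        if realm.rule and realm.rule(req):
            return realm.name
    # 2. The default realm of the client that sent the request, if set.
    if client_defaults.get(req["client"]):
        return client_defaults[req["client"]]
    # 3. The first realm in the list marked as default.
    for realm in realms:
        if realm.is_default:
            return realm.name
    # 4. No realm at all: the request is rejected.
    return None

# Constructed sample configuration.
REALMS = [
    Realm("staff", by_domain("corp.example")),
    Realm("wifi", by_client("10.0.0.5")),
    Realm("guest", by_attribute("NAS-Port-Type", "Wireless-802.11")),
    Realm("fallback", is_default=True),
]
CLIENT_DEFAULTS = {"10.0.0.9": "guest"}

def pick(client, attrs, realms=REALMS):
    return select_realm(realms, CLIENT_DEFAULTS, {"client": client, "attrs": attrs})
```

A request from 10.0.0.5 for alice@corp.example matches both 'staff' and 'wifi' and lands in 'staff' because it is listed first; with the 'fallback' realm removed, an unmatched request from a client without a default realm returns None, the rejected case.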
Besides these static rules, ClearBox may issue an SQL command to
select a proper realm (so-called 'Dynamic realm rules').
After the server finds the realm for a request, it uses the realm
configuration to determine what to do with the request.
The realm specifies all aspects of request packet processing:
how to authenticate a user, what rules a request should match to be
accepted, how to log accounting data from the request, etc.
Start with defining realm selection rules at the 'Common'
tab. Select one of them and click 'Apply Changes' when
ready.
See how to configure a realm.
Next, define how users are authenticated on the appropriate
'Authentication' tab, then click 'Apply Changes'.
Fill in the necessary data on the 'Authorization' tab sheet
if you need to have packets rejected on some condition or to
include some attributes in the accept response message.
The 'Accounting' dialog allows you to select how the server will
store accounting records that it receives from RADIUS clients.
How to create a new realm:
1. Right-click the 'Realms' node in the left tree and select
'Add New Realm'.
2. Type the new realm name in place of the <new id> text.
3. Click 'Apply changes'.
© 2001-2007 XPerience Technologies. www.xperiencetech.com