ClearBox Server is a 32-bit multi-threaded application
with low CPU & RAM usage.
It provides excellent performance and reliability on all
Windows platforms and makes use of your multi-processor equipment.
High Compatibility
ClearBox is fully compatible with all relevant RADIUS RFCs (2865, 2866, 2869, 3579, and 3580). It supports all types of RADIUS attributes and Vendor-Specific Attributes (RFCs 2548, 2867, 2868, 2869, 3162, and 4679), including non-standard attribute IDs, length fields, subfields, and much more. This means that ClearBox and your network equipment will always speak a common language, RADIUS.
Multiple Independent Policies
This feature allows ClearBox Server to perform various authentication, authorization, and accounting functions in any combination based on the defined rules. ClearBox can select a proper method:
a) by a user name;
b) by a RADIUS client address;
c) by a set of attribute matches (such as attribute presence, absence, equality, etc.).
This capability provides a flexible realm selection. Suppose you need to handle packets differently depending on the DNIS represented by Called-Station-ID. You can configure rules so that request messages are handled by different realms even if they differ in only one attribute value!
Multiple Data Sources Support
Allows different databases to be used concurrently for different purposes. Currently ClearBox supports MS SQL Server, MS Access, MySQL, Oracle and any SQL-based DBMS equipped with ODBC drivers or OLE DB providers.
Advanced RADIUS Proxy Server
ClearBox Server can act both as a target server serving RADIUS client requests and as a proxy server forwarding requests to remote RADIUS servers. ClearBox:
- performs transparent translation to properly pass passwords and message authenticators;
- uses a list of remote servers to create fault-tolerant, low-risk solutions, switching to another server from the list if the current one is not responding;
- adds, alters or omits attributes in packets transferred between ClearBox and a remote RADIUS server;
- allows accounting requests to be both forwarded and stored locally.
These capabilities of ClearBox are essential for routing requests to the servers of other service providers or to the remote enterprise servers which can authenticate a foreign user. Similar in concept to the cellular phone industry, this roaming ability allows service providers covering complementary territories to expand their coverage through service exchange deals.
Authentication Server
ClearBox supports authentication methods both for wired authentication (PAP, CHAP, MS-CHAP, MS-CHAPv2) and for wireless (PEAP, EAP-TLS).
Any realm created within ClearBox can be
configured to authenticate user names and passwords against
several security databases.
- Remote RADIUS server. The benefits of using this
method are described above.
- LDAP server. It may be any directory service,
like MS Active Directory or OpenLDAP,
supporting LDAP interface.
ClearBox supports directories that store user passwords either encrypted or in clear text.
- Windows NT/2000 domains, groups and workstations. ClearBox can make use of your domain infrastructure and existing user accounts database. You can specify a domain (including trusted domains) or a stand-alone workstation where Active Directory runs or the NT SAM database resides. Besides, you may include additional checks for group membership. Both local and global domain groups are supported. Advanced verifications may be involved to gain deeper access control: ClearBox can check user profiles to see that they are not disabled or expired and that the user has dial-in permission turned on.
- SQL-compliant data source (supported databases and servers are listed earlier). ClearBox offers outstanding flexibility in authenticating against SQL databases. Besides supporting the data sources listed above, ClearBox allows you to specify two types of database queries:
a) Retrieve a password for the given user and realm name via a SQL query.
b) Validate the PAP password sent in a request packet for a given user and his realm.
Both types of query allow authentication against existing and newly created database table structures; no database redesign is necessary.
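The two query types above, as an added example (not ClearBox code or configuration): Python's sqlite3 stands in for the ODBC/OLE DB source, and the `subscribers` table, its columns and the sample row are hypothetical. Because the user name arrives in the request packet, both queries bind it as a parameter; type (a) is what CHAP requires, since the server must recompute the response from the stored password.

```python
import hashlib
import hmac
import sqlite3


def open_sample_db():
    """Constructed sample data; table and column names are hypothetical."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE subscribers (login TEXT, realm TEXT, password TEXT)")
    db.execute("INSERT INTO subscribers VALUES ('alice', 'example.net', 's3cret-sample')")
    return db


def retrieve_password(db, user, realm):
    """Query type (a): fetch the stored password, or None if no such user."""
    row = db.execute(
        "SELECT password FROM subscribers WHERE login = ? AND realm = ?",
        (user, realm)).fetchone()
    return row[0] if row else None


def validate_pap(db, user, realm, pap_password):
    """Query type (b): the database decides whether the PAP password matches."""
    row = db.execute(
        "SELECT COUNT(*) FROM subscribers "
        "WHERE login = ? AND realm = ? AND password = ?",
        (user, realm, pap_password)).fetchone()
    return row[0] == 1


def verify_chap(db, user, realm, chap_id, challenge, response):
    """CHAP (RFC 1994): recompute MD5(id || password || challenge) and compare."""
    password = retrieve_password(db, user, realm)
    if password is None:
        return False
    expected = hashlib.md5(bytes([chap_id]) + password.encode() + challenge).digest()
    return hmac.compare_digest(expected, response)
```

With bound parameters, a user name or password containing quote characters is compared as data and simply fails to match.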
It's now possible to take a user name for authentication
from any RADIUS attribute present in the access request
packet, enabling such features as ANI authentication.
Double-Logon Prevention
ClearBox includes a built-in state server, which keeps track of user sessions in progress. This feature allows one to limit the number of simultaneous logins by the user. It's possible to limit this number for a whole realm or for a particular user. Besides, multiple state servers are supported, and they can be adjusted for any existing database tables.
Flexible Authorization Policies
ClearBox extends RADIUS authentication with extra authorization policies:
- Rejects a request if it contains an attribute from the Black List. Various policies can be constructed with the help of this list. For example, the Calling-Station-ID attribute can be added to block users who dial in from a particular phone number.
- Checks that a request contains the mandatory attributes from the Check List. A variety of rules can be enforced by including appropriate attributes in the Check List. Only certain users might be permitted to use ISDN connections, or dial in to a particular NAS. Or, Caller ID could be used to validate a user against a list of legal originating phone numbers.
- On successful authentication, ClearBox adds attributes defined in the Response List. By including appropriate attributes in the Response List, a variety of connection policies may be applied. Specific users can be assigned particular IP addresses or IPX network numbers, IP header compression can be turned on or off, or a time limit can be assigned to the connection.
The lists described may contain plain attributes defined explicitly by you or may be retrieved by queries to a database source. Thus you may use static, unconditional attributes for all users in the realm, and attributes retrieved from a database specific for particular users.
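How the three lists combine for one request, as an added example (not ClearBox code or configuration syntax). The evaluation order, the fail-closed handling of a missing Check List attribute, and every attribute value are assumptions made for illustration; a dictionary stands in for the per-user database query.

```python
# Constructed sample policy for one realm; attribute names follow RFC 2865.
BLACK_LIST = {"Calling-Station-Id": {"5550100"}}       # reject when matched
CHECK_LIST = {"NAS-Port-Type": {"ISDN"},                # must be present and match
              "NAS-IP-Address": {"192.0.2.10"}}
STATIC_RESPONSE = {"Framed-Compression": "Van-Jacobson-TCP-IP",
                   "Session-Timeout": 3600}
# Stand-in for attributes returned by a per-user database query.
PER_USER_RESPONSE = {"alice": {"Framed-IP-Address": "198.51.100.7"}}


def authorize(request, authenticated):
    """Return (decision, reply_attributes, reason) for one Access-Request."""
    if not authenticated:
        return "Access-Reject", {}, "authentication failed"
    # 1. Black List: any matching attribute value rejects the request.
    for name, banned in BLACK_LIST.items():
        if request.get(name) in banned:
            return "Access-Reject", {}, f"black-listed {name}"
    # 2. Check List: a missing attribute fails closed, the same as a mismatch.
    for name, allowed in CHECK_LIST.items():
        if name not in request:
            return "Access-Reject", {}, f"missing {name}"
        if request[name] not in allowed:
            return "Access-Reject", {}, f"disallowed {name}"
    # 3. Response List: static realm attributes, then per-user attributes.
    reply = dict(STATIC_RESPONSE)
    reply.update(PER_USER_RESPONSE.get(request.get("User-Name"), {}))
    return "Access-Accept", reply, "ok"
```

Returning the reason alongside the decision gives the operator something to log for each reject without exposing it in the reply to the client.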
Billing Systems Integration
ClearBox Server, being a flexible AAA solution,
can be easily integrated with almost all billing systems capable of using RADIUS servers for authentication.
ClearBox is integrated with three billing systems:
- DTH Billing and Customer Management by DTH Software. The system is suitable for ISP and VoIP billing. It boasts many nice features like customizable reporting, email or paper bills, electronic funds transfer, web portals, collections processing, service orders and much more.
- Platypus Billing System by Boardtown
Corporation, a complete Windows client-server tool
designed for Internet and Application service providers,
IP Billing, as well as wireless providers.
- Advanced ISP Billing by AdvancedISPBilling.com, an effective and highly customizable ISP billing system for small to large ISPs at very low cost. It offers simple day to day operations, superb client management, a whole suite of useful managerial reports, seamless system administration and much more.
Accounting Server
ClearBox has all capabilities for reliable real-time accounting, which is extremely necessary for your business.
You may combine several options of accounting logging for redundancy or flexible accounting management:
- Forwarding accounting data to a remote RADIUS server. ClearBox can be configured to forward accounting packets with the specified accounting status types to a remote RADIUS accounting server, to both forward a request and log it locally, or to log it only locally with one of the methods listed below.
- Logging to a SQL database. The most important and powerful method, it lets you store all information about connections in your SQL database. You may specify your own SQL query or simply bind RADIUS attributes to database table fields. Thus ClearBox can make use of your existing billing or account management system.
- Logging accounting data to a file in Livingston format.
Although it's not an official standard, Livingston format
is widely used. You may use any available reporting tool
to produce usage and billing reports from these ClearBox
logs. Besides specifying log file name you may select
how often the server performs rollover to a new file (hourly,
daily, weekly, monthly, on log file size limit).
- Logging accounting data to a file in CSV (comma-separated-values) format. This may be useful for you as CSV logs may be imported easily into any spreadsheet or a database table. Besides specifying log file name you may select how often the server will rollover to a new file (hourly, daily, weekly, monthly, on log file size limit).
You may define a filter for all these methods: what accounting status types should be processed (e.g. "connection stop" records) and what should be skipped. All methods can be filtered independently.