ClearBox TACACS+ server offers outstanding flexibility with multiple AAA policies. Each authentication, authorization, or accounting policy may be selected by a user domain, its membership in a domain group, or a requested privilege level or service. This makes it possible to implement a so-called access matrix: for example, a company can grant different access levels to its network equipment (routers, gateways, etc.) based on user group membership.
ClearBox offers two ways to control user authorization, i.e. what a user is allowed to do once connected to the network. The first is per-service authorization, where you explicitly define which services (shell, ip, lcp, etc.) are allowed. The second is per-command authorization: which commands are granted or prohibited on a network server.
ClearBox provides a complete implementation of the TACACS+ protocol and is compliant with TACACS+ clients from any vendor, such as Cisco, Fortigate, Aruba, Juniper, Citrix and others.
In addition, arbitrary TACACS+ authorization and accounting attributes are supported.
Any request may be processed in several ways depending on defined rules. Any request attribute, sender address, or user name pattern may be used to handle request authentication and/or accounting independently.
For example, a scenario such as "authenticate all requests from 192.168.1.3 against Active Directory, and use the internal database for all other clients" can be set up in several clicks.
One of the reasons to apply TACACS+ is to control each command that your staff issue on the network equipment (so-called per-command authorization). ClearBox is definitely strong here, bringing regex power to describe allowed commands in a short way.
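As an added illustration (not ClearBox code or its configuration syntax), the Python below evaluates regex-based per-command authorization over the `cmd` and `cmd-arg` attribute-value pairs of a TACACS+ authorization request, with first-match-wins rules, whole-command matching and default deny. The group names, patterns and sample requests are constructed assumptions.

```python
import re

# Constructed policy: group -> ordered (action, regex) rules; first match wins.
# Group names and patterns are illustrative, not ClearBox configuration.
POLICY = {
    "netops-readonly": [
        ("deny", r"show running-config.*"),
        ("permit", r"show .+"),
        ("permit", r"(ping|traceroute) \S+"),
    ],
    "netops-admin": [
        ("deny", r"(reload|erase|write erase).*"),
        ("permit", r".+"),
    ],
}

def command_line(av_pairs):
    """Rebuild the command from TACACS+ cmd / cmd-arg attribute-value pairs."""
    parts = []
    for pair in av_pairs:
        name, _, value = pair.partition("=")
        # "<cr>" marks the end of the command and is not part of it.
        if name in ("cmd", "cmd-arg") and value and value != "<cr>":
            parts.append(value)
    return " ".join(parts)

def authorize(group, av_pairs):
    """Return True only if a permit rule matches the whole command."""
    cmd = command_line(av_pairs)
    if not cmd:
        return False  # no command present: not handled by this example
    for action, pattern in POLICY.get(group, []):
        # fullmatch anchors both ends, so "show .+" cannot match a
        # longer line that merely contains "show " somewhere inside it.
        if re.fullmatch(pattern, cmd, flags=re.IGNORECASE):
            return action == "permit"
    return False  # default deny: unknown group or no matching rule
```

Placing deny rules ahead of broad permit rules and matching the full command line keeps a short pattern from granting more than intended.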
Several independent authentication backends are supported. RADIUS requests may be authenticated against Active Directory/Windows domains, local Windows groups and accounts, LDAP directories, ClearBox internal user accounts database, any SQL-compliant data sources including SQL servers, Excel tables and even plain text files.
ClearBox allows you to use SQL queries or stored procedures to control almost any aspect of request processing, such as authenticating it, logging authentication status, or choosing allowed commands.
ClearBox is shipped with many vendor-specific RADIUS attribute dictionaries, and it can be extended with any vendor-specific attributes. Support for H323 Cisco and Quintum attributes is at the server core level.
You may add, modify, and delete user accounts using the ClearBox built-in database. Passwords, access policy, double logon prevention, MAC address authentication, and restricted logon hours may be managed via the ClearBox administrative interface.
ClearBox supports logging RADIUS accounting records in several ways simultaneously. SQL data storages, plain files, and remote RADIUS servers are all supported. Advanced techniques, like caching data in MS Message Queue, increase the system's scalability and fault tolerance.
It is easy to set up user groups with different access to different equipment sets. Existing AD groups and users are fully supported, too.